Description
For example, RSA private keys for an internal application's crypto tasks, like outgoing TLS connections or simply encrypting persisted data at the application level, but not for the incoming web server's HTTPS connection.
The only thing I found in the docs about sensitive data is http://symfony.com/doc/3.2/best_practices/configuration.html#moving-sensitive-options-outside-of-symfony-entirely. But it is not well suited when the sensitive data is too large to store in ENV and the application's deploy user has write permission only to the application root directory (except storing files outside %kernel.root_dir%/../ and passing the path in ENV). We can store the data in the %kernel.root_dir%/../var directory (like LexikJWTAuthenticationBundle does by default), but usually the application user (www-data, for instance) has write permission to all of it, and that does not seem secure. Also, AFAIK the Symfony var folder is for data generated by the application itself.
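As an added example (not code from this issue or from Symfony) of the variant the author mentions, keeping the key file outside the project tree and passing only its path in ENV: a loader that refuses a key file the application user could overwrite or that is readable by other users. The variable name APP_PRIVATE_KEY_PATH and the function name are assumptions.

```php
<?php
// Added example, not from the issue or Symfony. Loads a PEM private key whose
// location comes from an environment variable (name assumed) and fails closed
// when the file could be modified by the process that runs the application.

/** @return resource|OpenSSLAsymmetricKey */
function load_private_key(string $envVar = 'APP_PRIVATE_KEY_PATH')
{
    $path = getenv($envVar);
    if ($path === false || $path === '') {
        throw new RuntimeException("$envVar is not set");
    }
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("key file not found: $path");
    }
    // The concern raised in the issue: www-data can write to var/. A key the
    // running user can replace is a key anyone executing code as that user
    // can swap, so refuse it. (is_writable() is always true for root, so this
    // check only means something when the app does not run as root.)
    if (is_writable($real)) {
        throw new RuntimeException("key file is writable by the application user: $real");
    }
    // Refuse keys readable by group or others; expect 0400 or 0600.
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('key file mode %04o is too permissive: %s', $mode, $real));
    }
    $pem = file_get_contents($real);
    if ($pem === false) {
        throw new RuntimeException("could not read key file: $real");
    }
    $key = openssl_pkey_get_private($pem);
    if ($key === false) {
        throw new RuntimeException('could not parse private key: ' . openssl_error_string());
    }
    return $key;
}
```

Calling this once at boot turns a mis-deployed key (for example one left under var/ with www-data write access) into a startup error rather than a silent weakness.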