• caglararli@hotmail.com
  • 05386281520

Are Symfony Secrets safe because both keys are saved on the server?

Çağlar Arlı      -    6 Views

Are Symfony Secrets safe because both keys are saved on the server?

After reading some articles about the EmeraldWhale-malware collecting sensitive credentials through Git I am looking for best-practices to use environment variables in a Symfony project.

  1. A option would be to set the environment variables at runtime like: DB_NAME=my_database DB_USER=my_user DB_PASSWORD=my_password symfony server:start By using this method you wouldn't even ever have a .env-file for production, mitigating the risk of even ever publishing the credentials through accidentally pushing a .env file to your VCS.

  2. I also took a look at Symfony Secrets. This seems way more secure then using global CLI variables or a .env. But because both the private- and public-key for this asymmetric encryption is saved on the server, how exactly is this more secure? An intruder accessing the server could still use the private-key to get the credentials (same for CLI variables), but in this case the private key could still be pushed to a VCS by accident like a .env-file?

So, what is the most secure and best-practice way to store your credentials in a Symfony project?