Support » Plugin: Cloudflare » Encryption at rest of cloudflare_api_key

  • Hi
    I was trialling the CloudFlare integration with this plugin but noticed that the cloudflare_api_key isn’t encrypted at rest. Is there a way to enforce this via hook/have this implemented?
    Thanks

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi,

    We don’t encrypt the API key because there is no way to securely store the decryption key. In order to steal your API key you would need install a malicious plugin or your server would have to be compromised. In either of these cases the attacker would have access to the decryption key (or the plain text API key) so encrypting it doesn’t help much.

    That being said if you’re aware of a way we could store the API key more securely we would love to hear!

    Thanks,
    John

    Thread Starter mclaurent

    (@mclaurent)

    Hi John

    You are correct. However we would like to combat a potential risk of just the database being compromised. Many WP sites use third party backup tools (say BackupBuddy, VaultPress, CodeGuard), to keep a snapshot of the database somewhere safe in case the server suffers a fault or something fatal happens to the server. If the third party is being attacked and the database downloaded, the attackers would easily be able to find the unencrypted CF credentials. Another scenario would be with shared hosts not keeping their servers secure or a remote database server that is compromised.

    The simplest solution would be using one of the salt values in the wp-config.php to encrypt/decrypt the credentials. If attacks managed to break into the database and not the filesystem, they would only be able to see the encrypted information and not be able to access the salt-keys they would require to decrypt the credentials.

    Thanks

    • This reply was modified 4 years, 3 months ago by mclaurent.
    • This reply was modified 4 years, 3 months ago by mclaurent.

    All valid points. I’m not opposed to this idea. I’ve opened PI-1230 internally to track adding this to the WordPress plugin.

    Thanks,
    John

    Thread Starter mclaurent

    (@mclaurent)

    Hi John,

    Have you heard back about this feature at all?

    Thanks

    Hi @mclaurent,

    We have created the ticket regarding the issue. In our future releases this feature should be added. Currently we don’t have a date for our next plugin release.

    Thanks

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Encryption at rest of cloudflare_api_key’ is closed to new replies.