The plain-text DB connection password is stored in config.php / config-internal.php. Can EspoCRM be enhanced to store the password in a more secure way? Thanks.
More secure way to store DB connection password
I find it too much, it does not really add more security. If one could execute PHP code, they will have access to ENV as well. We can't force password encryption by default as it will make installation harder, and we will lose potential Espo users. So password encryption should be optional.
I recommend setting up your environment so that having a stolen password won't give an attacker any chance to access.
Last edited by yuri; 08-02-2022, 12:56 PM.
If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.
It's possible to write a custom PDOProvider implementation that will decrypt a password. It will take just a few minutes of work for a developer who is already familiar with DI in Espo.
Here's the default implementation: https://github.com/espocrm/espocrm/b...DOProvider.php
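A sketch of the decrypting provider idea from the reply above, as an added example that is not part of the thread and not EspoCRM code. The class name `DecryptingPdoProvider`, its constructor parameters and the `base64(nonce || ciphertext)` storage format are assumptions; it needs PHP 8 with the sodium and pdo_sqlite extensions, and wiring it into Espo's DI is not shown. As the first reply notes, anyone who can execute PHP can read the key as well, so this only limits what a leaked config file reveals.

```php
<?php
declare(strict_types=1);

// Hypothetical class for illustration; it does not implement EspoCRM's PDOProvider interface.
final class DecryptingPdoProvider
{
    private ?PDO $pdo = null;

    public function __construct(
        private string $dsn,
        private string $user,
        private string $storedPassword, // base64(nonce || ciphertext), the value kept in the config file
        private string $keyFile         // 32-byte key kept outside the config and the web root
    ) {}

    public function get(): PDO
    {
        // Decrypt lazily, on first use, and reuse the connection afterwards.
        return $this->pdo ??= new PDO($this->dsn, $this->user, $this->decrypt(),
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    }

    private function decrypt(): string
    {
        $key = @file_get_contents($this->keyFile);
        if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new RuntimeException('Key file is missing or has the wrong length.');
        }
        $raw = base64_decode($this->storedPassword, true);
        if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
            throw new RuntimeException('Stored password is not base64(nonce || ciphertext).');
        }
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
        sodium_memzero($key);
        if ($plain === false) { // authenticated encryption: a wrong key or an edited value fails here
            throw new RuntimeException('Password decryption failed.');
        }
        return $plain;
    }
}

// Constructed demo: throwaway key and password; in-memory SQLite stands in for the real DSN.
$keyFile = tempnam(sys_get_temp_dir(), 'dbkey');
file_put_contents($keyFile, $key = sodium_crypto_secretbox_keygen());
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$stored = base64_encode($nonce . sodium_crypto_secretbox('constructed-password', $nonce, $key));
$provider = new DecryptingPdoProvider('sqlite::memory:', 'app', $stored, $keyFile);
var_dump($provider->get()->query('SELECT 1')->fetchColumn());
unlink($keyFile);
```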