Plain text DB connection password is stored in config.php/config-internal.php. Can EspoCRM be enhanced to store the password in a more secure way? Thanks.
More secure way to store DB connection password
I find it too much; it does not really add more security. If one could execute PHP code, they will have access to ENV as well. We can't force password encryption by default as it will make installation harder, and we will lose potential Espo users. So password encryption should be optional.
I recommend setting up your environment so that having a stolen password won't give an attacker any chance to access.
Last edited by yuri; 08-02-2022, 12:56 PM.
It's possible to write a custom PDOProvider implementation that will decrypt a password. It will take just a few minutes of work for a developer who is already familiar with DI in Espo.
Here's the default implementation: https://github.com/espocrm/espocrm/b...DOProvider.php
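A sketch of the decrypting provider idea from the reply above, added here as an example and not taken from EspoCRM or from either poster. The interface `PdoProviderSketch`, the class name, the constructor parameters and the `base64(nonce || ciphertext)` storage format are all assumptions; EspoCRM's real provider contract and DI binding are not shown on this page. As the earlier reply points out, anyone who can execute PHP in the application can read the key file too, so this only protects a config file that leaks on its own.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the ORM's provider contract (assumed: one get() returning PDO).
interface PdoProviderSketch { public function get(): PDO; }

final class DecryptingPdoProvider implements PdoProviderSketch
{
    private ?PDO $pdo = null;

    public function __construct(
        private string $dsn,
        private string $user,
        private string $encryptedPassword, // assumed format: base64(nonce || ciphertext)
        private string $keyFile            // 32-byte key kept outside the web root
    ) {}

    public function get(): PDO
    {
        if ($this->pdo === null) {
            $password = $this->decrypt();
            try {
                $this->pdo = new PDO($this->dsn, $this->user, $password, [
                    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                ]);
            } finally {
                sodium_memzero($password); // drop the plaintext once the connection exists
            }
        }
        return $this->pdo;
    }

    private function decrypt(): string
    {
        $key = file_get_contents($this->keyFile);
        $raw = base64_decode($this->encryptedPassword, true);
        if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES
            || $raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
            throw new RuntimeException('Database credential material is missing or malformed.');
        }
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
        sodium_memzero($key);
        if ($plain === false) { // authentication failed: wrong key or tampered value
            throw new RuntimeException('Database password could not be decrypted.');
        }
        return $plain;
    }
}
```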