PHPackages: uwdoem/secure-upload

Category: File & Storage (active library)

uwdoem/secure-upload
====================

Secure file upload with asymmetric encryption.

Latest version 0.2.0 (9 years ago), PHP. Listed since Mar 10; last pushed 9 years ago; 2 watchers.

[Source](https://github.com/UWEnrollmentManagement/secure-upload) · [Packagist](https://packagist.org/packages/uwdoem/secure-upload)

[Build Status](https://travis-ci.org/UWEnrollmentManagement/secure-upload)

Secure-Upload
=============


This library is intended to help protect the contents of uploaded documents against an attacker who might gain file-system read-access to a PHP web application.

Using this library involves three main components:

1. A public/private key pair.
2. A web server for receiving uploaded documents. Uploaded documents are encrypted using the public key immediately upon upload, and then the unencrypted document is immediately destroyed.
3. A file server from which your authorized users can retrieve uploaded documents. You will provide a process which retrieves encrypted documents from the web server and decrypts these documents onto the file server using the private key. Of course, you are responsible for maintaining a file server which you trust to host these unencrypted documents.

Note that the private key does not live on the web server. If an attacker gained read access to your web server while documents were waiting to be moved to your file server, they would see only a set of encrypted documents, and they could not retrieve the private key that would let them decrypt those documents.

Example
-------


For this example, we assume that:

1. Your web server is running Apache, \*nix, and of course PHP.
2. Your file server may be either \*nix or Windows.
3. We use Composer for package management, but you can modify the example to work without Composer.

This example *does not answer* how to move the encrypted files from the web server to the file server. On \*nix, you might choose to move them with an `rsync --delete ...` command. On Windows, you could use WinSCP. Using an `authorized_keys` file, you can create an automated job on either \*nix or Windows that moves these files over without manual intervention.

### Create a Private/Public Key Pair


To create a private/public key pair on \*nix:

```sh
# Generate a 4096-bit RSA private key (stays on the file server only)
openssl genrsa -out my_key_name.pem 4096
# Extract the public key for the web server
openssl rsa -in my_key_name.pem -pubout > my_key_name.pub
```

You should put the public copy of your key (`my_key_name.pub`) onto your web server. But you should **not** put the private copy of your key (`my_key_name.pem`) onto your web server. The private copy of your key will need to be on your file server.
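As an added example (not the library's own code, nor the page's `index.php`), here are the two halves described in the overview, encrypt-on-upload on the web server and decrypt on the file server, using PHP's `openssl_seal()`/`openssl_open()` with the key files just created; the `.enc` container layout, function names and paths are assumptions:

```php
<?php
// Added illustration, not the library's own code: hybrid encryption with
// openssl_seal(), which generates a random AES key, encrypts the data with it
// and wraps that key with the public key; only the private key on the file
// server can unwrap it. The ".enc" container layout and paths are assumptions.

// Web server: encrypt the uploaded tmp file, then remove the plaintext.
function encrypt_upload(string $tmpPath, string $pubKeyPath, string $outPath): void
{
    $pub = openssl_pkey_get_public('file://' . $pubKeyPath);
    if ($pub === false) {
        throw new RuntimeException('cannot load public key');
    }
    $plain = file_get_contents($tmpPath);
    $sealed = '';
    $keys = [];
    $iv = '';
    if (openssl_seal($plain, $sealed, $keys, [$pub], 'aes-256-cbc', $iv) === false) {
        throw new RuntimeException('openssl_seal failed');
    }
    // Container: 2-byte big-endian key length, RSA-wrapped AES key, 16-byte IV, ciphertext.
    // CBC gives confidentiality only; add a MAC or signature if integrity is required.
    $blob = pack('n', strlen($keys[0])) . $keys[0] . $iv . $sealed;
    file_put_contents($outPath, $blob, LOCK_EX);
    unlink($tmpPath); // only the ciphertext now remains on the web server's disk
}

// File server: unwrap the AES key with the private key and decrypt the document.
function decrypt_file(string $encPath, string $privKeyPath, string $outPath): void
{
    $priv = openssl_pkey_get_private('file://' . $privKeyPath);
    if ($priv === false) {
        throw new RuntimeException('cannot load private key');
    }
    $blob = file_get_contents($encPath);
    $keyLen = unpack('n', substr($blob, 0, 2))[1];
    $encKey = substr($blob, 2, $keyLen);
    $iv = substr($blob, 2 + $keyLen, 16);
    $sealed = substr($blob, 2 + $keyLen + 16);
    $plain = '';
    if (!openssl_open($sealed, $plain, $encKey, $priv, 'aes-256-cbc', $iv)) {
        throw new RuntimeException('openssl_open failed: wrong key or corrupted file');
    }
    file_put_contents($outPath, $plain, LOCK_EX);
}

// In index.php, after a POST with <input type="file" name="document">:
// encrypt_upload($_FILES['document']['tmp_name'], __DIR__ . '/cert/my_key_name.pub',
//                __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . '.enc');
```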

### Sample Web Application


Web application structure:

```
mywebapp
├── composer.json
├── index.php
├── cert
│   ├── .htaccess
│   └── my_key_name.pub
└── uploads
    └── .htaccess
```

The `uploads` directory must be writable by your Apache user. For example, you might use `chmod o+w uploads`; note that this makes the directory writable by every local user, so giving ownership to the Apache user instead is the narrower option.

The `composer.json` specifies the `uwdoem/secure-upload` package as a requirement. You'll need to run `composer install` to install this package into the `vendor` directory.

composer.json:

```json
{
    "require": {
        "uwdoem/secure-upload": "^0.2.0"
    }
}
```

We place `.htaccess` files in the `cert` and `uploads` directories to block visitor access to them. (`deny from all` is Apache 2.2 syntax; on Apache 2.4 without `mod_access_compat`, the equivalent is `Require all denied`.)

cert/.htaccess:

```
deny from all
```

uploads/.htaccess:

```
deny from all
```

The `index.php` is our primary page.

index.php:

```

Your file has been uploaded.

```