security - Where should I store an encryption key for php?

Question

I'm writing a php application that accepts sensitive customer data, and so I need to encrypt it before storing it in a mysql database. I'm going to use mysql's built-in AES functionality to do column-level encryption.

I want to avoid storing the encryption key on the server, and so i'm going to provide a web-page for an administrator to log-in, and enter the encryption key. I want to store this key in memory while the application is running, but never permanently to disk.

What is the best way to do this?

Can I modify the $_SERVER array to store information between requests? Can I store the key with apache in some way? Maybe shared memory?

Answer 1

Rather than rely on MySQL AES for encryption, why not use PHP's native openssl encryption scheme (a PECL extension). This requires a private and public key, public to encrypt, private to decrypt, and the keys can be kept in separate places.