Our great sponsors
-
PHP Dotenv
Loads environment variables from `.env` to `getenv()`, `$_ENV` and `$_SERVER` automagically.
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
So to get down to it, what are some of the best practices here? First off, things that you would normally do, like utilize some sort of secrets manager, that won't be available to you. You also can't utilize environment variables with apache. So you're going to have to have some sort of local secret (password/passphrase) to perform the encryption/decryption. With that said, mysql does provide AES encryption with their AES_ENCRYPT/AES_DECRYPT calls, so in that manner, yes you can safely store PII or other values in a shared MySQL. You can use a php library like https://github.com/vlucas/phpdotenv The decryption password(s) should be in the .ENV file Nothing prevents you from utilizing some scheme perhaps to provide multiple passwords if you want to, perhaps a separate one for each individual column you plan to encrypt.