This documentation details how to install PHPCredLocker, but there are a few prerequisites:
- MySQL (with an empty database already created)
- PHP > 5.2 (5.3 recommended, as it lets you use OpenSSL instead of MCrypt)
- SSL certificate installed (optional, but highly recommended)
So long as you satisfy these requirements, you should be ready to install. Grab PHPCredLocker from GitHub.
Extract the archive into a directory on your webserver.
Permissions may be correct straight away, but it's unlikely. Many systems will default to 755 permissions, but for security reasons we cannot allow this (do you really want every user on the system to be able to read your crypto keys?). So set the following permissions recursively (whether by using chmod or in your FTP client/file manager):
- /conf 760
- /plugins 760
- /sessions 760
Make sure the above directories (and their contents) are owned by whichever user your webserver runs as (if you use cPanel, this is generally the same user you log into cPanel as). This may be nobody, apache, root (if so, you've got problems) or some other user (if you have suExec enabled).
Note: there's no reason you can't set all the PHPCredLocker files/directories to 760, but the ones listed above must deny access to users who are neither the owner nor a member of the owning group. You could also deny access to the group if you wished.
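The two steps above (set 760 recursively, then confirm ownership) as a script you can run before starting the installer. This is an added example, not part of the PHPCredLocker docs; it assumes GNU find (Linux) and takes the install root and the webserver user as arguments.

```shell
# Added example (not from the PHPCredLocker docs). Usage:
#   check_credlocker_perms /var/www/PHPCredLocker www-data
#   apply_credlocker_perms /var/www/PHPCredLocker www-data

# Print every path under conf, plugins and sessions that is readable,
# writable or executable by "other", or that is not owned by the webserver
# user. Returns 0 only when nothing is found.
check_credlocker_perms() {
    root="$1"
    owner="$2"
    bad=0
    for d in conf plugins sessions; do
        dir="$root/$d"
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            bad=$((bad + 1))
            continue
        fi
        # -perm /007 matches any "other" bit; the docs require them all clear.
        hits=$(find "$dir" \( -perm /007 -o ! -user "$owner" \) -printf 'FIX %m %u %p\n')
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Apply the documented setting recursively: owner = webserver user, mode 760.
# chown needs root unless you already own the files.
apply_credlocker_perms() {
    root="$1"
    owner="$2"
    for d in conf plugins sessions; do
        chown -R "$owner" "$root/$d" && chmod -R 760 "$root/$d" || return 1
    done
}
```

Run the check again after the installer finishes; anything it lists is world-readable or owned by the wrong account.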
With the permissions set correctly, the installer should be able to function. Browse to your new install in a web browser (e.g. if you extracted into a directory called PHPCredlocker you'd go to http://yourdomain/PHPCredlocker). The installer should start and run a few checks.
The installer will only let you proceed if all checks are passed.
This screen sets the main configuration options. Think carefully about the options you set and their possible security implications: is 30 seconds too long to leave a password displayed on screen?
Session Expiry shouldn't be set too low: users' sessions will expire after this period regardless of activity (the expiry is absolute, to limit the amount of time an unauthorised person has in the system if one of your users leaves their machine unattended).
Password strength should be set as high as you can bear. It doesn't matter what security enhancements have been applied to PHPCredLocker if your users are allowed to use easily guessable passwords: an attacker would simply be able to log in and have PHPCredLocker decrypt the data for them to view!
Force SSL should only be switched on if you have a valid SSL certificate installed and available for use (i.e. https://yourdomain works).
This is one of the most important set-up stages as the choices you make here will dictate how secure your install is.
Encryption Engine: if OpenSSL is available on your system, it will be pre-selected as it is the recommended engine. The only time you may want to prefer MCrypt over OpenSSL is if you're migrating data across from an older system that didn't have OpenSSL.
Key Length: the longer the key, the more secure the crypto. There is, however, a performance penalty involved with longer keys. PHPCredLocker currently supports up to 9024 bits.
The engine-specific settings will only be displayed if the relevant libraries are installed and available.
OpenSSL Specific Settings
Algorithm: allows you to select which encryption algorithm will be used. Due to the way OpenSSL outputs its supported modes, each will currently be displayed twice, once in uppercase and once in lowercase. At the time of writing, des-cbc and aes-128-cbc have been most heavily tested.
MCrypt Specific Settings
Algorithm: allows you to select the encryption algorithm. Due to the way in which MCrypt outputs its supported modes, each will currently be displayed twice, once in uppercase and once in lowercase.
Mode: allows you to select the encryption mode.
Random keys are an incredibly important element of good encryption. Whilst servers can generate seemingly random strings with ease, generating a truly random string can be very difficult. If an attacker finds a way to calculate your random string, the key is compromised.
For this reason, users are generally asked to help generate some entropy. PHPCredLocker is no different, and you'll be asked to help generate entropy for the following encryption keys:
- Authentication - Used to encrypt your PHPCredLocker login details
- CredType - Used to encrypt credential type descriptions
- Customer - Used to encrypt customer details
- Group - Used to encrypt Group descriptions
To help generate entropy, simply move your mouse randomly within the box whilst clicking regularly. Once enough entropy has been gathered, the box will turn green. Click the 'Generate Key' button to continue.
Create Administrator Account
The final configuration step is to create an administrator account. You can use whatever username you wish (try to avoid admin or root - they're a little easy to guess!) and the minimum password strength is whatever you set earlier in the installation process.
Remove Install Directory
For security reasons, the Install directory must be removed before you can use the system. The installer will attempt to do this automatically, but if it fails you will need to delete the directory manually.
You should now be able to browse to http://yourdomain/PHPCredLocker (if you set Force SSL to on, it'll redirect you to the https URL).
You should now complete the Post Installation steps.
Most errors will require you to rectify the issue and start the installer again. However, you may receive the error:
Could not Obfuscate Plugin path, you will need to do this manually
This relates to measures taken to help prevent an attacker from identifying which plugins you have installed. To manually obfuscate the path, do the following:
Within the plugins directory there is a directory named Blargle. Rename this to something random (we'll assume you called it BadgerLickers).
Edit conf/plugins.php and add the following line:
defined("CREDLOCK_PLUGIN__PATH") or define('CREDLOCK_PLUGIN__PATH','plugins/BadgerLickers');
Save and close the file. Job done!
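The manual steps above as one script, for when you'd rather not pick the random name yourself. This is an added example, not part of the PHPCredLocker docs; it assumes the install root is passed as the only argument and that conf/plugins.php already exists, and it prints the new directory name.

```shell
# Added example (not from the PHPCredLocker docs). Usage:
#   obfuscate_credlocker_plugin_path /var/www/PHPCredLocker
obfuscate_credlocker_plugin_path() {
    root="$1"
    old="$root/plugins/Blargle"
    conf="$root/conf/plugins.php"
    [ -d "$old" ] || { echo "no plugins/Blargle under $root" >&2; return 1; }
    [ -f "$conf" ] || { echo "no conf/plugins.php under $root" >&2; return 1; }
    # Refuse to add a second define: the first one wins and would then point
    # at a directory that no longer exists.
    if grep -q 'CREDLOCK_PLUGIN__PATH' "$conf"; then
        echo "CREDLOCK_PLUGIN__PATH is already defined in $conf" >&2
        return 1
    fi
    # 16 alphanumeric characters from the kernel CSPRNG (about 95 bits).
    new=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)
    [ "${#new}" -eq 16 ] || return 1
    mv "$old" "$root/plugins/$new" || return 1
    line="defined(\"CREDLOCK_PLUGIN__PATH\") or define('CREDLOCK_PLUGIN__PATH','plugins/$new');"
    if grep -q '^?>' "$conf"; then
        # Keep the define inside the PHP block: insert it before the closing tag.
        awk -v l="$line" '$0 == "?>" && !done { print l; done = 1 } { print }' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s\n' "$line" >> "$conf"
    fi
    echo "$new"
}
```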