How to store your stellar secrets using PHP and Redis

A step-by-step guide

Nacho Colomina
3 min read · Nov 29, 2022

One of the challenges of building an application that works on top of a payment network is keeping user secrets secure. Usually the best option is for users to hold those secrets on their own devices (mobile apps, hardware wallets and so on), but there are cases where we want to keep them centralized.

In this article I share a very simple way to store them without any external system (such as a cloud key management service). The approach suits development environments, where strong security features are not needed. It can also work in a production environment, but only if the Redis backend is well locked down, because, as we will see, the key that decrypts the secrets lives in the same Redis instance as the secrets themselves.

Introduction

This article assumes you are familiar with PHP, Composer and Redis.

Starting

Assuming you have a PHP environment with Composer installed, the first thing to do is install the Stellar SDK for PHP:

composer require soneso/stellar-php-sdk

Generate encryption keys to encrypt our Stellar secrets

The next thing we need is an encryption key pair with which to encrypt our Stellar secrets. For this we will use PHP's sodium extension (libsodium), which ships with PHP since version 7.2; for older versions you can install it through PECL. We will use a libsodium sealed box: anyone holding the public key can encrypt, but only the holder of the full key pair can decrypt. Assuming PHP ≥ 7.2, let's create the keys:

$decryptionKey = sodium_crypto_box_keypair();              // 64 bytes: secret key || public key; seal_open() needs the whole pair
$encryptionKey = sodium_crypto_box_publickey($decryptionKey); // 32-byte public key, enough to seal

Now that we have created our keys, we have to store them in our Redis backend. There are several options for talking to Redis from PHP; one of them is the predis library, which installs easily with Composer:

composer require predis/predis

With predis installed, we can store the keys in Redis. Redis strings are binary-safe, so the raw key bytes can be stored as they are, without any encoding:

require 'vendor/autoload.php';        // Composer autoloader for predis

$client = new Predis\Client();        // defaults to 127.0.0.1:6379
$client->set('stellar:dec', $decryptionKey); // full key pair: whoever reads this can decrypt everything
$client->set('stellar:enc', $encryptionKey); // public key: only needed to encrypt

With this short piece of code our keys are in Redis and we can fetch them whenever we want to encrypt or decrypt a Stellar secret. Keep in mind what this does and does not protect: the decryption key pair sits in the same store as the ciphertexts, so anyone who can read all of Redis (or a dump of it) can decrypt every secret. Restrict read access to stellar:dec as tightly as you can; in production, consider keeping the key pair outside Redis altogether (for example in the application's environment) so that Redis holds only ciphertexts. The next step is to encrypt a Stellar secret and store it in Redis too.

Encrypting Stellar secrets and storing them

To create Stellar secrets we can use the class Soneso\StellarSDK\Crypto\KeyPair, available since we installed the soneso library at the beginning of this article. From the key pair we get the secret seed (the "S..." string). Then we use the public encryption key (already stored in Redis) to seal the seed, and finally we store the resulting ciphertext in Redis.

use Soneso\StellarSDK\Crypto\KeyPair;

$client = new Predis\Client();
$keyPair = KeyPair::random();                  // new Stellar account key pair
$secret = $keyPair->getSecretSeed();           // the "S..." seed we want to protect
$keySecretName = 'mykeysecretname';            // identifies the secret in Redis
$encryptionKey = $client->get('stellar:enc');  // 32-byte public key stored earlier

// sealed box: only the holder of the full key pair can open it
$encodedSecret = sodium_crypto_box_seal($secret, $encryptionKey);
$client->set($keySecretName, $encodedSecret);
sodium_memzero($secret);                       // do not leave the plaintext seed in memory

Now our secret is encrypted and stored in Redis. The last step is to retrieve it from Redis and decrypt it.

Retrieving Stellar secrets from Redis and decrypting them

To retrieve and decrypt a Stellar secret, we first fetch the decryption key pair (already stored in Redis), then fetch the sealed secret, and finally open it with the key pair. sodium_crypto_box_seal_open() returns false when the ciphertext has been altered or the key pair does not match, so that result must be checked rather than used as a seed.

$client = new Predis\Client();
$keySecretName = 'mykeysecretname';             // identifies the secret in Redis
$decryptionKey = $client->get('stellar:dec');   // full 64-byte box key pair
$encodedSecret = $client->get($keySecretName);

// false means tampered ciphertext or wrong key pair: never treat it as a seed
$decodedSecret = sodium_crypto_box_seal_open($encodedSecret, $decryptionKey);
if ($decodedSecret === false) {
    throw new RuntimeException('could not decrypt the stored Stellar secret');
}
sodium_memzero($decryptionKey);                 // drop the key pair from memory once used

And that's all: we have retrieved and decrypted our secret and can use it to sign our transactions.
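The whole procedure above, put together as a single script. This is an added example, not the article's code: it keeps the key pair in Redis exactly as the article does, and additionally refuses to overwrite an existing key pair (which would make every sealed seed unreadable), validates key lengths, treats a false from seal_open() as an error, wipes key material after use and checks the round trip by rebuilding the Stellar key pair from the recovered seed. It assumes predis/predis and soneso/stellar-php-sdk are installed through Composer (vendor/autoload.php next to the script), a Redis server on 127.0.0.1:6379, and uses KeyPair::fromSeed() and getAccountId() from the soneso SDK; the class name SealedSecretStore and the key prefix stellar:secret: are my own choices.

```php
<?php
declare(strict_types=1);

// Added example, not the article's code. Assumes predis/predis and
// soneso/stellar-php-sdk installed via Composer and Redis on 127.0.0.1:6379.
require __DIR__ . '/vendor/autoload.php';

use Predis\Client;
use Soneso\StellarSDK\Crypto\KeyPair;

/** Sealed-box storage of Stellar secret seeds in Redis (class name is my own). */
final class SealedSecretStore
{
    private const KEYPAIR_KEY = 'stellar:dec';     // 64-byte box key pair (secret || public)
    private const PUBKEY_KEY  = 'stellar:enc';     // 32-byte public key
    private const PREFIX      = 'stellar:secret:'; // hypothetical namespace for sealed seeds

    private Client $redis;

    public function __construct(Client $redis)
    {
        $this->redis = $redis;
    }

    /** Generate the box key pair once. A repeat call must not silently replace it,
     *  because every seed already sealed would then become unreadable. */
    public function initKeys(): void
    {
        $keyPair   = sodium_crypto_box_keypair();
        $publicKey = sodium_crypto_box_publickey($keyPair);
        // SETNX writes only if the key is absent: returns 1 on success, 0 otherwise
        if ($this->redis->setnx(self::KEYPAIR_KEY, $keyPair) === 0) {
            sodium_memzero($keyPair);
            throw new RuntimeException('box key pair already exists in Redis; refusing to overwrite');
        }
        $this->redis->set(self::PUBKEY_KEY, $publicKey);
        sodium_memzero($keyPair);
    }

    /** Seal a secret seed with the public key and store the ciphertext under $name. */
    public function store(string $name, string $secretSeed): void
    {
        $publicKey = $this->redis->get(self::PUBKEY_KEY);
        if (!is_string($publicKey) || strlen($publicKey) !== SODIUM_CRYPTO_BOX_PUBLICKEYBYTES) {
            throw new RuntimeException('encryption public key missing or malformed');
        }
        $sealed = sodium_crypto_box_seal($secretSeed, $publicKey);
        $this->redis->set(self::PREFIX . $name, $sealed);
    }

    /** Fetch and open a sealed seed. Throws instead of returning false or garbage. */
    public function load(string $name): string
    {
        $sealed = $this->redis->get(self::PREFIX . $name);
        if (!is_string($sealed)) {
            throw new RuntimeException("no sealed secret stored under '$name'");
        }
        $keyPair = $this->redis->get(self::KEYPAIR_KEY);
        if (!is_string($keyPair) || strlen($keyPair) !== SODIUM_CRYPTO_BOX_KEYPAIRBYTES) {
            throw new RuntimeException('decryption key pair missing or malformed');
        }
        // Sealed boxes are authenticated: a wrong key pair or a modified ciphertext yields false.
        $seed = sodium_crypto_box_seal_open($sealed, $keyPair);
        sodium_memzero($keyPair);
        if ($seed === false) {
            throw new RuntimeException("sealed secret '$name' failed to open (tampered or wrong key pair)");
        }
        return $seed;
    }
}

// --- usage: full round trip ---------------------------------------------------
$store = new SealedSecretStore(new Client()); // default host 127.0.0.1:6379
try {
    $store->initKeys();                       // first run creates stellar:dec / stellar:enc
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;           // key pair already there: keep using it
}

$account = KeyPair::random();
$name    = $account->getAccountId();          // "G..." account id doubles as the Redis name
$seed    = $account->getSecretSeed();         // "S..." seed to protect
$store->store($name, $seed);
sodium_memzero($seed);

$recovered = $store->load($name);
$restored  = KeyPair::fromSeed($recovered);   // rebuild the signing key pair from the seed
sodium_memzero($recovered);
if ($restored->getAccountId() !== $name) {
    throw new RuntimeException('round trip produced a different account');
}
echo "Recovered signing key for {$name}", PHP_EOL;
```

The only change needed to take the key pair out of Redis for production is inside load() and initKeys(): read stellar:dec from the application's environment or a secrets file instead of $this->redis, and Redis then holds nothing but ciphertexts that are useless without it.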

Conclusions

My aim with this article is to show a very easy way to store encoded Stellar secrets in Redis and be able to get them back. I am sure there are a lot of better ways of achieving it, but I think it could help.
