I had made some correction:
Michael Plourde Wrote:
-------------------------------------------------------
> Could it be a good idea to store the key in a
> "web-application only readable" file in a non-web
> accessible directory ?
>
> Example:
>
> The path to the web site: /home/httpd/www/
>
> The path to the key: /home/httpd/include/
>
> The web-application is running as "webd" user and
> the file is readable only by that user.
>
> File could be binary and encrypted to increase
> security, using web-application or a binary program
on the server itself to encrypt the file.
>
> Path to the file-encoder and decoder:
>
> /usr/sbin/
>
The web-application can use system() function to execute shell decoder on the file.
> So the only way to read the file
(without using web-application) would be to
> loggon the server itself as "super user" and use file-decoder. Credit
> card data or other data is then protect by
> web-application encryption using a key that is
> stored in a file encrypted.
>
> Any comment ? Is it a good idea ? Is there some
> leak point ?
>
> Michael Plourde