tags:

views:

88

answers:

3
Q: 

What is the best way to send a secure email in PHP

I wrote a PHP script which will run every Monday using cron. In this email I am attaching an XLS document which contains sensitive information. What is the best way to secure this email? Can I set a password on the XLS document? Can I encrypt the email and only allow the correct receiver to have authorization to open it?

I am using PHPExcel to create the XLS docuement, in case this helps.

Thanks for any help!
Metropolis

+1  A: 

You could encrypt this e-mail with the recipient's public key/certificate using GPG or S/MIME.

This could be a good starting point: http://www.php.net/manual/en/function.openssl-public-encrypt.php

Bruno  2010-07-06 15:36:26
+5  A: 

Encrypting the email is the most secure way to do it IMHO. If you have control of the server you can install GPG and call it from the command line to encrypt the email with a secret key. The downside is the recipient will require a plugin to their email client and the public key to decrypt the message with.

A slightly less secure way but easier on your end user is to send a plain email containing a link for the person to download the XLS file. The XLS file is then stored behind a password protected area. Use HTTPS to encrypt the page and the download. Additionally you could create a one time HASH using MD5, or better, SHA256 that is generated by the PHP script and stored in a database in relation to the file. Send that as a link parameter and have it expire. That makes it much more difficult for an unintended person to access the link.

The second method also has the benefit of being available on any host that will let you do SSL. No need to have special access to the server.

Cfreak  2010-07-06 15:41:20
+1 for mentioning e-mailing a link
Mark Baker  2010-07-06 16:07:27
If I was to encrypt the email using GPG, do all email clients need a plugin to make the process easy for the client? The best solution may very well be what you suggested about keeping the file behind a password protected area.
Metropolis  2010-07-06 18:01:36
@Metropolis: yes all clients would need a plug-in.
Cfreak  2010-07-06 22:25:07
+1  A: 

PHPExcel don't support passwords (yet) and AFAIK passwords on Excel files are not 100% secure (only Office 2007+ are good at securing files). The best way would be to encrypt the file before attaching it to the email and then decrypt it after you receive it. If you can encrypt it with GnuPG under your PHP installation (see this) there is a plugin for Thunderbird and Seamonkey mail clients called Enigmail which will automate the decryption process.

AlexV  2010-07-06 15:48:55
I will not be able to get GnuPG installed on the host that we are using alex. If I use openssl_public_encrypt, are there plugins for that encryption type? Also, how can I encrypt the file being sent? It seems like these things only encrypt data.
Metropolis  2010-07-06 21:16:02
No, I'm not aware of other plugin for other types of encryption. You can encrypt a file with openssl_public_encrypt. Just load the content of the file with something like file_get_contents, encrypt it with openssl_public_encrypt then write the encrypted result with something like fwrite and finally attach this file to your email.
AlexV  2010-07-07 12:38:01
I need the file to be in xls format though. If I encrypt the data in this way, and not use PHPExcel, will that still work? Or is there a way to output the encrypted data using PHPExcel?
Metropolis  2010-07-07 12:50:37
1) You create your file with PHPExcel and save it on your server somewhere. 2) You encrypt the file as I shown in previous comment. 3) You save (overwrite or save in another file) the encrypted file. 4) You attach the encrypted file to your email. 5) The customer that receive the email must decrypt the file he received (probably with an app you will have made for him). 6) After the decryption the file is readable in Excel.
AlexV  2010-07-07 13:25:40

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases