OpenSSL Key Encryption After Upgrading to v5.3
Updated over 2 months ago

Summary

MainWP Dashboard version 5.3 adds encryption for private keys stored in your database, further strengthening security. These private keys are part of the system that ensures secure communication between your Dashboard and connected Child Sites. Encrypting them provides enhanced protection in the unlikely event of a database breach.

[Screenshot: the MainWP Dashboard UI with the prompt to encrypt keys after updating to v5.3]

After upgrading, you’ll see a one-time prompt to encrypt the private keys for existing connections, where you just have to click “Encrypt Keys Now.” From then on, all new Child Sites will have their private keys encrypted automatically. This update enhances security while maintaining seamless functionality.

Private key encryption builds on MainWP’s already secure design. Communication between your Dashboard and Child Sites has always been protected with encryption, but this new feature adds another layer of defense by securing private keys stored in the database.

What if I dismiss the notification?

The notification can be restored from the Tools page. Navigate to:

  1. MainWP Dashboard > Settings > Tools page

  2. Click the Restore Info Messages button

  3. The notification for encrypting the private keys will be displayed again

  4. Click the “Encrypt Keys Now” button

What Is Private Key Encryption?

Private keys are an essential component of the secure connection between your MainWP Dashboard and Child Sites. These keys are used to sign requests sent from the Dashboard, while the corresponding public keys on the Child Sites verify the authenticity of those requests. Encrypting private keys ensures they remain inaccessible, even if someone gains unauthorized access to your database.

MainWP uses AES in GCM mode to protect private keys. Because GCM is an authenticated encryption mode, every ciphertext carries an authentication tag that detects any modification of the stored data; combined with a fresh Initialization Vector (IV) for each encryption, this gives confidentiality, integrity, and protection against tampering.

How It Works

MainWP 5.3 introduces private key encryption using the same secure framework that was implemented in version 4.5 for sensitive data like API keys. The process follows these steps:

  1. Encryption Key Generation: A secure, 32-character random encryption key is generated using PHPSecLib’s Random class.

  2. Initialization Vector (IV): A unique 16-character IV is created to ensure each encryption is distinct, even for identical data.

  3. Encryption: The AES GCM algorithm encrypts the private key, producing:

    • The cipher (encrypted data).

    • An authentication tag, which validates data integrity and guards against tampering.

  4. Storage: The encrypted data—including the IV, cipher, and authentication tag—is combined and encoded using base64_encode(), then stored securely in the database.

  5. Key File Storage: The encryption key is saved in a separate, secure Key File, ensuring it is not accessible through the database.

This layered approach ensures that even if the database is compromised, the encrypted private keys cannot be decrypted without access to the Key File and associated encryption components.

Technical Breakdown: AES GCM Encryption

The private key encryption system in MainWP 5.3 leverages AES GCM (Galois Counter Mode) for its security and efficiency. Here’s how it specifically applies to securing private keys in your MainWP setup:

  • AES GCM (Galois Counter Mode): This encryption method ensures that private keys stored in your database are protected not just by encryption but also by authentication. The authentication tag generated during encryption verifies the integrity of the data, ensuring that it hasn’t been altered or tampered with. This adds an extra safeguard to MainWP’s already secure communication process.

  • IV (Initialization Vector): Every encryption uses a fresh, random IV, so encrypting the same private key twice yields two different ciphertexts and the stored values reveal nothing about whether two keys are identical. In GCM this uniqueness is also a hard requirement: reusing an IV under the same key breaks both confidentiality and the authentication tag, which is why a new IV is generated for every encryption.

  • Authentication Data: MainWP also binds additional authenticated data (metadata that is not itself encrypted but is covered by the authentication tag) into each encryption, so a stored value is only accepted when both the ciphertext and that metadata are unchanged. This further strengthens the trustworthiness of the encrypted data.

  • Key Management: The encryption keys used to secure private keys are stored in a separate Key File, not in the database. This separation adds another layer of defense, ensuring that gaining access to the database alone does not expose your private keys.

By employing AES GCM with these features, MainWP ensures that private keys remain secure, resilient to tampering, and inaccessible even in the unlikely event of a database compromise.
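The five steps in "How It Works" and the AES-GCM properties listed above, as an added illustration in plain PHP using ext/openssl (example code, not MainWP's own implementation). The function names, the AAD label and the key-file location are assumptions, and random_bytes() stands in for phpseclib's Random class.

```php
<?php
// Added illustration, not MainWP's own code: the five steps above in plain PHP with
// ext/openssl. Function names, the AAD label and key-file path are example assumptions.
declare(strict_types=1);

const EXAMPLE_AAD = 'mainwp_private_key_v1'; // constructed label, bound into the tag

// Steps 1 and 5: a 32-byte key generated once and kept in a file, never in the DB.
function load_or_create_key(string $file): string {
    if (is_file($file)) {
        return base64_decode(trim((string) file_get_contents($file)), true);
    }
    $key = random_bytes(32); // random_bytes() stands in for phpseclib's Random
    file_put_contents($file, base64_encode($key), LOCK_EX);
    chmod($file, 0600); // readable by the web server user only
    return $key;
}

// Steps 2-4: fresh IV, AES-256-GCM with AAD, then IV|tag|cipher as one base64 blob.
function encrypt_private_key(string $privateKey, string $key): string {
    // The article describes a 16-character IV; 12 bytes (96 bits) is the NIST
    // recommendation for GCM. Either works with OpenSSL; never reuse one under a key.
    $iv = random_bytes(16);
    $tag = '';
    $cipher = openssl_encrypt($privateKey, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, EXAMPLE_AAD);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode($iv . $tag . $cipher);
}

// Reverse of the above. Returns null when the tag check fails (tampered data or wrong key).
function decrypt_private_key(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 32) {
        return null;
    }
    [$iv, $tag, $cipher] = [substr($raw, 0, 16), substr($raw, 16, 16), substr($raw, 32)];
    $plain = openssl_decrypt($cipher, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, EXAMPLE_AAD);
    return $plain === false ? null : $plain;
}

// Demo with a constructed placeholder instead of a real PEM key. Production code
// would keep the key file outside the web root rather than in the temp dir.
$key = load_or_create_key(sys_get_temp_dir() . '/mainwp-example.key');
$stored = encrypt_private_key('-----BEGIN PRIVATE KEY----- placeholder -----END PRIVATE KEY-----', $key);
var_dump(decrypt_private_key($stored, $key) !== null); // bool(true)
$raw = base64_decode($stored, true);
$raw[-1] = chr(ord($raw[-1]) ^ 0x01); // corrupt one ciphertext byte
var_dump(decrypt_private_key(base64_encode($raw), $key)); // NULL: tag rejects it
```

The last two lines show the property the breakdown relies on: a single flipped byte in the stored blob makes openssl_decrypt() reject the value outright, so a database that has been tampered with cannot hand back a forged private key.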

Why This Matters

MainWP has always prioritized security, with encrypted communication between the Dashboard and Child Sites being a cornerstone of its design. Private key encryption is not a response to a flaw but an enhancement to an already secure system. By encrypting private keys stored in the database, MainWP provides an additional safeguard against potential database breaches.

Even in the unlikely event of a database compromise, encrypted keys remain inaccessible without the Key File and other encryption components. This update reflects MainWP’s proactive approach to adopting advanced security measures and keeping pace with evolving standards.
