php - How to deal with passwords, API keys, etc. in a development stack? (git, webservers, etc.)
I'm planning a large PHP project: a commercial website dealing with Bitcoin-related services. It will be an attractive target for hackers.
Besides making the site as secure as possible, I'm wrapping my head around things like: database logins and passwords, public and private keys, secret authentication keys for remote APIs or external services, SSH keys, Bitcoin wallets, etc.
Obviously I need to store them somewhere within the PHP sources. I put all secret or sensitive details in a separate include file (e.g. 'passwords.php'), placed outside of the HTTP document root, so visitors can never directly access the file itself.
But there's more:
What about the hosting provider? Of course I have to trust them if I'm hosting the server with them in the first place, but is there a way to lower the risk of an employee abusing risky stuff such as Bitcoin exchange API keys?
Git repositories: if I host git repositories remotely, should I keep the passwords.php file out of the git repository to make sure the data doesn't leak anywhere? (But then how do I version control it or distribute it to team members?)
Strict communication policies: I'm working with multiple people, and I want to avoid ever emailing or plain-FTP'ing these sensitive details. Some people need access to the testing environment, but not to the actual production server. How do I restrict access to passwords.php (containing the actual server logins etc.) to those who need it?
I have no clear idea yet how to tackle these issues. Does anyone have suggestions, or an indication of how to set this up correctly?
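One concrete way to implement the "separate include file outside the document root" idea from the question, as an added example that is not code from the question or from any answer. It assumes a hypothetical layout where `public/` is the document root, `config/secrets.php` holds the real values and is listed in `.gitignore`, and a committed `config/secrets.php.example` carries only placeholders so team members know which keys to fill in on their own machines. The loader refuses to start if the secrets file has ended up under the document root or is readable by other users on the box, so a deployment mistake fails loudly instead of silently exposing the file. Requires PHP 8.0+ (for `str_starts_with`).

```php
<?php
// Added example (not from the original post). Assumed, hypothetical layout:
//   /var/www/site/public/                 <- DOCUMENT_ROOT, index.php lives here
//   /var/www/site/config/secrets.php      <- real values, listed in .gitignore
//   /var/www/site/config/secrets.php.example <- committed template, placeholders only
//
// config/secrets.php is a plain PHP file that returns an array, e.g.:
//   <?php return ['DB_DSN' => 'mysql:host=127.0.0.1;dbname=app',
//                 'DB_USER' => 'app', 'DB_PASSWORD' => 'REPLACE_ME'];
// .gitignore gets one line:  config/secrets.php
declare(strict_types=1);

final class SecretStore
{
    /** @var array<string,string> */
    private array $values;

    private function __construct(array $values)
    {
        $this->values = $values;
    }

    /**
     * Load secrets from a PHP file that returns an array.
     * Refuses to load when the file sits inside the document root (it could be
     * served to visitors) or when its "other" permission bits are set.
     */
    public static function fromFile(string $path, string $documentRoot): self
    {
        $real = realpath($path);
        if ($real === false) {
            throw new RuntimeException("Secrets file not found: $path");
        }

        $docRoot = realpath($documentRoot);
        if ($docRoot !== false && str_starts_with($real, rtrim($docRoot, '/') . '/')) {
            throw new RuntimeException("Refusing to load secrets from inside the document root: $real");
        }

        // fileperms() returns the full mode; 0007 masks the "other" rwx bits.
        $mode = fileperms($real);
        if ($mode === false || ($mode & 0007) !== 0) {
            throw new RuntimeException("Secrets file is readable by other users; use chmod 640: $real");
        }

        $values = require $real;
        if (!is_array($values)) {
            throw new RuntimeException("Secrets file must return an array: $real");
        }
        return new self($values);
    }

    /**
     * Environment variables override file values, so a deployment tool or a
     * per-developer shell profile can supply credentials without touching
     * the file at all (testing staff never need the production file).
     */
    public function get(string $key): string
    {
        $env = getenv($key);
        if ($env !== false && $env !== '') {
            return $env;
        }
        if (!array_key_exists($key, $this->values)) {
            throw new RuntimeException("Missing secret: $key");
        }
        return (string) $this->values[$key];
    }
}

// Usage from public/index.php (assumed path); the "../" steps out of the docroot:
// $secrets = SecretStore::fromFile(__DIR__ . '/../config/secrets.php', $_SERVER['DOCUMENT_ROOT']);
// $pdo = new PDO($secrets->get('DB_DSN'), $secrets->get('DB_USER'), $secrets->get('DB_PASSWORD'));
```

The environment-variable override is what answers the "how do I distribute this to team members" part: the repository only ever contains `secrets.php.example`, each environment (developer laptop, test server, production) gets its own uncommitted `secrets.php` or its own environment variables, and only the people who administer production ever see production values.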
This sounds like quite an undertaking. There's a lot of risk involved. Props for going after that goal.
As for security, I'm no expert, but your best bet is heavy encryption. Beyond that, I think there are vulnerabilities you'll face when dealing with external sources such as ISPs and hosting providers. You can't do much about that, and if you can't live with it, you need to find a new host.
I suggest hosting the application using Amazon Web Services. They provide easy-to-manage, secure, reliable web services. Once you start segmenting the application out (DB servers, cache clusters, media servers, etc.) it becomes less of 'I hope I don't get hacked' and more of 'I hope I can manage this crap myself!'.
I suggest you seek a seasoned full-stack developer, or a small team, with an emphasis on security and encryption. The Mt. Gox stuff that went down shows you're treading down a serious road, so be cautious and diligent. Best of luck.