MB-R079 API keys stored in env.php, not DB/plaintext

C12 Third‑party Config Security High

Secrets should live in app/etc/env.php or a secret manager, never in database rows or plaintext admin settings. Database‑stored keys tend to proliferate across environments and backups. Centralized storage simplifies rotation and restricts access via filesystem permissions.

Why it Matters

API keys, access tokens, and other credentials should never be stored in the Magento database or in plaintext configuration fields within the Admin UI. If the database is compromised, an attacker can dump it and extract keys for payment gateways, shipping providers, or marketing integrations.

Storing API keys in app/etc/env.php keeps them outside the database, under file system and deployment controls. This makes key rotation easier, prevents accidental leaks in DB backups, and aligns with secure secrets management practices.

Verification Steps

Database check

# Look for API keys stored in core_config_data
mysql -e "SELECT path, value FROM core_config_data WHERE path LIKE '%api%key%';"

# Expected: no plaintext API keys in DB

env.php check

# Inspect app/etc/env.php
grep -i "api" app/etc/env.php

# Expected: keys defined here instead of DB

Remediation / Fix Guidance

  1. Move all API keys from core_config_data into app/etc/env.php.
  2. Reference env.php values in config.php or modules instead of DB-stored settings.
  3. Ensure env.php is excluded from version control (.gitignore).
  4. Rotate any keys that were previously stored in plaintext in the DB.
  5. For higher security, integrate with a secrets manager (Vault, AWS Secrets Manager, Azure Key Vault) and inject keys into env.php during deployment.
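
The database check, the filesystem-permission point, and remediation step 3 can be scripted together. The following is an added example, not part of the original baseline; the function names, the word list used to spot secret-looking paths, and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added audit sketch for this rule; not part of the original page.
# Assumption: "secret-looking" means the path contains one of the words below.

# stdin: "path<TAB>value" rows, e.g. from
#   mysql -N -B -e "SELECT path, value FROM core_config_data"
# stdout: one "FAIL <path>" per secret-looking path with a stored value.
# The value is never printed. Exit status is 1 if anything was flagged.
flag_db_secrets() {
  awk -F'\t' '
    tolower($1) ~ /(api_?key|secret|token|password)/ && $2 != "" && $2 != "NULL" {
      print "FAIL " $1
      n++
    }
    END { exit (n > 0) }'
}

# Succeeds only if $1 is a regular file with no permission bits for "other",
# judged from the mode string printed by ls (e.g. -rw-r-----).
env_file_locked_down() {
  [ -f "$1" ] || return 2
  case $(ls -ldL -- "$1") in
    ???????---*) return 0 ;;
    *)           return 1 ;;
  esac
}

# Succeeds only if git treats app/etc/env.php under repo root $1 as ignored.
# check-ignore skips tracked files, so an already committed env.php fails here.
env_file_ignored() {
  git -C "$1" check-ignore -q app/etc/env.php
}

# Constructed sample rows standing in for the query output.
sample_rows() {
  printf 'payment/stripe/api_key\tsk_live_abc123\n'
  printf 'carriers/example/api_key\t\n'
  printf 'newsletter/example/api_token\tNULL\n'
  printf 'web/secure/base_url\thttps://shop.example/\n'
}
```

Running `sample_rows | flag_db_secrets` prints only the Stripe path, because the other secret-looking rows are empty or NULL.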

Examples

Fail Example

# core_config_data entry
path  = payment/stripe/api_key
value = sk_live_abc123   # FAIL: plaintext in DB

Pass Example

# app/etc/env.php
'stripe' => [
  'api_key' => 'sk_live_abc123'
]
# PASS: key stored in env.php, not DB
