Essentially, I have a file that the plugin reads and needs to be encrypted.
Something like an RSA encryption would do, but I need to be able to decrypt the file in my plugin. Is it possible to store an encryption key on the client side without it being vulnerable to a skilled hacker?
Any input appreciated, thanks.
short answer. no.
If you encrypt anything, you have to keep the private key secret. You can’t ship it with your plugin. Any attempt to obfuscate the key can be un-obfuscated.
The only secure way is a public/private encryption, where you encrypt on the server with a private key and the plugin has the public key built in. So the plugin can decrypt the license file (and therefore the attacker can as well), but the attacker cannot forge a new license file.
But an attacker can ofc. replace the built in public key, so the plugin reacts now to their license files rather than the original.
You can now add a check somewhere else of the integrity of the built in public key and the cat-mouse race goes into the next round…
Hmm this sounds promising, but unfortunately for my purposes (not actually for licensing) I need to be able to write to the file as well from the plugin. Honestly just writing that I kinda realize it would be almost impossible to 100% secure that even if the key could be stored locally.
For my purposes I would almost compare it to like a save file in a game. I need to make sure the save file hasn’t been tampered with. I suppose I could do like md5 hash checking, but I guess as you’re saying this would just add another layer to the cat and mouse race.
