How MainWP Stores 3rd-Party API Keys and Other Sensitive Data

As of MainWP version 4.5, MainWP introduced a better encryption system for storing 3rd-Party API Keys and Login details.

To provide better security for MainWP users, we implemented a more complex encryption process, in line with industry security standards, for storing sensitive data in the MainWP Dashboard.

Please note that this does not include data that may be created by third-party plugins on the Child Sites.

Take, for example, one of the MainWP Extensions used for backups. MainWP securely encrypts the API key used by the MainWP extension. However, we do not encrypt data or backups that may be created by the respective backup plugin on a Child Site.


The process now includes:

  • IV (Initialization Vector) as 16 chars random string
  • Authentication data
  • AES GCM (Galois Counter Mode) encryption via PHPSecLib
  • Usage of PHPSecLib (version 3) `Random` class for generating random strings
  • Usage of Key File

What is AES GCM

AES GCM (Galois Counter Mode) is a stream cipher mode for AES. It is based on CTR mode, which converts the AES block cipher into a stream cipher. This gives low latency and fast encryption and decryption. Because it works as a stream cipher, it does not require padding.

Along with this, it provides AEAD (Authenticated Encryption with Associated Data) to authenticate the message. With AES-GCM, we start with an encryption key and a message and produce the ciphertext, a random nonce, and an authentication tag (a Message Authentication Code, or MAC).

Process Workflow

  1. Create Encryption Key as 32 chars random string by using PHPSecLib (version 3) Random class
  2. Create IV (Initialization Vector) as 16 chars random string by using PHPSecLib (version 3) Random class
  3. Initialize AES GCM encryption instance
    1. Set previously created encryption key from Step 1
    2. Set encryption nonce with previously created IV from Step 2
    3. Set Authentication data
  4. Encrypt value (3rd-Party API Key) via AES GCM Encryption
  5. Generate AES Tag
  6. Generate Encrypted Value by merging IV from Step 2, previously encrypted data from Step 4, and AES tag from Step 5
  7. Encode the encrypted value from Step 6 with base64_encode() and save it
  8. Save the Key File
  9. Save the Key File info to the Database
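
Steps 1 to 7 of the workflow above, sketched with phpseclib 3 together with the matching decryption, as an added example that is not MainWP's own code. The function names, the associated-data string and the sample API key are assumptions; the key file from Steps 8 and 9 is left out because the page does not describe its format.

```php
<?php
// Added example, not MainWP's code. Setup: composer require phpseclib/phpseclib:~3.0
require __DIR__ . '/vendor/autoload.php';

use phpseclib3\Crypt\AES;
use phpseclib3\Crypt\Random;
use phpseclib3\Exception\BadDecryptionException;

const IV_LEN  = 16; // the page's 16-character IV
const TAG_LEN = 16; // full-length GCM tag (assumed; the page gives no tag size)

function encrypt_secret(string $plaintext, string $key, string $aad): string
{
    $iv  = Random::string(IV_LEN);           // Step 2: fresh per call; a GCM nonce must never repeat under one key
    $aes = new AES('gcm');                   // Step 3
    $aes->setKey($key);                      // Step 3.1
    $aes->setNonce($iv);                     // Step 3.2
    $aes->setAAD($aad);                      // Step 3.3: authenticated but not encrypted
    $ciphertext = $aes->encrypt($plaintext); // Step 4
    $tag = $aes->getTag(TAG_LEN);            // Step 5
    return base64_encode($iv . $ciphertext . $tag); // Steps 6 and 7: IV || ciphertext || tag
}

function decrypt_secret(string $stored, string $key, string $aad): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < IV_LEN + TAG_LEN) {
        return null; // not valid base64, or too short to hold IV and tag
    }
    $aes = new AES('gcm');
    $aes->setKey($key);
    $aes->setNonce(substr($raw, 0, IV_LEN));
    $aes->setAAD($aad);
    $aes->setTag(substr($raw, -TAG_LEN));
    try {
        return $aes->decrypt(substr($raw, IV_LEN, -TAG_LEN));
    } catch (BadDecryptionException $e) {
        return null; // tag mismatch: wrong key, altered data, or different associated data
    }
}

$key    = Random::string(32);       // Step 1: 32 random bytes, i.e. an AES-256 key
$aad    = 'example-context';        // constructed value (assumption)
$stored = encrypt_secret('constructed-api-key-123', $key, $aad);
var_dump(decrypt_secret($stored, $key, $aad));                   // round trip
$tampered = base64_decode($stored);
$tampered[IV_LEN] = $tampered[IV_LEN] ^ "\x01";                  // flip one ciphertext bit
var_dump(decrypt_secret(base64_encode($tampered), $key, $aad));  // modified ciphertext
var_dump(decrypt_secret($stored, $key, 'other-context'));        // mismatched associated data
```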
