ionCube PHP Encoder External Key Protection Image

Last Updated – May 2024

The simple answer is to use a compiled code tool and implement as many security features as possible, but time can be a factor, and when other matters take precedence less time goes into security. If your code is valuable then you really should spend time adding more layers of code protection (obfuscation, script licensing, encryption). One feature in particular sets ionCube apart from other tools: it offers advanced protection for your PHP code and is fairly quick to set up.

We have talked about External Keys before, but not when considering ‘which method is the fastest to set up?’ Security vs. performance is a trade-off all developers have to consider at some point, since improving one usually impacts the other negatively. We are firmly on the side of security of course, but we receive a lot of email from people who need to deploy very soon and are unfortunately out of time when it comes to security. In this situation you may be tempted to opt for a lower grade of protection which takes minimal time to implement, but there is a solution which gives a greater level of protection and only takes a few minutes to set up. External Keys are quick to set up and give a high level of protection for your PHP code. Here is a quick run-through of how to get set up.

There are a few types of external keys you can add but we will focus on the simplest file-based external key. This method can be used in different ways but the fastest and easiest use is when you are deploying to your own servers since you will know the runtime location of the key.

A file-based external key requires a secret file as the key which, due to the nature of being ‘a secret’, should not be named ‘key.jpeg’. You should pick a file which blends in with other files and cannot be easily discovered. For our example we are using a simple image file which could be part of a website banner or maybe your website logo.

The second step is to set up the runtime path, which is where the key will be located on your deployment server. You need to set this so that the Loader knows where to find your key, but nobody else will know this location!

To summarise, the key file is something you select locally when setting up your encoding project and the runtime path is where the key file will be when you actually deploy your code.
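A pre-deployment check for the key file and runtime path described above, as an added example that is not ionCube code or tooling. It assumes the Loader needs the deployed file to be byte-identical to the one selected when encoding, and that you record the file's SHA-256 yourself at that point; the function names and return codes are hypothetical.

```sh
#!/bin/sh
# Added example, not ionCube tooling. Assumption: the Loader needs the deployed
# key file to be byte-identical to the file selected when encoding.

# Print the SHA-256 of a file with whichever common tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# check_external_key <deployed_key_path> <sha256_recorded_when_encoding>
# Returns 0 when the key is fit to deploy, otherwise:
#   1 missing or unreadable   2 content differs from the encoding-time file
#   3 writable by group/other 4 file name advertises that it is a key
check_external_key() {
    key_path=$1
    expected=$2

    if [ ! -f "$key_path" ] || [ ! -r "$key_path" ]; then
        echo "key file missing or unreadable at runtime path" >&2
        return 1
    fi

    # Image optimisers, CDN re-compression or a text-mode transfer change bytes.
    if [ "$(sha256_of "$key_path")" != "$expected" ]; then
        echo "key file content differs from the one used when encoding" >&2
        return 2
    fi

    # Characters 6 and 9 of the ls mode string are group-write and other-write.
    mode=$(ls -ld "$key_path" | cut -c1-10)
    case $mode in
        ?????w????|????????w?)
            echo "key file is writable by group or others: $mode" >&2
            return 3 ;;
    esac

    # The article's advice: the name should blend in, not say what it is.
    name=$(basename "$key_path" | tr '[:upper:]' '[:lower:]')
    case $name in
        *key*|*secret*)
            echo "key file name reveals its purpose: $name" >&2
            return 4 ;;
    esac
    return 0
}
```

Run it on the deployment server as the last step of a release, after any asset build or optimisation stage has finished, so a modified image is caught before the encoded code is served.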

If you are deploying to customer servers then you will need to tell them how to set up your project, and part of that setup would be which folders go in what locations (and this would secretly include where your key goes). External Keys can also be based on a property in your license files, as well as other methods described in our full user guides linked below. This article has speed of implementation in mind, but if you do want to go all-in on security then Dynamic Keys (also covered in the links below) are an even more powerful option available with ionCube.

GUI Guide on Dynamic & External Keys

Full ionCube Command-line Guide


What about website security? Take a look at ionCube24 for a suite of tools offering malware protection, service monitoring, PHP/JS error reporting and more as we expand our collection of website tools.

What is the best way to protect my PHP code?