philiprehberger/php-crypt
vv1.1.038 downloadsMIT
Secure-by-default encryption with AES-256-GCM and key rotation
$
composer require philiprehberger/php-cryptREADME
PHP Crypt
Secure-by-default encryption with AES-256-GCM and key rotation.
Requirements
- PHP 8.2+
- ext-openssl
Installation
composer require philiprehberger/php-crypt
Usage
Basic Encryption
use PhilipRehberger\Crypt\Crypt;
$key = Crypt::generateKey();
$encrypted = Crypt::encrypt('sensitive data', $key);
$decrypted = Crypt::decrypt($encrypted, $key);
Additional Authenticated Data (AAD)
Bind ciphertext to a context so it cannot be used elsewhere:
$encrypted = Crypt::encrypt('data', $key, aad: 'user:42');
$decrypted = Crypt::decrypt($encrypted, $key, aad: 'user:42');
Key Rotation
Re-encrypt data when rotating keys:
$rotated = Crypt::rotate($encrypted, $oldKey, $newKey);
Array Encryption
Encrypt and decrypt arrays (serialized as JSON):
$encrypted = Crypt::encryptArray(['name' => 'Alice', 'role' => 'admin'], $key);
$data = Crypt::decryptArray($encrypted, $key);
JSON Encryption
Encrypt and decrypt any JSON-serializable value:
$data = [
'user' => ['name' => 'Alice', 'email' => 'alice@example.com'],
'roles' => ['admin', 'editor'],
];
$encrypted = Crypt::encryptJson($data, $key);
$decrypted = Crypt::decryptJson($encrypted, $key); // returns the original structure
Key Validation
Check the strength of an encryption key:
$result = Crypt::validateKeyStrength($key);
// ['valid' => true, 'bits' => 256, 'recommendation' => null]
$weak = Crypt::validateKeyStrength(base64_encode('short'));
// ['valid' => false, 'bits' => 40, 'recommendation' => 'Key is 40-bit. A minimum of ...']
KeyChain (Multi-Key Management)
Manage key rotation transparently — encrypts with the current key, decrypts with any known key:
use PhilipRehberger\Crypt\KeyChain;
$chain = new KeyChain($newKey, $oldKey1, $oldKey2);
$encrypted = $chain->encrypt('data');
$decrypted = $chain->decrypt($encryptedWithAnyKey);
// Re-encrypt all ciphertexts with the current key
$rotated = $chain->rotateAll($ciphertexts);
API
Crypt (Static)
| Method | Description |
|---|---|
generateKey(): string | Generate a random base64-encoded 32-byte key |
encrypt(string $data, string $key, ?string $aad = null): string | Encrypt data with AES-256-GCM |
decrypt(string $encrypted, string $key, ?string $aad = null): string | Decrypt AES-256-GCM ciphertext |
rotate(string $encrypted, string $oldKey, string $newKey): string | Re-encrypt data with a new key |
encryptArray(array $data, string $key): string | Encrypt an array as JSON |
decryptArray(string $encrypted, string $key): array | Decrypt a JSON-encoded array |
encryptJson(mixed $data, string $key): string | JSON-encode any value then encrypt |
decryptJson(string $encrypted, string $key): mixed | Decrypt then JSON-decode |
validateKeyStrength(string $key): array | Check key bit length and strength |
KeyChain
| Method | Description |
|---|---|
__construct(string $currentKey, string ...$previousKeys) | Create a key chain |
encrypt(string $data): string | Encrypt with the current key |
decrypt(string $encrypted): string | Decrypt with any key in the chain |
rotateAll(array $ciphertexts): array | Re-encrypt all ciphertexts with the current key |
Exceptions
| Exception | When |
|---|---|
InvalidKeyException | Key is not a valid base64-encoded 32-byte string |
DecryptionException | Decryption fails (wrong key, tampered data, invalid ciphertext) |
Development
composer install
vendor/bin/phpunit
vendor/bin/pint --test
vendor/bin/phpstan analyse
Support
If you find this project useful: