Search by 
philiprehberger / php-crypt
Secure-by-default encryption with AES-256-GCM and key rotation
Maintainers
Fund package maintenance!
v1.1.0
2026-03-23 06:08 UTC
Requires
- php: ^8.2
- ext-openssl: *
Requires (Dev)
- laravel/pint: ^1.0
- phpstan/phpstan: ^1.12|^2.0
- phpunit/phpunit: ^11.0
README
Secure-by-default encryption with AES-256-GCM and key rotation.
Requirements
- PHP 8.2+
- ext-openssl
Installation
composer require philiprehberger/php-crypt
Usage
Basic Encryption
use PhilipRehberger\Crypt\Crypt; $key = Crypt::generateKey(); $encrypted = Crypt::encrypt('sensitive data', $key); $decrypted = Crypt::decrypt($encrypted, $key);
Additional Authenticated Data (AAD)
Bind ciphertext to a context so it cannot be used elsewhere:
$encrypted = Crypt::encrypt('data', $key, aad: 'user:42'); $decrypted = Crypt::decrypt($encrypted, $key, aad: 'user:42');
Key Rotation
Re-encrypt data when rotating keys:
$rotated = Crypt::rotate($encrypted, $oldKey, $newKey);
Array Encryption
Encrypt and decrypt arrays (serialized as JSON):
$encrypted = Crypt::encryptArray(['name' => 'Alice', 'role' => 'admin'], $key); $data = Crypt::decryptArray($encrypted, $key);
JSON Encryption
Encrypt and decrypt any JSON-serializable value:
$data = [ 'user' => ['name' => 'Alice', 'email' => 'alice@example.com'], 'roles' => ['admin', 'editor'], ]; $encrypted = Crypt::encryptJson($data, $key); $decrypted = Crypt::decryptJson($encrypted, $key); // returns the original structure
Key Validation
Check the strength of an encryption key:
$result = Crypt::validateKeyStrength($key); // ['valid' => true, 'bits' => 256, 'recommendation' => null] $weak = Crypt::validateKeyStrength(base64_encode('short')); // ['valid' => false, 'bits' => 40, 'recommendation' => 'Key is 40-bit. A minimum of ...']
KeyChain (Multi-Key Management)
Manage key rotation transparently — encrypts with the current key, decrypts with any known key:
use PhilipRehberger\Crypt\KeyChain; $chain = new KeyChain($newKey, $oldKey1, $oldKey2); $encrypted = $chain->encrypt('data'); $decrypted = $chain->decrypt($encryptedWithAnyKey); // Re-encrypt all ciphertexts with the current key $rotated = $chain->rotateAll($ciphertexts);
API
Crypt (Static)
| Method | Description |
|---|---|
generateKey(): string |
Generate a random base64-encoded 32-byte key |
encrypt(string $data, string $key, ?string $aad = null): string |
Encrypt data with AES-256-GCM |
decrypt(string $encrypted, string $key, ?string $aad = null): string |
Decrypt AES-256-GCM ciphertext |
rotate(string $encrypted, string $oldKey, string $newKey): string |
Re-encrypt data with a new key |
encryptArray(array $data, string $key): string |
Encrypt an array as JSON |
decryptArray(string $encrypted, string $key): array |
Decrypt a JSON-encoded array |
encryptJson(mixed $data, string $key): string |
JSON-encode any value then encrypt |
decryptJson(string $encrypted, string $key): mixed |
Decrypt then JSON-decode |
validateKeyStrength(string $key): array |
Check key bit length and strength |
KeyChain
| Method | Description |
|---|---|
__construct(string $currentKey, string ...$previousKeys) |
Create a key chain |
encrypt(string $data): string |
Encrypt with the current key |
decrypt(string $encrypted): string |
Decrypt with any key in the chain |
rotateAll(array $ciphertexts): array |
Re-encrypt all ciphertexts with the current key |
Exceptions
| Exception | When |
|---|---|
InvalidKeyException |
Key is not a valid base64-encoded 32-byte string |
DecryptionException |
Decryption fails (wrong key, tampered data, invalid ciphertext) |
Development
composer install vendor/bin/phpunit vendor/bin/pint --test vendor/bin/phpstan analyse
Support
If you find this project useful: