rinzler / user-encryption
User asymmetric encryption wrapper using private and public keys for Crypton.
Maintainers
Requires
- php: ^8.2
- laravel/framework: ^11.0|^12.0
- paragonie/halite: ^5.1
- paragonie/pqcrypto_compat: ^0.3
- paragonie/sodium_compat: ^2
Requires (Dev)
- orchestra/testbench: ^9.0|^10.0
- phpunit/phpunit: ^11.0
This package is auto-updated.
Last update: 2026-05-03 23:02:50 UTC
README
Laravel package for per-user asymmetric encryption: legacy RSA-OAEP or ML-KEM-768 wraps the Halite / libsodium encryption secret; user content is sealed with Crypto::seal and unsealed with the user’s secret (typically from a session cookie after unlock).
Requires: PHP ^8.2, Laravel ^11 or ^12, paragonie/halite ^5.1, paragonie/pqcrypto_compat, paragonie/sodium_compat, and the host app’s App\User model with an encryption() relation and a uuid attribute (see tests/Stubs/App/User.php). Version is defined in composer.json.
Demo app (demo/)
A self-contained Laravel skeleton lives under demo/. It Composer-links the parent package from .. so you can run create / decrypt in a browser without installing from GitLab.
cd demo
composer install
cp .env.example .env && php artisan key:generate
touch database/database.sqlite
php artisan migrate --seed
php artisan serve
Package migrations load from ../src/migrations (no vendor:publish required for the schema). Optionally publish config: php artisan vendor:publish --tag=userencryption.
See demo/README.md for details and caveats (auto-login is dev-only).
Installation
composer require rinzler/user-encryption
Publish and run migrations:
php artisan vendor:publish --tag=userencryption
php artisan migrate
Register the service provider if discovery is disabled:
Rinzler\UserEncryption\UserEncryptionServiceProvider::class,
Routes ship with web, auth, and throttle:30,1 (30 attempts per minute per IP) so a standard Crypton install does not need extra route wiring for those concerns.
Routes
| Method | URI | Route name |
|---|---|---|
| POST | /encryption/new | user-encryption.new |
| POST | /encryption/decrypt | user-encryption.decrypt |
new— Create RSA + Halite key material, store inuser_encryption, set unlock cookie.decrypt— Submit passphrase to unlock master key and set the same style of cookie.
Use the default web stack (session, CSRF) from the browser. Unlock cookies use HttpOnly, Secure when config('session.secure') is true, and SameSite when your Laravel cookie jar supports session.same_site.
Database
Table user_encryption (after migrate): belongs_to, rsa_master_private_key, rsa_master_public_key (legacy RSA-OAEP PEM material; empty for ML-KEM-only rows), encryption_private_key, encryption_public_key, timestamps.
Main API
- Facade / container:
UserEncryption→Rinzler\UserEncryption\Support\UserEncryption(seeRinzler\UserEncryption\Facades\UserEncryption). Rinzler\UserEncryption\Support\UserEncryptiongenerateEncryptionKey($passphrase)— throwsRuntimeExceptionif OpenSSL key generation fails.generateAESKey()— Halite encryption keypair (hex-encoded material in the returned array; name is historical).encryptAESKey/decryptAESKey— RSA-OAEP wrap/unwrap of the Halite secret (falseon failure).encryptString($data, $publicKeyString)/decryptString($data)— Halite seal/unseal;decryptStringreturns a plain string and may throwHttpResponseExceptionfor redirects when the unlock cookie is missing or invalid.
See src/ for implementation details.
Tests
From a clone of this repo (dev dependencies include Orchestra Testbench 9 and PHPUnit 11):
composer install
composer test
Tests use Orchestra Testbench with an in-memory SQLite database and a test-only App\User under tests/Stubs/App/ (your production app supplies the real App\User).
Security
This package handles high-value secrets (keys in the DB, material in cookies). Use HTTPS in production (session.secure / APP_URL), keep a strong passphrase policy in your forms if you need more than required, and review your overall threat model (XSS, DB access, backups).
License
GNU General Public License v3.0 or later (SPDX: GPL-3.0-or-later).