keboola / object-encryptor
JSON object encryption library
Requires
- php: >=8.2
- ext-json: *
- ext-zlib: *
- aws/aws-sdk-php: ^3.209
- defuse/php-encryption: ^2.3
- google/cloud-kms: ^1.20
- keboola/azure-key-vault-client: ^4.1
- keboola/common-exceptions: ^1.2
- symfony/uid: ^7.2
- vkartaviy/retry: ^0.2
Requires (Dev)
- infection/infection: ^0.26
- keboola/coding-standard: ^15.0
- monolog/monolog: ^3.9
- phpstan/phpstan: ^1.8
- phpstan/phpstan-phpunit: ^1.0
- phpunit/phpunit: ^9.5
- sempro/phpunit-pretty-print: ^1.4
- symfony/dotenv: ^5.4|^6.0
- dev-main
- 2.13.1
- 2.13.0
- 2.12.0
- 2.11.1
- 2.11.0
- 2.10.0
- 2.9.0
- 2.8.1
- 2.8.0
- 2.7.1
- 2.7.0
- 2.6.0
- 2.5.0
- 2.4.0
- 2.3.0
- 2.2.2
- 2.2.1
- 2.2.0
- 2.1.0
- 2.0.0
- 1.0.0
- 0.4.2
- 0.4.1
- 0.4.0
- 0.3.2
- 0.3.1
- 0.3.0
- 0.2.0
- 0.1.4
- 0.1.3
- 0.1.2
- 0.1.1
- 0.1.0
- 0.0.8
- 0.0.7
- 0.0.6
- 0.0.5
- 0.0.4
- 0.0.3
- 0.0.2
- 0.0.1
- dev-roman-pat-88-akv-migration-decommissioning
This package is auto-updated.
Last update: 2025-06-10 09:08:00 UTC
README
Object Encryptor
Library provides interface for encrypting PHP arrays, stdclass objects and scalars. A cipher may contain additional metadata which limits the conditions under which it may be decrypted. The library uses the defuse/php-encryption encryption method with AWS KMS or Azure Key Vault managed keys or Google Cloud KMS.
Requirements
The library supports PHP 8.1+.
Usage
Entry point to the library is the ObjectEncryptorFactory class which creates instances of ObjectEncryptor class which
has encryptGeneric, encryptForComponent, encryptForProject, encryptForConfiguration, encryptForProjectWide
encryptForBranchType, encryptForBranchTypeConfiguration, encryptForProjectWideBranchType and corresponding decryptXXX
methods. The actual encryption and decryption mechanisms are implemented using Crypto Wrappers.
Crypto wrappers implement different verification methods using cypher metadata.
Usage
Initialize the library using the factory class:
$encryptor = ObjectEncryptorFactory::getEncryptor( new EncryptorOptions( 'my-stack', $kmsKeyId, $kmsRegion, $akvUrl ) ); $encryptor->encryptForComponent('secret', 'my-component');
Alternatively, you can use getAwsEncryptor and getAzureEncryptor and getGcpEncryptor to get cloud specific object encryptors.
Wrappers
Depending on the provided keys and parameters, the following wrappers will be available:
GenericKMSWrapper- AWS KMS wrapper forKBC::Secure::ciphers, requireskmsKeyIdandkmsRegion. Also, the runner must have AWS credentials available (AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY)ComponentKMSWrapper- AWS KMS wrapper forKBC::ComponentSecure::ciphers, requireskmsKeyId,kmsRegion,stackIdandcomponentIdProjectKMSWrapper- AWS KMS wrapper forKBC::ProjectSecure::ciphers, requireskmsKeyId,kmsRegion,stackId,componentIdandprojectId.ConfigurationKMSWrapper- AWS KMS wrapper forKBC::ConfigSecure::ciphers, requireskmsKeyId,kmsRegion,stackId,componentId,projectIdandconfigurationId.ProjectWideKMSWrapper- AWS KMS wrapperKBC::ProjectWideSecure::ciphers, requireskmsKeyId,kmsRegion,stackId, andprojectId.BranchTypeProjectKMSWrapper- AWS KMS wrapperKBC::BranchTypeSecure::ciphers, requireskmsKeyId,kmsRegion,stackId,componentId, projectIdandbranchType`.BranchTypeConfigurationKMSWrapper- AWS KMS wrapperKBC::BranchTypeConfigSecure::ciphers, requireskmsKeyId,kmsRegion,stackId,componentId,projectId,configurationIdandbranchType.BranchTypeProjectWideKMSWrapper- AWS KMS wrapperKBC::ProjectWideBranchTypeSecure::ciphers, requireskmsKeyId,kmsRegion,stackId,projectIdandbranchType.GenericAKVWrapper- Azure Key Vault wrapper forKBC::SecureKV::ciphers, requiresakvUrl. Also, the runner must have AWS credentials available (AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY)ComponentAKVWrapper- Azure Key Vault wrapper forKBC::ComponentSecureKV::ciphers, requiresakvUrl,stackIdandcomponentIdProjectAKVWrapper- Azure Key Vault wrapper forKBC::ProjectSecureKV::ciphers, requiresakvUrl,stackId,componentIdandprojectId.ConfigurationAKVWrapper- Azure Key Vault wrapper forKBC::ConfigSecureKV::ciphers, requiresakvUrl,stackId,componentId,projectIdandconfigurationId.ProjectWideAKVWrapper- Azure Key Vault wrapperKBC::ProjectWideSecureKV::ciphers, requiresakvUrl,stackId, andprojectId.BranchTypeProjectAKVWrapper- Azure Key Vault wrapperKBC::BranchTypeSecureKV::ciphers, requiresakvUrl,stackId,componentId, projectIdandbranchType`.BranchTypeConfigurationAKVWrapper- Azure Key Vault wrapperKBC::BranchTypeConfigSecureKV::ciphers, requiresakvUrl,stackId,componentId,projectId,configurationIdandbranchType.BranchTypeProjectWideAKVWrapper- Azure Key Vault wrapperKBC::ProjectWideBranchTypeSecureKV::ciphers, requiresakvUrl,stackId,projectIdandbranchType.GenericGKMSWrapper- Google KMS wrapper forKBC::SecureGKMS::ciphers, requiresgkmsKeyId. Also, the runner must have AWS credentials available (AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY)ComponentGKMSWrapper- Google KMS wrapper forKBC::ComponentSecureGKMS::ciphers, requiresgkmsKeyId,stackIdandcomponentIdProjectGKMSWrapper- Google KMS wrapper forKBC::ProjectSecureGKMS::ciphers, requiresgkmsKeyId,stackId,componentIdandprojectId.ConfigurationGKMSWrapper- Google KMS wrapper forKBC::ConfigSecureGKMS::ciphers, requiresgkmsKeyId,stackId,componentId,projectIdandconfigurationId.ProjectWideGKMSWrapper- Google KMS wrapperKBC::ProjectWideSecureGKMS::ciphers, requiresgkmsKeyId,stackId, andprojectId.BranchTypeProjectGKMSWrapper- Google KMS wrapperKBC::BranchTypeSecureGKMS::ciphers, requiresgkmsKeyId,stackId,componentId, projectIdandbranchType`.BranchTypeConfigurationGKMSWrapper- Google KMS wrapperKBC::BranchTypeConfigSecureGKMS::ciphers, requiresgkmsKeyId,stackId,componentId,projectId,configurationIdandbranchType.BranchTypeProjectWideGKMSWrapper- Google KMS wrapperKBC::ProjectWideBranchTypeSecureGKMS::ciphers, requiresgkmsKeyId,stackId,projectIdandbranchType.
During encryption, the wrapper has to be specified (each encryptXXX method uses one). During decryption,
the wrapper is chosen automatically by the cipher prefix. This means that decryptForConfiguration method is also
capable of decrypting ciphers created by encryptForComponent or encryptForProject ciphers.
If the wrapper is not available (key or parameters are not set or equal to those in the cipher),
the value cannot be deciphered and an exception is thrown.
Development
Prerequisites:
- configured access to cloud providers
- installed Azure CLI
az(and runaz login) - installed AWS CLI
aws(and runaws configure --profile YOUR_AWS_PROFILE_NAME) - installed GCP CLI
gcloud(and rungcloud auth loginorgcloud auth application-default login)
- installed Azure CLI
- installed
terraform(https://www.terraform.io) andjq(https://stedolan.github.io/jq) to setup local env - installed
dockerto run & develop the app
export NAME_PREFIX= # your name/nickname to make your resource unique & recognizable export AWS_PROFILE= # your AWS profile name e.g. Keboola-Dev-Platform-Services-AWSAdministratorAccess cat <<EOF > ./provisioning/local/terraform.tfvars name_prefix = "${NAME_PREFIX}" EOF terraform -chdir=./provisioning/local init -backend-config="key=object-encryptor/${NAME_PREFIX}.tfstate" terraform -chdir=./provisioning/local apply ./provisioning/local/update-env.sh aws # or azure or gcp docker compose run --rm tests
License
MIT licensed, see LICENSE file.