A petite library of encryption functionality for PHP

13.2.0 2022-04-14 04:51 UTC


StyleCI Build Status Code Coverage Scrutinizer Code Quality Code Climate GPA License Latest Stable Version

A petite library of essential encryption functions for PHP 7.1+. For legacy PHP version support, look here. If you need a dcrypt inspired encryption library for .NET, check out harpocrates.


Add dcrypt to your composer.json file requirements. Don't worry, dcrypt does not have any dependencies of its own.

composer require "mmeyer2k/dcrypt:^13.2"

Block Ciphers

The dcrypt library helps application developers avoid common mistakes in crypto implementations that leave data at risk.

Specification document


Safe usage of dcrypt's block cipher functions requires the use of a high entropy 256 bit (minimum) key. Keys should be passed into dcrypt in base64 encoded format. You are responsible for the randomness of your key!

Generate a new key on the linux CLI:

head -c 32 /dev/urandom | base64 -w 0 | xargs echo

Or with PHP...

$key = \Dcrypt\OpensslKey::create(32);

AES-256 GCM Encryption

Since PHP 7.1 supports native AEAD encryption modes, using GCM would be safest option for most applications. Dcrypt will handle the AEAD authentication tag, SHA3-256 HMAC, initialization vector and encrypted message as a single unencoded string.

$key = \Dcrypt\OpensslKey::create(32);

$encrypted = \Dcrypt\Aes::encrypt('a secret', $key);

$plaintext = \Dcrypt\Aes::decrypt($encrypted, $key);

If in doubt, use this example and don't read any further!

Other AES-256 Modes

If you read to this point then you are an experienced cryptonaut, congrats! 👌 🤘

Several AES-256 encryption modes are supported out of the box via hardcoded classes.

Class Name OpenSSL Cipher Security Rating Further Reading
Aes256Gcm or Aes aes-256-gcm 😃 wiki
Aes256Ctr aes-256-ctr ☺️ wiki
Aes256Cbc aes-256-cbc 😑 wiki
Aes256Ofb aes-256-ofb 😬 wiki
Aes256Cfb aes-256-cfb 😯 wiki
Aes256Ccm aes-256-ccm 😲 wiki
Aes256Ecb aes-256-ecb 😡 wiki

Custom Encryption Suites

Dcrypt is compatible with most OpenSSL ciphers and hashing algorithms supported by PHP. Run openssl_get_cipher_methods() and hash_algos() to view supported options on your platform.

Static Wrapper

Use any cipher/algo combination by calling the OpensslStatic class.

$encrypted = \Dcrypt\OpensslStatic::encrypt('a secret', $key, 'bf-ofb', 'crc32');

$plaintext = \Dcrypt\OpensslStatic::decrypt($encrypted, $key, 'bf-ofb', 'crc32');

Class Overloading

Dcrypt's internal functions are easily extendable by overloading the OpensslBridge class.

class BlowfishCrc32 extends \Dcrypt\OpensslBridge 
    const CIPHER = 'bf-ofb';

    const ALGO = 'crc32';

$encrypted = BlowfishCrc32::encrypt('a secret', $key);

$plaintext = BlowfishCrc32::decrypt($encrypted, $key);

Layered Encryption Factory

Feeling especially paranoid? Not sure which cipher methods and algos can be trusted? Why not try all of them.

$stack = (new \Dcrypt\OpensslStack($key))
    ->add('aes-256-ecb', 'snefru')
    ->add('aes-256-ofb', 'sha224')
    ->add('aes-256-cbc', 'sha256')
    ->add('aes-256-ctr', 'sha384')
    ->add('aes-256-gcm', 'sha512');

$encrypted = $stack->encrypt('a secret');

$plaintext = $stack->decrypt($encrypted);

Message Authenticity Checking

By default, \Dcrypt\Exceptions\InvalidChecksumException exception will be raised before decryption is allowed to proceed when the supplied checksum is not valid.

try {
    $decrypted = \Dcrypt\Aes::decrypt('malformed cyphertext', $key);
} catch (\Dcrypt\Exceptions\InvalidChecksumException $ex) {
    // ...

Stream Ciphers

Be sure you understand the risks and inherent issues of using a stream cipher before proceeding.

One Time Pad

A novel counter-based stream cipher. OneTimePad uses SHA3-512 to output a keystream that is ⊕'d with the input in 512 bit chunks.

Specification document

$encrypted = \Dcrypt\OneTimePad::crypt('a secret', $key);

$plaintext = \Dcrypt\OneTimePad::crypt($encrypted, $key);

OneTimePad can use any hashing algorithm to generate the pseudorandom keystream.

$encrypted = \Dcrypt\OneTimePad::crypt('a secret', $key, 'whirlpool');

$plaintext = \Dcrypt\OneTimePad::crypt($encrypted, $key, 'whirlpool');

String Helpers

Generate random base62 string tokens with specified number of characters.

$token = \Dcrypt\Str::token(10);

Compare 2 strings in a time-safe manner.

$equal = \Dcrypt\Str::equal($known, $given);

Show me some love 😍🍺

Developing dcrypt has been a great journey for many years. If you find dcrypt useful, please consider donating.

LTC: LN97LrLCNiv14V6fntp247H2pj9UiFzUQZ BTC: 3N7vhA6ghWb1VrP4nGA6m6mzA9T2ASCVEj ETH: 0xe14a56046f28fCEF56A0EA4a84973bDdFF546923