philiprehberger/php-crypt

Secure-by-default encryption with AES-256-GCM and key rotation

Maintainers

Package info

github.com/philiprehberger/php-crypt

pkg:composer/philiprehberger/php-crypt

Statistics

Installs: 1

Dependents: 0

Suggesters: 0

Stars: 1

Open Issues: 0

Security

Advisories: 0

Aikido package health analysis

v1.0.3 2026-03-17 20:06 UTC

Requires

Requires (Dev)

MIT 8deccea4a392f7bc3719ca9568af8342cc67d528

  • Philip Rehberger <me.woop@philiprehberger.com>

securityencryptioncryptoopensslaes-256-gcmkey-rotation

This package is auto-updated.

Last update: 2026-03-17 20:07:16 UTC

README

Tests Latest Version on Packagist License

Secure-by-default encryption with AES-256-GCM and key rotation. Zero external dependencies — uses PHP's built-in OpenSSL extension.

Requirements

Dependency Version
PHP ^8.2
ext-openssl *

Installation

composer require philiprehberger/php-crypt

Usage

Basic Encryption

use PhilipRehberger\Crypt\Crypt;

$key = Crypt::generateKey();

$encrypted = Crypt::encrypt('sensitive data', $key);
$decrypted = Crypt::decrypt($encrypted, $key);

Additional Authenticated Data (AAD)

Bind ciphertext to a context so it cannot be used elsewhere:

$encrypted = Crypt::encrypt('data', $key, aad: 'user:42');
$decrypted = Crypt::decrypt($encrypted, $key, aad: 'user:42');

Key Rotation

Re-encrypt data when rotating keys:

$rotated = Crypt::rotate($encrypted, $oldKey, $newKey);

Array Encryption

Encrypt and decrypt arrays (serialized as JSON):

$encrypted = Crypt::encryptArray(['name' => 'Alice', 'role' => 'admin'], $key);
$data = Crypt::decryptArray($encrypted, $key);

KeyChain (Multi-Key Management)

Manage key rotation transparently — encrypts with the current key, decrypts with any known key:

use PhilipRehberger\Crypt\KeyChain;

$chain = new KeyChain($newKey, $oldKey1, $oldKey2);

$encrypted = $chain->encrypt('data');
$decrypted = $chain->decrypt($encryptedWithAnyKey);

// Re-encrypt all ciphertexts with the current key
$rotated = $chain->rotateAll($ciphertexts);

API

Crypt (Static)

Method Description
generateKey(): string Generate a random base64-encoded 32-byte key
encrypt(string $data, string $key, ?string $aad = null): string Encrypt data with AES-256-GCM
decrypt(string $encrypted, string $key, ?string $aad = null): string Decrypt AES-256-GCM ciphertext
rotate(string $encrypted, string $oldKey, string $newKey): string Re-encrypt data with a new key
encryptArray(array $data, string $key): string Encrypt an array as JSON
decryptArray(string $encrypted, string $key): array Decrypt a JSON-encoded array

KeyChain

Method Description
__construct(string $currentKey, string ...$previousKeys) Create a key chain
encrypt(string $data): string Encrypt with the current key
decrypt(string $encrypted): string Decrypt with any key in the chain
rotateAll(array $ciphertexts): array Re-encrypt all ciphertexts with the current key

Exceptions

Exception When
InvalidKeyException Key is not a valid base64-encoded 32-byte string
DecryptionException Decryption fails (wrong key, tampered data, invalid ciphertext)

Development

composer install
vendor/bin/phpunit
vendor/bin/pint --test
vendor/bin/phpstan analyse

License

MIT