A petite library of essential encryption functions for PHP 7.1+. For legacy PHP version support, look here.

Add dcrypt to your composer.json file requirements. Don't worry, dcrypt does not have any dependencies of its own.

composer require "mmeyer2k/dcrypt:^13.2"

The dcrypt library helps application developers avoid common mistakes in crypto implementations that leave data at risk.

Specification document

Safe usage of dcrypt's block cipher functions requires the use of a high entropy 256 bit (minimum) key. Keys should be passed into dcrypt in base64 encoded format. You are responsible for the randomness of your key!

Generate a new key on the linux CLI:

head -c 32 /dev/urandom | base64 -w 0 | xargs echo

Or with PHP...

<?php
$key = \Dcrypt\OpensslKey::create(32);

Since PHP 7.1 supports native AEAD encryption modes, using GCM would be safest option for most applications. Dcrypt will handle the AEAD authentication tag, SHA3-256 HMAC, initialization vector and encrypted message as a single unencoded string.

<?php
$key = '[...BASE64 KEY...]';

$encrypted = \Dcrypt\Aes::encrypt('a secret', $key);

$plaintext = \Dcrypt\Aes::decrypt($encrypted, $key);

If in doubt, use this example and don't read any further!

If you read to this point then you are an experienced cryptonaut, congrats! 👌 🤘

Several AES-256 encryption modes are supported out of the box via hardcoded classes.

Dcrypt is compatible with most OpenSSL ciphers and hashing algorithms supported by PHP. Run openssl_get_cipher_methods() and hash_algos() to view supported options on your platform.

Use any cipher/algo combination by calling the OpensslStatic class.

<?php
$encrypted = \Dcrypt\OpensslStatic::encrypt('a secret', $key, 'bf-ofb', 'crc32');

$plaintext = \Dcrypt\OpensslStatic::decrypt($encrypted, $key, 'bf-ofb', 'crc32');

Dcrypt's internal functions are easily extendable by overloading the OpensslBridge class.

<?php
class BlowfishCrc32 extends \Dcrypt\OpensslBridge 
{
    const CIPHER = 'bf-ofb';

    const ALGO = 'crc32';
}

$encrypted = BlowfishCrc32::encrypt('a secret', $key);

$plaintext = BlowfishCrc32::decrypt($encrypted, $key);

Feeling especially paranoid? Not sure which cipher methods and algos can be trusted? Why not try all of them.

<?php
$stack = (new \Dcrypt\OpensslStack($key))
    ->add('aes-256-ecb', 'snefru')
    ->add('aes-256-ofb', 'sha224')
    ->add('aes-256-cbc', 'sha256')
    ->add('aes-256-ctr', 'sha384')
    ->add('aes-256-gcm', 'sha512');

$encrypted = $stack->encrypt('a secret');

$plaintext = $stack->decrypt($encrypted);

By default, \Dcrypt\Exceptions\InvalidChecksumException exception will be raised before decryption is allowed to proceed when the supplied checksum is not valid.

<?php
try {
    $decrypted = \Dcrypt\Aes::decrypt('malformed cyphertext', $key);
} catch (\Dcrypt\Exceptions\InvalidChecksumException $ex) {
    // ...
}

Be sure you understand the risks and inherent issues of using a stream cipher before proceeding.

• Each key should only be used once
• Data integrity can not be guaranteed
• https://en.wikipedia.org/wiki/Stream_cipher_attacks
• https://jameshfisher.com/2018/01/01/making-a-stream-cipher/

A novel counter-based stream cipher. OneTimePad uses SHA3-512 to output a keystream that is ⊕'d with the input in 512 bit chunks.

Specification document

<?php
$encrypted = \Dcrypt\OneTimePad::crypt('a secret', $key);

$plaintext = \Dcrypt\OneTimePad::crypt($encrypted, $key);

OneTimePad can use any hashing algorithm to generate the pseudorandom keystream.

<?php
$encrypted = \Dcrypt\OneTimePad::crypt('a secret', $key, 'whirlpool');

$plaintext = \Dcrypt\OneTimePad::crypt($encrypted, $key, 'whirlpool');

Generate random base62 string tokens with specified number of characters.

$token = \Dcrypt\Str::token(10);

Compare 2 strings in a time-safe manner.

$equal = \Dcrypt\Str::equal($known, $given);

Developing dcrypt has been a great journey for many years. If you find dcrypt useful, please consider donating.

Or please consider checking out my dcrypt inspired encryption library for .NET, check out harpocrates.