AES256 encryption/decryption script using CBC + hashmac

This extension is a usefull class that let you encrypt/decrypt string (or object serializable) using strong AES256 (Advanced Encryption Standard with a key of 256 bits) standard with CBC + hashMac (mash-based message authentification code).

It uses built-in PHP Mcrypt AES methods.


  • Yii 1.1 or above
  • PHP 5.3 or above
  • mcrypt lib activated server side.


To use AES into your project : - copy Aes256.php into a new folder in /protected/extensions/aes256/Aes256.php - add aes256 extension into your /config/main.php, in the component part. Sample :

            'class' => 'application.extensions.aes256.Aes256',
            'privatekey_32bits_hexadecimal'=> '0123456789012345678901234567890123456789012345678901234567890123', // be sure that this parameter uses EXACTLY 64 chars of hexa (a-f, 0-9)
  • if you want to encrypt/decrypt data, database side, include the method decrypt in your model in afterFind() and encrypt in beforeSave(). Sample :
protected function afterFind()
    // decrypt myEncrypted Field value that is encrypted database side
    $this->myEncryptedField = Yii::app()->aes256->decrypt($this->myEncryptedField);
    return parent::afterFind();
protected function beforeSave()
    $result = parent::beforeSave();     
    if(!$result) return false;
    // encrypt myEncrypted Field value
    $this->myEncryptedField = Yii::app()->aes256->encrypt($this->myEncryptedField);
    return $result;
  • Don't forget that search() model method won't work on encrypted data neither specific SQL queries dealing with encrypted fields. So don't forget that if you are using specific SQL query results (outside Yii ActiveRecord) you will have to encrypt/decrypt database field manually

  • Don't forget that encrypted string value could be long. Avoid short database row VARCHAR(256) for example (to avoid truncated encrypted value that won't be decryptable). Personnaly, i'm using TEXT type or VARCHAR(3000).


Sensitive data should be encrypted, and one of the most popular encryption specifications is the Advanced Encryption Standard (AES).

The AES specification, using the Rijndael algorithm, has been selected as the replacement for the 3DES algorithm that is implemented by Yii’s CSecurityManger.

We used CBC mode because it is more secured than ECB mode as it creates a different hash each time.

We also used hashMac (Hash-based message authentication code) to avoid several hacking exploits such as : padding oracle attach or bit flipping attach

Feel free to use last version in github

Total 5 comments

#19797 report it
Gledson Eduardo at 2016/03/08 10:51pm
dinamic privatekey_32bits_hexadecimal?


Great job!

It's possible use dinamic privatekey_32bits_hexadecimal? For example, based in username?


#16194 report it
Revelis Luc Bonnin at 2014/01/27 07:32am
reply to #16191

We can extend CSecurityManager but i prefered not to do it because if someone already use CSecurityManager he potentially could call hashData + encrypt method and my encrypt method already include hash. So to avoid mistake or double use of hash (for example) i chose to create a separated extension with only 2 easy methods encrypt/decrypt. No additional choice such ash hasmac or not, validation or not... and so on. Anyway, anyone could use the Aes256 extension to make their own CSecurityManager overriden class, and perhaps share it here.

#16191 report it
nineinchnick at 2014/01/27 06:32am
reply to #16190

Can't CSecurityManager be extended to override the mode used and change it to CBC? If anybody alerady uses it it would be easier to switch.

#16190 report it
Revelis Luc Bonnin at 2014/01/27 06:09am
reply to #161189

Hi nineinchnick. Thanks for the comment, i will modify the extension description to be more relevant (about php built-in). About CSecurityManager it doesn't use the AES256 CBC mode but ECB mode which is less secured than CBC.

#16189 report it
nineinchnick at 2014/01/27 05:52am

When it comes to encryption, you should be more specific and precise. The description should include that you use the AES that is built-in PHP and not your own implementation. Also, you use the phrase To implement AES for your project and I don't think anybody really wants to implement AES, only use it.

BTW why not extending CSecurityManager to provide a similar interface?

Leave a comment

Please to leave your comment.

Create extension