Final Class Yiisoft\Security\Crypt
| Inheritance | Yiisoft\Security\Crypt |
|---|---|
Public Methods
| Method | Description | Defined By |
|---|---|---|
| __construct() | | Yiisoft\Security\Crypt |
| decryptByKey() | Verifies and decrypts data encrypted with encryptByKey(). | Yiisoft\Security\Crypt |
| decryptByPassword() | Verifies and decrypts data encrypted with encryptByPassword(). | Yiisoft\Security\Crypt |
| encryptByKey() | Encrypts data using a cryptographic key. | Yiisoft\Security\Crypt |
| encryptByPassword() | Encrypts data using a password. | Yiisoft\Security\Crypt |
| withAuthorizationKeyInfo() | | Yiisoft\Security\Crypt |
| withDerivationIterations() | | Yiisoft\Security\Crypt |
| withKdfAlgorithm() | | Yiisoft\Security\Crypt |
Constants
| Constant | Value | Description | Defined By |
|---|---|---|---|
| ALLOWED_CIPHERS | [ 'AES-128-CBC' => [ 16, 16, ], 'AES-192-CBC' => [ 16, 24, ], 'AES-256-CBC' => [ 16, 32, ], ] | | Yiisoft\Security\Crypt |
Method Details
| public __construct( string $cipher = 'AES-128-CBC' ): mixed | | |
|---|---|---|
| $cipher | string | The cipher to use for encryption and decryption. |

```php
public function __construct(
    private readonly string $cipher = 'AES-128-CBC'
) {
    if (!extension_loaded('openssl')) {
        throw new \RuntimeException('Encryption requires the OpenSSL PHP extension.');
    }
    if (!array_key_exists($cipher, self::ALLOWED_CIPHERS)) {
        throw new \RuntimeException($cipher . ' is not an allowed cipher.');
    }
}
```
Verifies and decrypts data encrypted with encryptByKey().
See also encryptByKey().
| public decryptByKey( string $data, string $inputKey, string $info = '' ): string | | |
|---|---|---|
| $data | string | The encrypted data to decrypt. |
| $inputKey | string | The input to use for encryption and authentication. |
| $info | string | Context/application specific information, e.g. a user ID. See RFC 5869 Section 3.2 for more details. |
| return | string | The decrypted data. |
| throws | RuntimeException | On OpenSSL not loaded. |
| throws | Exception | On OpenSSL errors. |
| throws | Yiisoft\Security\AuthenticationException | On authentication failure. |

```php
public function decryptByKey(
    string $data,
    #[SensitiveParameter]
    string $inputKey,
    string $info = ''
): string {
    return $this->decrypt($data, false, $inputKey, $info);
}
```
Verifies and decrypts data encrypted with encryptByPassword().
See also encryptByPassword().
| public decryptByPassword( string $data, string $password ): string | | |
|---|---|---|
| $data | string | The encrypted data to decrypt. |
| $password | string | The password to use for decryption. |
| return | string | The decrypted data. |
| throws | RuntimeException | On OpenSSL not loaded. |
| throws | Exception | On OpenSSL errors. |
| throws | Yiisoft\Security\AuthenticationException | On authentication failure. |

```php
public function decryptByPassword(
    string $data,
    #[SensitiveParameter]
    string $password
): string {
    return $this->decrypt($data, true, $password, '');
}
```
Encrypts data using a cryptographic key.
Derives keys for encryption and authentication from the input key using HKDF and a random salt, which is very fast relative to encryptByPassword(). The input key must be properly random — use random_bytes() to generate keys. The encrypted data includes a keyed message authentication code (MAC) so there is no need to hash input or output data.
See also:
| public encryptByKey( string $data, string $inputKey, string $info = '' ): string | | |
|---|---|---|
| $data | string | The data to encrypt. |
| $inputKey | string | The input to use for encryption and authentication. |
| $info | string | Context/application specific information, e.g. a user ID. See RFC 5869 Section 3.2 for more details. |
| return | string | The encrypted data as byte string. |
| throws | RuntimeException | On OpenSSL not loaded. |
| throws | Exception | On OpenSSL error. |

```php
public function encryptByKey(
    string $data,
    #[SensitiveParameter]
    string $inputKey,
    string $info = ''
): string {
    return $this->encrypt($data, false, $inputKey, $info);
}
```
Encrypts data using a password.
Derives keys for encryption and authentication from the password using PBKDF2 and a random salt, which is deliberately slow to protect against dictionary attacks. Use encryptByKey() to encrypt fast using a cryptographic key rather than a password. Key derivation time is determined by $derivationIterations, which should be set as high as possible.
The encrypted data includes a keyed message authentication code (MAC) so there is no need to hash input or output data.
Note: Avoid encrypting with passwords wherever possible. Nothing can protect against poor-quality or compromised passwords.
See also:
| public encryptByPassword( string $data, string $password ): string | | |
|---|---|---|
| $data | string | The data to encrypt. |
| $password | string | The password to use for encryption. |
| return | string | The encrypted data as byte string. |
| throws | RuntimeException | On OpenSSL not loaded. |
| throws | Exception | On OpenSSL error. |

```php
public function encryptByPassword(
    string $data,
    #[SensitiveParameter]
    string $password
): string {
    return $this->encrypt($data, true, $password, '');
}
```
| public withAuthorizationKeyInfo( string $info ): self | | |
|---|---|---|
| $info | string | HKDF info value for derivation of message authentication key. |

```php
public function withAuthorizationKeyInfo(string $info): self
{
    $new = clone $this;
    $new->authorizationKeyInfo = $info;
    return $new;
}
```
| public withDerivationIterations( integer $iterations ): self | | |
|---|---|---|
| $iterations | integer | Derivation iterations count. Set as high as possible to hinder dictionary password attacks. |

```php
public function withDerivationIterations(int $iterations): self
{
    $new = clone $this;
    $new->derivationIterations = $iterations;
    return $new;
}
```
| public withKdfAlgorithm( string $algorithm ): self | | |
|---|---|---|
| $algorithm | string | Hash algorithm for key derivation. Recommend sha256, sha384 or sha512. |

```php
public function withKdfAlgorithm(string $algorithm): self
{
    $new = clone $this;
    $new->kdfAlgorithm = $algorithm;
    return $new;
}
```
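
Added usage example (not part of the yiisoft/security documentation): key-based encryption bound to a context through `$info`, the authentication failures documented for decryptByKey() and decryptByPassword(), and password-based encryption with an explicit iteration count. It assumes the package is installed through Composer; the autoload path, user IDs, plaintexts, passwords and the iteration count are constructed values.

```php
<?php

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader location

use Yiisoft\Security\AuthenticationException;
use Yiisoft\Security\Crypt;

$crypt = new Crypt('AES-256-CBC');

// Key-based mode: the input key must be random bytes, not a password.
$key = random_bytes(32);

// Bind the ciphertext to one user through the HKDF info parameter.
$ciphertext = $crypt->encryptByKey('api-token-for-alice', $key, 'user:1001');
var_dump($crypt->decryptByKey($ciphertext, $key, 'user:1001'));

// Returns true when decryption is rejected with the documented AuthenticationException.
$rejected = static function (callable $decrypt): bool {
    try {
        $decrypt();
        return false;
    } catch (AuthenticationException) {
        return true;
    }
};

// Same key, different context: the derived keys differ, so the MAC check fails.
var_dump($rejected(fn () => $crypt->decryptByKey($ciphertext, $key, 'user:1002')));

// A single flipped bit in the message is rejected instead of yielding altered plaintext.
$tampered = $ciphertext;
$tampered[-1] = chr(ord($tampered[-1]) ^ 0x01);
var_dump($rejected(fn () => $crypt->decryptByKey($tampered, $key, 'user:1001')));

// Password mode: the PBKDF2 cost is set on a cloned instance; decrypt with the same settings.
$pwCrypt = $crypt->withDerivationIterations(600_000); // constructed example value
$blob = $pwCrypt->encryptByPassword('backup contents', 'correct horse battery staple');
var_dump($pwCrypt->decryptByPassword($blob, 'correct horse battery staple'));
var_dump($rejected(fn () => $pwCrypt->decryptByPassword($blob, 'wrong password')));

// The result is a raw byte string; encode it before storing it in a text field.
echo base64_encode($ciphertext), PHP_EOL;
```

Catching AuthenticationException separately from other exceptions lets callers treat a failed integrity check as a security event rather than a generic OpenSSL error.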