This extension is used for two-way encryption. The cypher method used is AES256.
The main difference from original package is usage of unique initialization vector for each operation. The main purpose is to provide additional level of security by randomization of resulting hash. Also, as it seems from threads on stackoverflow, publicly stored IV is a very bad practice. However, it is needed to decrypt value. Implemented idea is described below.
Step-by-step encryption:
- Passphrase (32 bytes length) is being stored as ENV constant;
- Unique IV is randomly generated for each encryption operation by openssl_random_pseudo_bytes() and is presented as 16 bytes length string;
- Input is encrypted with openssl_encrypt(). Result is encrypted byte-string;
- IV (16 bytes) is prepended in front of byte-string from previous step;
- Concatenated string is encoded with base64_encode() to avoid encoding problems when transferring over a network or storing in a database.
- Result is a securely encrypted and encoded string.
Step-by-step decryption:
- Fully encrypted string is decoded with base64_decode();
- First 16 bytes is retrieved for further decryption process. This is IV;
- Remaining part of string is decrypted with openssl_decrypt() using IV from previous step and passphrase from ENV;
- Result is the initial string.
The preferred way to install this extension is through composer.
Either run
composer require bereznii/yii2-encrypter
or add
"bereznii/yii2-encrypter": "*"
to the require section of your composer.json
file.
To use Encrypter component it needs to be registered in Components list of Yii2 Application.
'components' => [
'encrypter' => [
'class' => \bereznii\encrypter\components\Encrypter::class,
'key' => getenv('ENCRYPTION_KEY'),
],
...
]
Encrypter can be used both from web and console.
To encrypt value manually in any part of the application encrypter can be used as follows:
Yii::$app->encrypter->encrypt('Hello World!');
or to decrypt:
Yii::$app->encrypter->decrypt('Hello World!');
The extension also comes with a behavior class that can be easily attached to any ActiveRecord Model.
Use the following syntax to attach the behavior.
public function behaviors()
{
return [
'encryption' => [
'class' => \bereznii\encrypter\behaviors\EncryptionBehavior::class,
'attributes' => [
'attributeName1',
'attributeName2',
],
],
];
}
The behavior will automatically encrypt all the data before saving it on the database and decrypt it after the retrieve.
Keep in mind that the behavior will use the current configuration of the extension for the encryption.
Original package was built with TDD. However, current package is not covered with unit-tests due to lack of time caused by russian invasion to Ukraine. Hopefully, one day unit tests will be added and package will become more customizable. But until then, it is published for educational purposes only.
It is extremely hard (or practically impossible) to decrypt the data without the password, copy of it should be store in secure place to avoid losing all encrypted data.
Two-way encryption should not be used to store passwords: you should use a one-way encryption function like sha1 and a SALT