Using external secret keys
chriskapp opened this issue · 3 comments
Hi, we would like to use this package to encrypt data at our database but we face a problem. So currently our software is installed via docker and every image contains a PROJECT_KEY env variable which should be used as secret key to encrypt the data at the database. A problem which we face is that this library only works with secret keys which are also generated by the library i.e. via generate-defuse-key. If a user wants to install our software via docker the user has not the option to access this CLI tool, so the user has no option to generate a fitting secret key. So basically my question would be whether it is possible to use also an external secret key which was not produced by the library or is there any other workaround for such an use case which I currently not see?
Same here. How can I just do a super simple string encryption, like this? Maybe this library is overkill and I need to use something else.
$string = 'Stuff';
$my_key = 'some_key_here';
$encrypted_string = Crypto::encrypt($string, $key);This is done to prevent the user accidentally passing weak or badly-formatted insecure keys. I strongly recommend using this library itself to generate the key, encoding it to a string using $key->saveToAsciiSafeString() then loading it back into a Key object using Key::loadFromAsciiSafeString($encoded_key).
If you must encrypt something with an arbitrary string, then use the password-based encryption (which requires creating a KeyProtectedByPassword, to store a key that's encrypted by the password, and then the KeyProtectedByPassword can be unlocked to obtain a Key, given the correct password). An example can be found in Scenario 2 of the tutorial (except instead of the user's password, it's the string "key" that you have).
I'm not exactly using this for something mission-critical, so I opted to create this tiny class instead. I would use the php-encrypted library for more important apps.
class Encryption
{
public function createKey() {
$ln = 64;
$strong = true;
$bytes = openssl_random_pseudo_bytes($ln, $strong);
$key = bin2hex($bytes);
return $key;
}
public function encryptString($data, $key) {
$method = 'AES-256-CTR';
$ivlen = openssl_cipher_iv_length($cipher='AES-256-CTR');
$iv = openssl_random_pseudo_bytes($ivlen);
$encrypted = openssl_encrypt($data, 'AES-256-CTR', $key, $options=OPENSSL_RAW_DATA, $iv);
$hmac = hash_hmac('sha256', $encrypted, $key, $as_binary=true);
$ciphertext = base64_encode($iv.$hmac.$encrypted);
return $ciphertext;
}
public function decryptString($data, $key) {
$c = base64_decode($data);
$ivlen = openssl_cipher_iv_length($cipher='AES-256-CTR');
$iv = substr($c, 0, $ivlen);
$hmac = substr($c, $ivlen, $sha2len=32);
$ciphertext_raw = substr($c, $ivlen+$sha2len);
$original_plaintext = openssl_decrypt($ciphertext_raw, 'AES-256-CTR', $key, $options=OPENSSL_RAW_DATA, $iv);
$calcmac = hash_hmac('sha256', $ciphertext_raw, $key, $as_binary=true);
if (hash_equals($hmac, $calcmac)) {
return $original_plaintext;
}
}
public function randomPassword($ln=30) {
if ( $ln < 30 ) {
$ln = 30;
}
$symbols = '!@#$%^&*_-,.';
$symbol_len = strlen($symbols);
$key_ln = $ln / 2;
$strong = true;
$bytes = openssl_random_pseudo_bytes($key_ln, $strong);
$key = bin2hex($bytes);
$key = str_shuffle($key);
$password = str_shuffle(substr($key, 0, $ln-$symbol_len).$symbols);
return $password;
}
}