andybeak/envelope\_encryption
=============================

This package makes it more convenient to perform envelope encryption.

Version v1.0.0 (6y ago), MIT license, requires PHP ^7.2.18

[Source](https://github.com/andybeak/envelope-encryption) | [Packagist](https://packagist.org/packages/andybeak/envelope_encryption)

Envelope encryption helper
--------------------------

This pattern of encryption involves using a secure key store to hold a master key. Each time that you encrypt a piece of data you generate a new random key to use. This key is encrypted with the master key and stored alongside your data.

Using this pattern means that you do not ever need to deploy your master key to a server. The master key remains in the secure key storage.

Note that this is an anti-pattern for high-velocity data encryption. Each time that you encrypt something you make an HTTPS call to your key provider, which adds network I/O to your response time.

An alternative pattern is to use the same single data key for all of your records. You can decrypt this key and store it in your configuration object to avoid having to make repeated calls to KMS.

Usage
-----

### Create an object using KMS as a backing service

Create an instance of the object using the factory. It accepts an enum of the type of provider and the settings to use in constructing the provider.

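```
use \AndyBeak\EnvelopeEncryption\EnvelopeEncryptionFactory;
use \AndyBeak\EnvelopeEncryption\Enum\KeyStoresEnum;

$settings = [
    // Sample ARN of the master key held in KMS (mandatory); use your own key's ARN
    'keyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
    // AWS region (optional); it should match the region in your key's ARN
    'region' => 'eu-west-2',
    // Type of data key to generate (optional)
    'keySpec' => 'AES_256'
];
// The factory takes the key store type as an enum plus the provider settings
$envelopeEncryption = EnvelopeEncryptionFactory::create(new KeyStoresEnum(KeyStoresEnum::AWS), $settings);
```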

Only the `keyId` is mandatory and the other values will default to the ones shown if omitted.

### Encrypting and decrypting

Once you have an `EnvelopeEncryption` object you can call the `encrypt` method as follows:

```
$envelopeEncrypted = $envelopeEncryption->encrypt('Hello World');

```

This returns an associative array in this format:

```
return [
    'ciphertext' => 'The encrypted string',
    'nonce' => 'A nonce that you must supply when decrypting',
    'encryptedDataKey' => 'The encrypted copy of the key that was used to encrypt the data'
];
```

You need to store all three pieces of data!

To decrypt you call `decrypt` and supply the information that was returned from `encrypt`:

```
$plaintext = $envelopeEncryption->decrypt(
    $envelopeEncrypted['ciphertext'],
    $envelopeEncrypted['nonce'],
    $envelopeEncrypted['encryptedDataKey']
);
var_dump($plaintext);
// string(11) "Hello World"

```
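
The pattern behind `encrypt` and `decrypt`, as an added sketch that is not the package's own code: a fresh data key per record, wrapped by the master key, with the same three fields returned. A local variable stands in for the KMS master key so it runs offline; the function names, the use of libsodium's secretbox and the base64 encoding are assumptions of this example.

```php
<?php
// Hypothetical stand-in for the key store. With KMS the master key never
// leaves the service; a local variable is used here so the sketch runs offline.
$masterKey = sodium_crypto_secretbox_keygen();

function wrapKey(string $dataKey, string $masterKey): string {
    $n = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $n . sodium_crypto_secretbox($dataKey, $n, $masterKey);
}

function unwrapKey(string $wrapped, string $masterKey): string {
    $n = substr($wrapped, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key = sodium_crypto_secretbox_open(substr($wrapped, strlen($n)), $n, $masterKey);
    if ($key === false) throw new RuntimeException('encryptedDataKey failed authentication');
    return $key;
}

function envelopeEncrypt(string $plaintext, string $masterKey): array {
    $dataKey = sodium_crypto_secretbox_keygen();   // fresh random key per record
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $envelope = [
        'ciphertext' => base64_encode(sodium_crypto_secretbox($plaintext, $nonce, $dataKey)),
        'nonce' => base64_encode($nonce),
        'encryptedDataKey' => base64_encode(wrapKey($dataKey, $masterKey)),
    ];
    sodium_memzero($dataKey);                      // the plaintext data key is not kept
    return $envelope;
}

function envelopeDecrypt(array $e, string $masterKey): string {
    $dataKey = unwrapKey(base64_decode($e['encryptedDataKey']), $masterKey);
    $plaintext = sodium_crypto_secretbox_open(
        base64_decode($e['ciphertext']), base64_decode($e['nonce']), $dataKey);
    sodium_memzero($dataKey);
    if ($plaintext === false) throw new RuntimeException('ciphertext failed authentication');
    return $plaintext;
}

$envelope = envelopeEncrypt('Hello World', $masterKey);
var_dump(envelopeDecrypt($envelope, $masterKey));

// Constructed tampering case: one flipped bit in the stored data key is rejected.
$bad = $envelope;
$raw = base64_decode($bad['encryptedDataKey']);
$raw[-1] = chr(ord($raw[-1]) ^ 1);
$bad['encryptedDataKey'] = base64_encode($raw);
try { envelopeDecrypt($bad, $masterKey); }
catch (RuntimeException $ex) { echo $ex->getMessage(), PHP_EOL; }
```

With a real key store, `wrapKey` and `unwrapKey` are the only steps that leave the server, which is the network call that the note on high-velocity encryption refers to.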

### Full example

```
