PHPackages chrisvpearse/phpcrypter - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. chrisvpearse/phpcrypter ActiveLibrary[Security](/categories/security) chrisvpearse/phpcrypter ======================= A PHP source code encrypter. v0.1.1(2y ago)711113[1 issues](https://github.com/chrisvpearse/phpcrypter/issues)MITPHPPHP ^8.2 Since Dec 20Pushed 2y ago3 watchersCompare [ Source](https://github.com/chrisvpearse/phpcrypter)[ Packagist](https://packagist.org/packages/chrisvpearse/phpcrypter)[ Docs](https://github.com/chrisvpearse/phpcrypter)[ RSS](/packages/chrisvpearse-phpcrypter/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (2)Dependencies (1)Versions (3)Used By (0) A PHP Source Code Encrypter =========================== [](#a-php-source-code-encrypter) The goal of this open source package is **security *through* obscurity**. It aims to offer an alternative to delivering your closed source projects in **plaintext**. Instead, you can opt to deliver them in **ciphertext** (encrypted), alongside a binary PHP extension which will decrypt them on the fly. This package uses symmetric encryption, therefore the AES-256 key (which is only known to you as the developer), can be unique per project and/or release. To avoid being detected by hex editors (e.g. [Hex Fiend](https://hexfiend.com/)) and the [strings](https://www.unix.com/man-page/osx/1/strings) command, the key is stored within the binary as an XOR cipher, split into 32 parts. Additionally, the XOR key is also split into 32 parts. All 64 key parts are then shuffled together along with 64 *random* key parts (128 parts in total) to ensure that the AES-256 and XOR key parts never appear in the same place twice. #### Why encryption, not obfuscation? [](#why-encryption-not-obfuscation) If you search for an obfuscation package, there is almost always a complimentary deobfuscation package available (written by someone else), which renders the original package obsolete (unfortunately). On the other hand, AES-256 encryption hasn't been broken (yet)! That being said, I would certainly consider obfuscation as a compliment to encryption. If your source code is obfuscated first (before encryption) and someone tries to reverse engineer your project by looking at the opcodes and stepping through it, it would be much more difficult to understand. Typically, obfuscation focuses on altering the execution flow of your source code, combined with the scrambling of the names of your classes, methods, functions, variables and string literals. Because obfuscation essentially rewrites your code, it inevitably comes with a few "gotchas" along the way. Encryption, on the other hand, keeps your code intact (exactly as you wrote it). Requirements ------------ [](#requirements) ### macOS/Linux [](#macoslinux) 1. PHP ^8.2 2. `phpize` ### Windows [](#windows) This package was built with support for Windows in mind, however, it has not been tested yet. Installation ------------ [](#installation) The below assumes that you're currently in your application's root directory. ``` $ composer require chrisvpearse/phpcrypter --dev ``` Usage ----- [](#usage) ### Generate a Key [](#generate-a-key) ``` $ ./vendor/bin/phpcrypter generate [--clean] [--] [] ``` The below command will generate a unique AES-256-CBC symmetric key named `foo`: ``` $ ./vendor/bin/phpcrypter generate foo ``` Additionally, a `.phpcrypter/foo` directory will be created in your application's root, containing a PHP extension skeleton. The symmetric key is the ❤️ of the skeleton 🦴 — they will both be used to later build a binary PHP extension of the same name (`foo.so`). A good rule of thumb is one key (and therefore one PHP extension) per project. The output of the above command will be similar to the following: ``` Success! Payload: pAYL0AD== ``` ❗ Please remember to add `/.phpcrypter` to your `.gitignore` file. ‼️ Additionally, it is important to save the payload in a password manager, such as [1Password](https://1password.com) or [pass](https://www.passwordstore.org). ### Build the PHP Extension [](#build-the-php-extension) #### macOS/Linux [](#macoslinux-1) ``` $ cd .phpcrypter/foo $ phpize $ ./configure $ make $ make install ``` The above commands will build a PHP extension named `foo.so` and copy it into your PHP extension directory. The directory can be found via the following command: ``` $ php -i | grep ^extension_dir ``` You should then add the following line to your `php.ini` configuration file: ``` extension=foo.so ``` The location of the loaded `php.ini` configuration file can be found via the following command: ``` $ php -i | grep "Loaded Configuration File" ``` Next, verify that the extension is *loaded*: ``` $ php -m | grep foo foo ``` ### Encrypt Directories and/or Files [](#encrypt-directories-andor-files) ``` $ ./vendor/bin/phpcrypter encrypt ... ``` The below encrypts multiple directories and files at once. You must specify the previously obtained `payload` as the first argument. ``` $ ./vendor/bin/phpcrypter encrypt "pAYL0AD==" \ "dir-1" \ "dir-2" \ "file-1.php" \ "file-2.php" ``` ❗ The contents of any PHP files found in the above paths will be overwritten. It is highly recommended that you create a new Git branch for these files: ``` $ git checkout -b encrypted ``` #### Decrypt [](#decrypt) If you're just experimenting, it's useful to be able to encrypt and decrypt at will. The below decrypts any directories and/or files previously encrypted with the `payload` argument: ``` $ ./vendor/bin/phpcrypter decrypt ... ``` ❗ Again, the contents of any PHP files found in the above paths will be overwritten. #### What does an encrypted file look like? [](#what-does-an-encrypted-file-look-like) ```