PHPackages fr3on/php-vault - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. fr3on/php-vault ActiveLibrary[Security](/categories/security) fr3on/php-vault =============== PHP 8.4+ envelope encryption library for structured data protection 0.0.1(1mo ago)0223↓100%MITPHPPHP >=8.4CI passing Since Apr 13Pushed 1mo agoCompare [ Source](https://github.com/fr3on/php-vault)[ Packagist](https://packagist.org/packages/fr3on/php-vault)[ RSS](/packages/fr3on-php-vault/feed)WikiDiscussions master Synced 1w ago READMEChangelogDependencies (3)Versions (2)Used By (0) php-vault ========= [](#php-vault) [![CI](https://github.com/fr3on/php-vault/actions/workflows/ci.yml/badge.svg)](https://github.com/fr3on/php-vault/actions/workflows/ci.yml)[![License](https://camo.githubusercontent.com/40bf287e9fe488bc95c7473cd9933fc84160a502e3c23c3832b4e6bfd276df26/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f6c6963656e73652f6672336f6e2f7068702d7661756c74)](https://github.com/fr3on/php-vault/blob/main/LICENSE) A modern, high-security PHP 8.4+ envelope encryption library using Libsodium. `php-vault` implements the **envelope encryption** pattern: every record is encrypted with a unique Data Encryption Key (DEK), which is then protected by a Master Key (KEK). This ensures that even if one record is compromised, the rest remain secure, and master keys can be rotated without re-encrypting entire datasets. Features -------- [](#features) - **Envelope Encryption**: Unique DEK per record. - **Libsodium Powered**: Uses `xchacha20poly1305_ietf` for data and `secretbox` for keys. - **Memory Safe**: Automatically wipes keys from memory (`sodium_memzero`) when objects are destroyed. - **Leak Proof**: Redacts sensitive information in debug dumps (`var_dump`, `print_r`). - **Field-Level Protection**: Easily encrypt specific fields in associative arrays. - **Key Rotation**: Re-encrypt DEKs with a new Master Key without touching the plaintext data. - **Zero Dependencies**: Pure PHP 8.4+ logic using native extensions. Installation ------------ [](#installation) ``` composer require fr3on/php-vault ``` Usage ----- [](#usage) ### Basic Seal/Open [](#basic-sealopen) ``` use Fr3on\Vault\Vault; use Fr3on\Vault\Kek\LocalKek; $kek = new LocalKek($masterKeyBytes); // 32 bytes $vault = new Vault($kek); $sealed = $vault->seal("Sensitive Transaction Data"); // "v1:AAE... (Base64URL encoded envelope)" $plaintext = $vault->open($sealed); ``` ### Field-Level Encryption [](#field-level-encryption) ``` use Fr3on\Vault\FieldVault; $fieldVault = new FieldVault($vault); $record = [ 'user_id' => 123, 'email' => 'user@example.com', // sensitive 'ssn' => '000-00-0000', // sensitive ]; $sealed = $fieldVault->sealFields(['email', 'ssn'], $record); // Only 'email' and 'ssn' are encrypted; 'user_id' remains plaintext. ``` ### Key Rotation [](#key-rotation) ``` use Fr3on\Vault\KeyRotator; $rotator = new KeyRotator(); $newKek = new LocalKek($newMasterKey); // Rotate the master key without decrypting the payload $newSealed = $rotator->rotate($oldSealed, $oldKek, $newKek); ``` Security Standards ------------------ [](#security-standards) - **PHP 8.4+** required for modern security features. - **Level 9 PHPStan** for total type safety. - **IND-CCA2 Secure**: Uses AEAD for all data payloads. - **Tamper Evident**: Throws exceptions if any bit of the envelope is modified. License ------- [](#license) MIT License. See [LICENSE](LICENSE) for details. ### Health Score 40 — FairBetter than 86% of packages Maintenance89 Actively maintained with recent releases Popularity14 Limited adoption so far Community6 Small or concentrated contributor base Maturity41 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Unknown Total 1 Last Release 57d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/33b7039ac3f70749d289e663583850e7af60936c540891d8fec624d5fc121504?d=identicon)[fr3onv](/maintainers/fr3onv) --- Top Contributors [![fr3on](https://avatars.githubusercontent.com/u/26393383?v=4)](https://github.com/fr3on "fr3on (2 commits)") --- Tags encryptionenvelope-encryptionphpsecuritysodiumvaultsecurityencryptionvaultsodiumphp84envelope-encryption ### Code Quality TestsPHPUnit Static AnalysisPHPStan Type Coverage Yes ### Embed Badge ![Health badge](/badges/fr3on-php-vault/health.svg) ``` [![Health](https://phpackages.com/badges/fr3on-php-vault/health.svg)](https://phpackages.com/packages/fr3on-php-vault) ``` ### Alternatives [phpseclib/phpseclib PHP Secure Communications Library - Pure-PHP implementations of RSA, AES, SSH2, SFTP, X.509 etc. 5.6k455.2M1.4k](/packages/phpseclib-phpseclib)[defuse/php-encryption Secure PHP Encryption Library 3.9k170.7M239](/packages/defuse-php-encryption)[ass/xmlsecurity The XmlSecurity library is written in PHP for working with XML Encryption and Signatures 955.6M33](/packages/ass-xmlsecurity)[nzo/url-encryptor-bundle The NzoUrlEncryptorBundle is a Symfony Bundle used to Encrypt and Decrypt data and variables in the Web application or passed through URL 971.1M2](/packages/nzo-url-encryptor-bundle)[tilleuls/url-signer-bundle Create and validate signed URLs with a limited lifetime in Symfony 81357.6k](/packages/tilleuls-url-signer-bundle)[ercsctt/laravel-file-encryption Secure file encryption and decryption for Laravel applications 776.1k1](/packages/ercsctt-laravel-file-encryption) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)