horde/secret
============

Secret key encryption library with authenticated encryption

Latest version: v3.0.0alpha7 (2mo ago). License: LGPL-2.1-only. Requires PHP ^8.1.

[Source](https://github.com/horde/Secret) | [Packagist](https://packagist.org/packages/horde/secret) | [Docs](https://www.horde.org/libraries/Horde_Secret)

Horde\_Secret
=============

Modern secret encryption library with authenticated encryption support.

[![Build Status](https://github.com/horde/Secret/workflows/CI/badge.svg)](https://github.com/horde/Secret/actions)

Overview
--------

Horde\_Secret provides a dual-stack API for encrypting and decrypting small pieces of data:

- **PSR-4 Modern API** (`Horde\Secret\SecretManager`) - Authenticated encryption with Libsodium/AES-GCM
- **PSR-0 Legacy API** (`Horde_Secret`) - Backward-compatible Blowfish encryption

Installation
------------

```
composer require horde/secret
```

Quick Start
-----------

### Modern API (Recommended for new projects)

```
use Horde\Secret\SecretManager;

// Automatic cipher selection (prefers Sodium)
$secret = SecretManager::create($key);

// Encrypt
$encrypted = $secret->encrypt('sensitive data');

// Decrypt
$decrypted = $secret->decrypt($encrypted);
```

### Legacy API (Backward compatible)

```
$secret = new Horde_Secret();

// Encrypt
$encrypted = $secret->write($key, 'sensitive data');

// Decrypt
$decrypted = $secret->read($key, $encrypted);
```

Features
--------

### Modern API (PSR-4)

✅ **Authenticated Encryption (AEAD)**

- Prevents tampering and forgery attacks
- Automatic integrity verification

✅ **Multiple Cipher Support**

- **Libsodium XSalsa20-Poly1305** (primary, version 0x02)
- **AES-256-GCM** (fallback, version 0x03)
- **Blowfish ECB** (legacy compatibility, version 0x01)

✅ **Type Safety**

- PHP 8.1+ strict types
- Immutable value objects
- Full type declarations

✅ **Automatic Legacy Detection**

- Decrypts old PSR-0 data seamlessly
- Migration helpers included

### Legacy API (PSR-0)

- 100% backward compatible with Horde\_Secret 2.x
- No breaking changes
- Drop-in upgrade
- Cookie/session key management

Usage Examples
--------------

### Cipher Selection

```
use Horde\Secret\SecretManager;

// Automatic selection (recommended)
$secret = SecretManager::create($key);

// Explicit cipher selection
$sodium = SecretManager::withSodium($key);    // XSalsa20-Poly1305
$aes = SecretManager::withAesGcm($key);       // AES-256-GCM
$blowfish = SecretManager::withBlowfish($key); // Legacy only

// Check current cipher
echo $secret->getCipherName();     // "XSalsa20-Poly1305"
echo $secret->getCipherVersion();  // 0x02
```

### Working with Encrypted Data

```
use Horde\Secret\SecretManager;

$secret = SecretManager::create($key);

// Encrypt returns an EncryptedData object
$encrypted = $secret->encrypt('my secret');

// Get Base64-encoded string for storage
$storedValue = $encrypted->toBase64();

// Decrypt from string or object
$decrypted = $secret->decrypt($storedValue);
```

### Migration from Legacy Format

```
use Horde\Secret\SecretManager;

$secret = SecretManager::create($key);

// Decrypt legacy PSR-0 data (automatic detection)
$decrypted = $secret->decrypt($oldCiphertext);

// Check if needs re-encryption
if ($secret->needsReEncryption($oldCiphertext)) {
    // Upgrade to modern format
    $newCiphertext = $secret->encrypt($decrypted);

    // Update database
    $db->update('table', [
        'encrypted_field' => $newCiphertext->toString()
    ], ['id' => $recordId]);
}
```

### Lazy Migration Pattern

```
use Horde\Secret\SecretManager;

function getData($key, $ciphertext, $db, $recordId) {
    $secret = SecretManager::create($key);

    // Decrypt (works with any format)
    $data = $secret->decrypt($ciphertext);

    // Opportunistically upgrade
    if ($secret->needsReEncryption($ciphertext)) {
        $newCiphertext = $secret->encrypt($data);
        $db->update('table', ['field' => $newCiphertext->toString()], ['id' => $recordId]);
    }

    return $data;
}
```

### Error Handling

```
use Horde\Secret\SecretManager;
use Horde\Secret\Exception\DecryptionException;
use Horde\Secret\Exception\InvalidKeyException;
use Horde\Secret\Exception\UnsupportedCipherException;

try {
    $secret = SecretManager::create($key);
    $decrypted = $secret->decrypt($ciphertext);
} catch (DecryptionException $e) {
    // Wrong key or corrupted/tampered data
    error_log("Decryption failed: " . $e->getMessage());
} catch (InvalidKeyException $e) {
    // Invalid key provided
    error_log("Invalid key: " . $e->getMessage());
} catch (UnsupportedCipherException $e) {
    // Required cipher not available
    error_log("Cipher not supported: " . $e->getMessage());
}
```

### Checking Cipher Availability

```
use Horde\Secret\Cipher\SodiumCipher;
use Horde\Secret\Cipher\AesGcmCipher;
use Horde\Secret\Cipher\BlowfishCipher;

if (SodiumCipher::isSupported()) {
    echo "Sodium available (recommended)\n";
}

if (AesGcmCipher::isSupported()) {
    echo "AES-GCM available\n";
}

if (BlowfishCipher::isSupported()) {
    echo "Blowfish available (legacy)\n";
}
```

System Requirements
-------------------

### Modern API (PSR-4)

- PHP ^8.1
- One of:
    - `ext-sodium` (recommended, bundled with PHP 7.2+)
    - `ext-openssl` with AES-GCM support

### Legacy API (PSR-0)

- PHP ^8.1
- `horde/crypt_blowfish` ^2

Migration Guide
---------------

See [UPGRADING.md](UPGRADING.md) for detailed migration instructions.

### Quick Migration Summary

1. **No immediate action required** - PSR-0 API remains fully functional
2. **For new code** - Use PSR-4 `SecretManager::create()`
3. **When ready** - Migrate existing data using lazy or batch migration patterns
4. **PSR-4 can decrypt PSR-0 data** - Seamless compatibility

Security Considerations
-----------------------

### PSR-0 (Blowfish ECB)

- ❌ No authentication (vulnerable to tampering)
- ❌ ECB mode (pattern leakage)
- ❌ 56-byte key limit
- ⚠️ Use only for backward compatibility

### PSR-4 (Sodium/AES-GCM)

- ✅ Authenticated encryption (AEAD)
- ✅ Modern stream ciphers
- ✅ 256-bit keys
- ✅ Unique nonces per message
- ✅ Constant-time operations (Sodium)

**Recommendation:** Use PSR-4 for all new and sensitive data.
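
The contrast between the two lists above, shown with PHP's own extensions rather than through Horde_Secret (an added example, not the library's code). As an assumption, `aes-128-ecb` stands in for Blowfish ECB, because OpenSSL 3 moves Blowfish to its legacy provider and the ECB behaviour does not depend on the block cipher; the plaintext is constructed.

```php
<?php
declare(strict_types=1);

// Constructed plaintext: two identical 16-byte blocks.
$plaintext = str_repeat('ACCOUNT=0001;OK;', 2);

// --- Unauthenticated ECB (stand-in cipher: aes-128-ecb) ---
$ecbKey = random_bytes(16);
$flags  = OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING; // input is block-aligned
$ecb    = openssl_encrypt($plaintext, 'aes-128-ecb', $ecbKey, $flags);

// Pattern leakage: equal plaintext blocks give equal ciphertext blocks.
$blocks = str_split($ecb, 16);
echo 'ECB blocks identical: ', var_export($blocks[0] === $blocks[1], true), "\n";

// No integrity: modified ciphertext still decrypts without any error,
// and only the touched block changes.
$tampered    = $ecb;
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
$garbled     = openssl_decrypt($tampered, 'aes-128-ecb', $ecbKey, $flags);
echo 'ECB decrypt of modified data returned a string: ',
    var_export(is_string($garbled), true), "\n";
echo 'ECB second block unaffected: ',
    var_export(substr($garbled, 16) === substr($plaintext, 16), true), "\n";

// --- Authenticated XSalsa20-Poly1305 via ext-sodium ---
$key   = sodium_crypto_secretbox_keygen();
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per message
$box   = sodium_crypto_secretbox($plaintext, $nonce, $key);

$flipped    = $box;
$flipped[0] = chr(ord($flipped[0]) ^ 0x01);
echo 'secretbox opens original: ',
    var_export(sodium_crypto_secretbox_open($box, $nonce, $key) === $plaintext, true), "\n";
echo 'secretbox rejects modified data: ',
    var_export(sodium_crypto_secretbox_open($flipped, $nonce, $key) === false, true), "\n";
```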

Data Format
-----------

### PSR-4 Format

```
[Magic: 'H']['S'][Version: 1 byte][Payload: variable]
```

- **Magic header**: `HS` (0x48 0x53) for format identification
- **Version byte**:
    - `0x01` - Blowfish ECB (legacy)
    - `0x02` - Sodium XSalsa20-Poly1305
    - `0x03` - AES-256-GCM
- **Payload**: Cipher-specific encrypted data

### PSR-0 Format (Legacy)

```
[Payload: variable]
```

- No header, raw Blowfish ciphertext
- Detected by absence of magic header
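
A triage helper for the header layout described above, useful for counting how many stored values are still in an unauthenticated format before a migration. It is an added example, not code from Horde_Secret: `classifySecretBlob()` and `HS_CIPHERS` are hypothetical names, the sample blobs are constructed, and it assumes the stored value has already been decoded to the raw bytes shown in the format diagrams.

```php
<?php
declare(strict_types=1);

// Version bytes as listed under "PSR-4 Format" (HS_CIPHERS is a hypothetical name).
const HS_CIPHERS = [
    0x01 => 'Blowfish ECB (legacy)',
    0x02 => 'Sodium XSalsa20-Poly1305',
    0x03 => 'AES-256-GCM',
];

/**
 * Classify raw stored bytes by envelope header (hypothetical helper).
 * Returns [format, version byte or null, cipher label, authenticated?].
 */
function classifySecretBlob(string $raw): array
{
    // PSR-4 envelope: magic 'H' 'S', one version byte, then the payload.
    if (strlen($raw) >= 3 && substr($raw, 0, 2) === 'HS') {
        $version = ord($raw[2]);
        if (array_key_exists($version, HS_CIPHERS)) {
            // Only 0x02 and 0x03 are AEAD; 0x01 is Blowfish inside the new envelope.
            return ['psr4', $version, HS_CIPHERS[$version], $version !== 0x01];
        }
        // Magic present but version not in the table: flag it, do not guess.
        return ['unknown', $version, 'unrecognised version byte', false];
    }
    // No magic: headerless PSR-0 Blowfish by the rule above. Raw ciphertext can
    // start with "HS" by chance, so treat the result as a triage hint only.
    return ['psr0', null, 'Blowfish ECB (headerless)', false];
}

// Constructed sample blobs; the payload bytes are filler, not real ciphertext.
$samples = [
    'sodium'   => "HS\x02" . str_repeat("\xAA", 40),
    'aes-gcm'  => "HS\x03" . str_repeat("\xBB", 44),
    'bf-in-hs' => "HS\x01" . str_repeat("\xCC", 16),
    'legacy'   => str_repeat("\xDD", 16),
    'odd'      => "HS\x7F" . str_repeat("\xEE", 8),
];

foreach ($samples as $name => $blob) {
    [$format, $version, $cipher, $aead] = classifySecretBlob($blob);
    printf("%-9s %-8s %-27s authenticated: %s\n", $name, $format, $cipher, $aead ? 'yes' : 'no');
}
```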

Testing
-------

```
# Run all tests
vendor/bin/phpunit

# Run PSR-0 tests only
vendor/bin/phpunit test/Unit/SecretTest.php

# Run PSR-4 tests only
vendor/bin/phpunit --testsuite psr4

# Run integration tests
vendor/bin/phpunit test/Unit/Psr0Psr4IntegrationTest.php
```

Contributing
------------

Contributions are welcome! Please:

1. Follow PER-1 coding style
2. Add tests for new features
3. Use Conventional Commits format
4. Ensure all tests pass on PHP 8.1+

```
# Check coding style
vendor/bin/phpcs

# Run tests
vendor/bin/phpunit
```

Changelog
---------

See [doc/changelog.yml](doc/changelog.yml) for version history.

License
-------

LGPL-2.1-only - see [LICENSE](LICENSE) for details.

Links
-----

- **Homepage**: [https://www.horde.org/libraries/Horde\_Secret](https://www.horde.org/libraries/Horde_Secret)
- **Documentation**: [https://www.horde.org/libraries/Horde\_Secret](https://www.horde.org/libraries/Horde_Secret)
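- **GitHub**: [https://github.com/horde/Secret](https://github.com/horde/Secret)
- **Issues**:
- **Packagist**: [https://packagist.org/packages/horde/secret](https://packagist.org/packages/horde/secret)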

Support
-------

- **Mailing List**:
- **GitHub Issues**:

Credits
-------

- **Authors**: Chuck Hagenbuch, Michael Slusarz
- **Copyright**: 1999-2026 Horde LLC
- **License**: LGPL-2.1-only

###  Health Score

53 (Fair): better than 97% of packages

- **Maintenance**: 86. Actively maintained with recent releases
- **Popularity**: 28. Limited adoption so far
- **Community**: 27. Small or concentrated contributor base
- **Maturity**: 65. Established project with proven stability
- **Bus Factor**: 1. Top contributor holds 63.1% of commits (single point of failure)

How is this calculated?

**Maintenance (25%)**: Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)**: Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)**: Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)**: Project age, version count, PHP version support, and release stability.

###  Release Activity

- **Cadence**: every ~534 days (recently: every ~459 days)
- **Total**: 9
- **Last Release**: 73d ago
- **Major Versions**: 2.0.6 → 3.0.0alpha1 (2021-02-24)

PHP version history (5 changes):

- 2.0.3: PHP `>=5.3.0,<=6.0.0alpha1`
- 2.0.6: PHP `>=5.3.0,<=8.0.0alpha1`
- 3.0.0alpha1: PHP `^7`
- v3.0.0alpha4: PHP `^7.4 || ^8`
- v3.0.0alpha7: PHP `^8.1`

### Community

Maintainers: [yunosh](/maintainers/yunosh), [ralflang](/maintainers/ralflang), [horde](/maintainers/horde), [mrubinsk](/maintainers/mrubinsk)

Top Contributors: [yunosh](https://github.com/yunosh) (111 commits), [slusarz](https://github.com/slusarz) (36 commits), [ralflang](https://github.com/ralflang) (17 commits), [wrobel](https://github.com/wrobel) (6 commits), [mrubinsk](https://github.com/mrubinsk) (5 commits), [thomasjfox](https://github.com/thomasjfox) (1 commit)

