PHPackages                             maatify/crypto - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. maatify/crypto

ActiveLibrary[Security](/categories/security)

maatify/crypto
==============

High-level cryptographic primitives and security utilities for Maatify systems including password hashing, reversible encryption, HKDF key derivation, and key rotation.

v1.0.0(3mo ago)12.7k↓14%[1 PRs](https://github.com/Maatify/crypto/pulls)2MITPHPPHP ^8.2CI passing

Since Mar 11Pushed 3mo agoCompare

[ Source](https://github.com/Maatify/crypto)[ Packagist](https://packagist.org/packages/maatify/crypto)[ RSS](/packages/maatify-crypto/feed)WikiDiscussions main Synced 3w ago

READMEChangelog (1)Dependencies (5)Versions (3)Used By (2)

Maatify Crypto
==============

[](#maatify-crypto)

[![Latest Version](https://camo.githubusercontent.com/c6ed7797cff9452021ac59d126441a35c28b2db4363b92601644eef3e2a2ea76/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f6d6161746966792f63727970746f2e7376673f7374796c653d666f722d7468652d6261646765)](https://packagist.org/packages/maatify/crypto)[![PHP Version](https://camo.githubusercontent.com/7581013d7d3fea74537b265e1fc082ee7f51d4ffd0ec1ab7bff31772b5c94795/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f7068702d762f6d6161746966792f63727970746f2e7376673f7374796c653d666f722d7468652d6261646765)](https://packagist.org/packages/maatify/crypto)[![License](https://camo.githubusercontent.com/51b21b24faaf66e85257e50d05c84428d9f618731469a8be65138c8730569c3e/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f6c6963656e73652f4d6161746966792f63727970746f3f7374796c653d666f722d7468652d6261646765)](LICENSE)

[![PHPStan](https://camo.githubusercontent.com/f85016b73718ab38275b913dafed1c1ce7f287c3c2ec319445bc29011149f408/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048505374616e2d4c6576656c2532304d61782d344538434145)](https://camo.githubusercontent.com/f85016b73718ab38275b913dafed1c1ce7f287c3c2ec319445bc29011149f408/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048505374616e2d4c6576656c2532304d61782d344538434145)

[![Changelog](https://camo.githubusercontent.com/32f7664d004132f7e0fb111b5e01bd7270705d1e7247db502287d51910c04cb9/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4368616e67656c6f672d566965772d626c7565)](CHANGELOG.md)[![Security](https://camo.githubusercontent.com/a150750c8b2c6ca6209aa80bdf220d2f0950b984df64c1b859a46ee9152570f3/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f53656375726974792d506f6c6963792d696d706f7274616e74)](SECURITY.md)

[![Monthly Downloads](https://camo.githubusercontent.com/fea3912194b2ac2fb4eacc4d5c71aaf2fcbfa49585767d46668574b3bd8eae38/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f646d2f6d6161746966792f63727970746f3f6c6162656c3d4d6f6e74686c79253230446f776e6c6f61647326636f6c6f723d303041384538)](https://camo.githubusercontent.com/fea3912194b2ac2fb4eacc4d5c71aaf2fcbfa49585767d46668574b3bd8eae38/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f646d2f6d6161746966792f63727970746f3f6c6162656c3d4d6f6e74686c79253230446f776e6c6f61647326636f6c6f723d303041384538)[![Total Downloads](https://camo.githubusercontent.com/4335914db2cd2832a7965a8211aae42130f4149eb1038df5a9a3f6ff13ec9c2f/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f6d6161746966792f63727970746f3f6c6162656c3d546f74616c253230446f776e6c6f61647326636f6c6f723d324141394530)](https://camo.githubusercontent.com/4335914db2cd2832a7965a8211aae42130f4149eb1038df5a9a3f6ff13ec9c2f/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f6d6161746966792f63727970746f3f6c6162656c3d546f74616c253230446f776e6c6f61647326636f6c6f723d324141394530)

[![Security Audit](https://camo.githubusercontent.com/650c06cde26d22082c63c466d6f7397a3fc5b0aba20c97e9a929da0255c5f6c6/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f53656375726974792d417564697465642d677265656e3f7374796c653d666f722d7468652d6261646765)](SECURITY_AUDIT.md)

[![Security First](https://camo.githubusercontent.com/2e8741f775f76a336e5d263c6a8b51fff13bf408014429b5ce12f319baa4e4d4/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f53656375726974792d43727970746f6772617068792d6461726b7265643f7374796c653d666f722d7468652d6261646765)](https://camo.githubusercontent.com/2e8741f775f76a336e5d263c6a8b51fff13bf408014429b5ce12f319baa4e4d4/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f53656375726974792d43727970746f6772617068792d6461726b7265643f7374796c653d666f722d7468652d6261646765)[![Maatify Ecosystem](https://camo.githubusercontent.com/0bfd6db80f9a39f03dac1923cc79f27a507f2fdf59b3a853dc0af26be1343315/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4d6161746966792d45636f73797374656d2d626c756576696f6c65743f7374796c653d666f722d7468652d6261646765)](https://camo.githubusercontent.com/0bfd6db80f9a39f03dac1923cc79f27a507f2fdf59b3a853dc0af26be1343315/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4d6161746966792d45636f73797374656d2d626c756576696f6c65743f7374796c653d666f722d7468652d6261646765)

[![Install](https://camo.githubusercontent.com/2eac40f99482a9257c5ca42abf54d9973edf8095a034d04637efeb4a92f2d13a/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f496e7374616c6c2d636f6d706f736572253230726571756972652d626c75653f7374796c653d666f722d7468652d6261646765)](https://packagist.org/packages/maatify/crypto)

---

Installation
============

[](#installation)

```
composer require maatify/crypto
```

---

Quick Example
=============

[](#quick-example)

```
use Maatify\Crypto\DX\CryptoProvider;
use Maatify\Crypto\Reversible\DTO\ReversibleCryptoMetadataDTO;

$crypto = $container->get(CryptoProvider::class);

$service = $crypto->context("user:email:v1");

$encrypted = $service->encrypt("hello world");

$metadata = new ReversibleCryptoMetadataDTO(
    $encrypted['result']->iv,
    $encrypted['result']->tag
);

$plain = $service->decrypt(
    $encrypted['result']->cipher,
    $encrypted['key_id'],
    $encrypted['algorithm'],
    $metadata
);
```

---

Documentation
=============

[](#documentation)

For full documentation and detailed usage guides, see the official documentation book:

➡️ **[Documentation Book](docs/book/index.md)**

The documentation includes:

- Architecture overview
- Key rotation lifecycle
- Context-based encryption
- Password hashing pipeline
- Security design guarantees
- Integration examples

---

1. Overview
===========

[](#1-overview)

This library is a **Security-First cryptographic system** providing a set of strict, isolated, and frozen cryptographic primitives. It is designed to be extracted as a standalone library, independent of any specific application framework.

The system enforces a **strict separation of concerns** between key lifecycle management, key derivation, reversible encryption, and password hashing. It prioritizes **safety, deterministic behavior, and fail-closed security** over developer convenience.

All cryptographic primitives within this library are **frozen**, meaning their core logic, algorithms, and security boundaries are immutable. Any significant change to these primitives requires a formal architectural review.

---

Cryptographic Design
====================

[](#cryptographic-design)

The library follows modern cryptographic best practices:

- AES-256-GCM authenticated encryption
- HKDF domain separation (RFC 5869)
- Argon2id password hashing
- Secure randomness via `random_bytes()`
- Strict key rotation lifecycle (Active / Inactive / Retired)
- Fail-closed cryptographic operations

---

2. Library Breakdown
====================

[](#2-library-breakdown)

The cryptographic system is composed of five distinct, decoupled components:

---

1. Password Component (`Password/`)
-----------------------------------

[](#1-password-component-password)

**Purpose:** Secure, irreversible password hashing and verification.

**What it DOES**

Implements a strict pipeline of:

```
HMAC-SHA256 (Pepper) → Argon2id

```

Handles:

- hashing
- verification
- rehash checks

**What it DOES NOT do**

- manage storage of hashes
- retrieve pepper secrets

**Security Boundary**

Operates in total isolation from encryption keys and relies on:

```
PasswordPepperProviderInterface

```

---

2. KeyRotation Module (`KeyRotation/`)
--------------------------------------

[](#2-keyrotation-module-keyrotation)

**Purpose:** Management of cryptographic key lifecycles and rotation policies.

**What it DOES**

Enforces strict invariants:

```
exactly one ACTIVE key at any time

```

Manages key states:

- ACTIVE
- INACTIVE
- RETIRED

This allows seamless key rotation without downtime.

**What it DOES NOT do**

- perform encryption or decryption
- load keys from storage

**Security Boundary**

Acts as the sole authority on **which key may encrypt new data**.

---

3. HKDF Module (`HKDF/`)
------------------------

[](#3-hkdf-module-hkdf)

**Purpose:** Key Derivation Function implementing **RFC 5869**.

**What it DOES**

Derives independent keys from a root key using **explicit contexts**.

Example contexts:

```
notification:email:v1
auth:session:v1
payment:token:v1

```

**What it DOES NOT do**

- generate root secrets
- perform encryption

**Security Boundary**

Ensures compromise of one domain **cannot affect another**.

---

4. Reversible Module (`Reversible/`)
------------------------------------

[](#4-reversible-module-reversible)

**Purpose:** Symmetric encryption and decryption.

Algorithm:

```
AES-256-GCM

```

**What it DOES**

- encrypt data
- decrypt data

**What it DOES NOT do**

- manage keys
- derive keys

**Security Boundary**

Fail-closed behavior:

- invalid tag → exception
- corrupted ciphertext → exception
- unsupported algorithm → exception

Weak algorithms like **ECB are explicitly forbidden**.

---

5. DX Module (`DX/`)
--------------------

[](#5-dx-module-dx)

**Purpose:** Developer Experience orchestration layer.

Provides the `CryptoProvider` facade.

Example:

```
$crypto->context("user:email:v1");
```

**What it DOES**

Connects primitives into usable pipelines.

**What it DOES NOT do**

Contains **no cryptographic logic**.

All security guarantees exist in the lower layers.

---

3. Architectural Flow
=====================

[](#3-architectural-flow)

The library supports three secure pipelines.

---

A. Password Hashing Pipeline
----------------------------

[](#a-password-hashing-pipeline)

Used for authentication.

```
Input Password
   ↓
HMAC-SHA256 (Pepper)
   ↓
Argon2id (Salted)
   ↓
Password Hash

```

---

B. Context-Based Encryption Pipeline (Recommended)
--------------------------------------------------

[](#b-context-based-encryption-pipeline-recommended)

Used for sensitive application data.

```
Root Keys (KeyRotation)
       ↓
HKDF (Context)
       ↓
Derived Keys
       ↓
AES-256-GCM Encryption

```

---

C. Direct Encryption Pipeline (Advanced)
----------------------------------------

[](#c-direct-encryption-pipeline-advanced)

Used only for internal system secrets.

```
Root Keys (KeyRotation)
       ↓
AES-256-GCM

```

---

Key Hierarchy
=============

[](#key-hierarchy)

**Root Keys**

Managed by KeyRotation.

Never used directly for domain data in the standard pipeline.

**Derived Keys**

Generated via HKDF.

Used for actual encryption.

**Password Secrets**

Pepper is **fully isolated** from encryption keys.

---

4. Design Principles
====================

[](#4-design-principles)

**Fail-Closed Behavior**

All modules throw exceptions on failure.

No silent failures. No fallback algorithms.

---

**Explicit Versioning**

Contexts must be versioned.

Example:

```
auth:token:v1

```

---

**Domain Separation**

Different data domains must use different contexts.

---

**Key Rotation Safety**

Old keys remain valid for decryption while new data always uses the active key.

---

**No Implicit Defaults**

Algorithms, keys, and contexts must always be explicit.

---

**No Hidden State**

Modules are stateless.

They do not cache secrets or persist runtime state.

---

5. What This Library Is NOT
===========================

[](#5-what-this-library-is-not)

**Not a Framework**

No dependency on Laravel, Symfony, etc.

---

**Not a Key Management System**

Does not store keys.

Keys must be injected by the host application.

---

**Not a Secrets Loader**

Does not read `.env`.

Secret management belongs to the host application.

---

**Not a Generic Crypto DSL**

The library intentionally exposes **specific approved primitives** only:

- AES-256-GCM
- Argon2id
- HKDF

No driver abstraction.

---

6. Stability & Extraction Readiness
=======================================

[](#6-stability--extraction-readiness)

This library is **production-ready**.

It was designed from the start to be **extractable as a standalone package**.

---

**Frozen Components**

- Password
- KeyRotation
- HKDF
- Reversible

Their security contracts are locked.

---

**Optional Components**

DX layer is optional.

Consumers may wire primitives manually.

---

Stability
=========

[](#stability)

This library is production-ready and follows **Semantic Versioning**.

###  Health Score

43

—

FairBetter than 90% of packages

Maintenance80

Actively maintained with recent releases

Popularity23

Limited adoption so far

Community11

Small or concentrated contributor base

Maturity48

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Unknown

Total

1

Last Release

103d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/1a885a0810f2762586520ab284c9019aaf0b650b53cdf2a6c13ea10931bb7795?d=identicon)[Maatify](/maintainers/Maatify)

---

Top Contributors

[![megyptm](https://avatars.githubusercontent.com/u/33574895?v=4)](https://github.com/megyptm "megyptm (6 commits)")

---

Tags

argon2cryptographyencryptionhkdfkey-rotationmaatify-devmaatify-ecosystempassword-hashingphpsecurityencryptioncryptopasswordargon2key-rotationhkdfmaatify

###  Code Quality

TestsPHPUnit

Static AnalysisPHPStan

Code StylePHP CS Fixer

Type Coverage Yes

### Embed Badge

![Health badge](/badges/maatify-crypto/health.svg)

```
[![Health](https://phpackages.com/badges/maatify-crypto/health.svg)](https://phpackages.com/packages/maatify-crypto)
```

###  Alternatives

[phpseclib/phpseclib

PHP Secure Communications Library - Pure-PHP implementations of RSA, AES, SSH2, SFTP, X.509 etc.

5.6k455.2M1.5k](/packages/phpseclib-phpseclib)[defuse/php-encryption

Secure PHP Encryption Library

3.9k170.7M239](/packages/defuse-php-encryption)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)