shawm11/iron-crypto
===================

PHP implementation of the iron cryptographic utility

Version 1.0.9 · MIT · PHP >=5.5.0 · [Source](https://github.com/shawm11/iron-crypto-php) · [Packagist](https://packagist.org/packages/shawm11/iron-crypto)

Iron Crypto PHP
===============

A PHP implementation of the 7.0.1 version of the [**iron**](https://github.com/hapijs/iron) cryptographic utility.

Important

*iron* is one of those rare projects that can be considered "complete". This means that changes to this repository will be infrequent because only the development dependencies may need to be updated once every few years.

If there is a bug or error in the documentation, please create an [issue](https://github.com/shawm11/iron-crypto-php/issues). The issue will receive a response or be resolved as soon as possible.

Table of Contents
-----------------

- [What is iron?](#what-is-iron)
- [Getting Started](#getting-started)
    - [Prerequisites](#prerequisites)
    - [Installation](#installation)
- [Usage](#usage)
    - [`Iron` vs `Iron2` Classes](#iron-vs-iron2-classes)
- [Demonstration](#demonstration)
- [Code Examples](#code-examples)
- [API](#api)
- [Security Considerations](#security-considerations)
- [Related Projects](#related-projects)
- [Contributing/Development](#contributingdevelopment)
- [Versioning](#versioning)
- [License](#license)

What is iron?
-------------

According to the [*iron* API](https://hapi.dev/module/iron/api/?v=7.0.1):

> **iron** is a cryptographic utility for sealing a JSON object using symmetric key encryption with message integrity verification. Or in other words, it lets you encrypt an object, send it around (in cookies, authentication credentials, etc.), then receive it back and decrypt it. The algorithm ensures that the message was not tampered with, and also provides a simple mechanism for password rotation.

*iron* can be considered as an alternative to JSON Web Tokens (JWT). Check out [this *iron* issue](https://github.com/hapijs/iron/issues/30) for a small discussion of the difference between *iron* and JWT.

Tip

*iron* is often spelled in all lowercase letters; however, the *i* is capitalized in the class names in this package.

Getting Started
---------------

### Prerequisites

- Git 2.9+
- PHP 5.5.0+
- OpenSSL PHP Extension
- JSON PHP Extension
- [Composer](https://getcomposer.org/)

### Installation

Download and install using [Composer](https://getcomposer.org/):

```
composer require shawm11/iron-crypto
```

Usage
-----

### `Iron` vs `Iron2` Classes

Either the `Iron` or `Iron2` class can be used to seal or unseal iron strings. The `Iron2` class includes a fix for an [issue with PBKDF2](https://github.com/hapijs/iron/issues/55), so it is a bit more secure than the `Iron` class. However, the iron strings produced by `Iron` and `Iron2` are not compatible with each other. The MAC format version in a sealed string created using `Iron2` is 2.1 instead of 2 to indicate the incompatibility.

*iron* strings created using the `Iron` class can be unsealed by other *iron* implementations, and the `Iron` class can unseal *iron* strings from other implementations. This is not true for the `Iron2` class.

In summary, use the `Iron2` class (**RECOMMENDED**) if:

- You need or want a bit more security
- Compatibility with other iron implementations is not important

and use the `Iron` class if:

- You need to unseal an *iron* string created by another implementation
- The sealed *iron* string you create will be unsealed by another implementation

Demonstration
-------------

Suppose we want to "seal" this array:

```
[
    'a' => 1,
    'b' => 2,
    'c' => [3, 4, 5],
    'd' => ['e' => 'f']
]
```

Using this password: `some_not_random_password_that_is_at_least_32_characters`

Sealing with `Iron2::seal()` would give us:

```
Fe26.2.1**50a5bec38a21775318b487bda8eb5bac8ef0033fa14ab3d7d963643b648fb50a*dZ7cUbgFie4_EKYQ1H1RyA*mclk0QCWDb-irF7E5quIcRa52t4TXmo3Jq1BnJFgVv4dZq9fWnB0CUdRA8bKXIEX**da6bb68d955f9db04e9739a2a197ce9780de56f9be26ba24b7bf145c12851d53*0xYQdFBJxipufS03zBu6VZmIlHClv6CTlCc_To1rbIU

```

Notice how the output begins with `Fe26.2.1**`.

On the other hand, sealing with `Iron::seal()` would give us:

```
Fe26.2**6589f8726e6b87f875bd9cbdea1985642d8d2e82168360586cf9cdb46b370fcc*-2XpTXRy5ZL0gJK6Qx9i4Q*hZa7pqt31QIR_ihVZ6qjUv_b0v5KLd1Enhq5q0IjbSfbvnUm_kRDahIC-nAoCsjJ**c74d1c46525da622ddc699c8dabf3902e1f1497bf54e086004fa560d85082e71*1qpfA_ZlR4r5Uo99Py1UU_l7v8lZYjtFI-4QVFYHA1g

```

Notice how this output begins with `Fe26.2**` instead of `Fe26.2.1**`.

Now, suppose we want to seal that same array with one of the passwords in a collection. Doing this allows for increased security through password rotation.

We will choose one of the passwords in our collection to seal the array above:

```
[
    "some_not_random_password_that_is_at_least_32_characters1",
    "some_not_random_password_that_is_at_least_32_characters2",
    "some_not_random_password_that_is_at_least_32_characters3" // Chose this one to create output
]
```

This gives us:

```
Fe26.2.1*2*292e8975ab168c4aff5af0674ae7e49f11307a367e75aee7f5f71063d8132523*QkjFNS0jl7963ENLosY25g*uKNcL7JAlDPURnvMb0C_jHyELe0b84554QcYzeaYWiHI1x0Qwq3Njikf_z_iLYxX**18280c5865db88bd915570325c56f8b6897a3daf710d8a9c9330ead5f392ec4d*ogb2rO5-QiOQk28gfpa3p2PimRM5y015C892SQ_c3y8

```

Notice how the output begins with `Fe26.2.1*2*` instead of `Fe26.2.1**`. That extra `2` is the password ID, which, in this case, is the index of our chosen password in the password collection.
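
The prefix and password ID described above can be read without any key, which is useful for routing a sealed string to the matching class and password before unsealing. The following is an added example, not code from this package: `inspectSealed()` is a hypothetical helper, and the eight-field layout and the expiration field are assumptions taken from the upstream *iron* format rather than from this page.

```php
<?php
// Added example, not part of iron-crypto-php. inspectSealed() is hypothetical.
// Assumed upstream iron layout, "*"-separated:
//   0 prefix, 1 password ID, 2 encryption salt, 3 IV, 4 ciphertext,
//   5 expiration, 6 HMAC salt, 7 HMAC

function inspectSealed($sealed)
{
    $parts = explode('*', $sealed);
    if (count($parts) !== 8) {
        throw new InvalidArgumentException('Expected 8 fields, got ' . count($parts));
    }

    // The prefix identifies which class sealed the string.
    $classByPrefix = ['Fe26.2' => 'Iron', 'Fe26.2.1' => 'Iron2'];
    if (!isset($classByPrefix[$parts[0]])) {
        throw new InvalidArgumentException('Unknown prefix: ' . $parts[0]);
    }
    // Empty ID: sealed with a single password. Otherwise it names an entry
    // in the password collection.
    if ($parts[1] !== '' && !preg_match('/^\w+\z/', $parts[1])) {
        throw new InvalidArgumentException('Malformed password ID');
    }
    // Expiration is empty or decimal digits (assumption from upstream iron).
    if ($parts[5] !== '' && !preg_match('/^\d+\z/', $parts[5])) {
        throw new InvalidArgumentException('Malformed expiration');
    }

    return [
        'class'      => $classByPrefix[$parts[0]],
        'passwordId' => $parts[1] === '' ? null : $parts[1],
        'expiration' => $parts[5] === '' ? null : $parts[5],
    ];
}

// The three sealed strings from the Demonstration section.
$samples = [
    'Fe26.2.1**50a5bec38a21775318b487bda8eb5bac8ef0033fa14ab3d7d963643b648fb50a*dZ7cUbgFie4_EKYQ1H1RyA*mclk0QCWDb-irF7E5quIcRa52t4TXmo3Jq1BnJFgVv4dZq9fWnB0CUdRA8bKXIEX**da6bb68d955f9db04e9739a2a197ce9780de56f9be26ba24b7bf145c12851d53*0xYQdFBJxipufS03zBu6VZmIlHClv6CTlCc_To1rbIU',
    'Fe26.2**6589f8726e6b87f875bd9cbdea1985642d8d2e82168360586cf9cdb46b370fcc*-2XpTXRy5ZL0gJK6Qx9i4Q*hZa7pqt31QIR_ihVZ6qjUv_b0v5KLd1Enhq5q0IjbSfbvnUm_kRDahIC-nAoCsjJ**c74d1c46525da622ddc699c8dabf3902e1f1497bf54e086004fa560d85082e71*1qpfA_ZlR4r5Uo99Py1UU_l7v8lZYjtFI-4QVFYHA1g',
    'Fe26.2.1*2*292e8975ab168c4aff5af0674ae7e49f11307a367e75aee7f5f71063d8132523*QkjFNS0jl7963ENLosY25g*uKNcL7JAlDPURnvMb0C_jHyELe0b84554QcYzeaYWiHI1x0Qwq3Njikf_z_iLYxX**18280c5865db88bd915570325c56f8b6897a3daf710d8a9c9330ead5f392ec4d*ogb2rO5-QiOQk28gfpa3p2PimRM5y015C892SQ_c3y8',
];

foreach ($samples as $sealed) {
    $info = inspectSealed($sealed);
    $id = $info['passwordId'] === null ? '(none)' : $info['passwordId'];
    printf("%s: password ID %s\n", $info['class'], $id);
}
```

Every field read here is unauthenticated until the string has been unsealed and its HMAC verified, so use the result only to choose a class and password, never as a trust decision.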

Code Examples
-------------

- [Common usage](docs/usage-examples/Iron2Example.php) — Example of sealing and unsealing a PHP array object
- [Password rotation](docs/usage-examples/PasswordRotationExample.php) — Example of using password rotation

API
---

See the [API Reference](docs/api-reference.md) for details about the API.

Security Considerations
-----------------------

See the [Security Considerations](https://hapi.dev/module/iron/api/?v=7.0.1#security-considerations) section of iron's API document.

Related Projects
----------------

- [Oz PHP Implementation](https://github.com/shawm11/oz-auth-php) — Oz is a web authorization protocol that is an alternative to OAuth 1.0a and OAuth 2.0 three-legged authorization. Oz utilizes both Hawk and *iron*.
- [Hawk PHP Implementation](https://github.com/shawm11/hawk-auth-php) — Hawk is an HTTP authentication scheme that is an alternative to OAuth 1.0a and OAuth 2.0 two-legged authentication.

Contributing/Development
------------------------

Please read [CONTRIBUTING.md](CONTRIBUTING.md) for details on coding style, Git commit message guidelines, and other development information.

Versioning
----------

This project uses [SemVer](http://semver.org/) for versioning. For the versions available, see the tags on this repository.

License
-------

This project is open-sourced software licensed under the [MIT license](https://opensource.org/licenses/MIT).
