openssl_encrypt
(PHP 5 >= 5.3.0, PHP 7, PHP 8)
openssl_encrypt — Encrypts data
Description
openssl_encrypt( string $data, string $cipher_algo, string $passphrase, int $options = 0, string $iv = "", string &$tag = null, string $aad = "", int $tag_length = 16 ): string|false
Encrypts the given data with the given cipher method and key, and returns a raw or base64-encoded string.
Parameters
- data: The plaintext message data to be encrypted.
- cipher_algo: The cipher method. For a list of available cipher methods, use openssl_get_cipher_methods().
- passphrase: The passphrase. If the passphrase is shorter than expected, it is silently padded with NUL characters; if the passphrase is longer than expected, it is silently truncated.
- options: options is a bitwise disjunction of the flags OPENSSL_RAW_DATA and OPENSSL_ZERO_PADDING.
- iv: A non-NULL Initialization Vector.
- tag: The authentication tag passed by reference when using AEAD cipher mode (GCM or CCM).
- aad: Additional authentication data.
- tag_length: The length of the authentication tag. Its value can be between 4 and 16 for GCM mode.
Return Values
Returns the encrypted string on success or false on failure.
Errors/Exceptions
Emits an E_WARNING level error if an unknown cipher algorithm is passed in via the cipher_algo parameter.
Emits an E_WARNING level error if an empty value is passed in via the iv parameter.
Changelog
Version | Description |
---|---|
7.1.0 | The tag, aad and tag_length parameters were added. |
Examples
Example #1 AES Authenticated Encryption in GCM mode example for PHP 7.1+
<?php
// $key should have been previously generated in a cryptographically safe way,
// like openssl_random_pseudo_bytes; a 16-byte key is generated here so the example runs as-is.
$key = openssl_random_pseudo_bytes(16);
$plaintext = "message to be encrypted";
$cipher = "aes-128-gcm";
if (in_array($cipher, openssl_get_cipher_methods())) {
    $ivlen = openssl_cipher_iv_length($cipher);
    $iv = openssl_random_pseudo_bytes($ivlen);
    $ciphertext = openssl_encrypt($plaintext, $cipher, $key, $options=0, $iv, $tag);
    // store $cipher, $iv, and $tag for decryption later
    $original_plaintext = openssl_decrypt($ciphertext, $cipher, $key, $options=0, $iv, $tag);
    echo $original_plaintext."\n";
}
?>
Example #2 AES Authenticated Encryption example prior to PHP 7.1
<?php
// $key previously generated safely, i.e. openssl_random_pseudo_bytes;
// a 16-byte key is generated here so the example runs as-is.
$key = openssl_random_pseudo_bytes(16);
$plaintext = "message to be encrypted";
$ivlen = openssl_cipher_iv_length($cipher="AES-128-CBC");
$iv = openssl_random_pseudo_bytes($ivlen);
$ciphertext_raw = openssl_encrypt($plaintext, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv);
$hmac = hash_hmac('sha256', $ciphertext_raw, $key, $as_binary=true);
$ciphertext = base64_encode( $iv.$hmac.$ciphertext_raw );

// decrypt later....
$c = base64_decode($ciphertext);
$ivlen = openssl_cipher_iv_length($cipher="AES-128-CBC");
$iv = substr($c, 0, $ivlen);
$hmac = substr($c, $ivlen, $sha2len=32);
$ciphertext_raw = substr($c, $ivlen+$sha2len);
$calcmac = hash_hmac('sha256', $ciphertext_raw, $key, $as_binary=true);
if (hash_equals($hmac, $calcmac)) // timing attack safe comparison
{
    // decrypt only after the HMAC has been verified
    $original_plaintext = openssl_decrypt($ciphertext_raw, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv);
    echo $original_plaintext."\n";
}
?>
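Added example, not part of the PHP manual: it exercises the aad and tag_length parameters described above, packs IV, tag and ciphertext into one string, and rejects a key of the wrong length instead of letting it be silently padded or truncated. The names check_key(), seal() and open_sealed(), the constants, the iv | tag | ciphertext layout and the sample values are assumptions made for this illustration.

```php
<?php
// Added example, not from the PHP manual; all function and constant names are hypothetical.
const CIPHER  = 'aes-256-gcm';
const KEY_LEN = 32; // AES-256 key size in bytes
const TAG_LEN = 16; // full-length GCM tag
function check_key(string $key): void
{
    // openssl_encrypt() would silently NUL-pad or truncate a wrong-sized key; refuse it instead.
    if (strlen($key) !== KEY_LEN) {
        throw new InvalidArgumentException('key must be exactly ' . KEY_LEN . ' bytes');
    }
}

function seal(string $plaintext, string $key, string $aad): string
{
    check_key($key);
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh IV for every message
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct); // layout: iv | tag | ciphertext
}

function open_sealed(string $blob, string $key, string $aad)
{
    check_key($key);
    $raw   = base64_decode($blob, true);
    $ivlen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivlen + TAG_LEN) {
        return false; // malformed input
    }
    $iv  = substr($raw, 0, $ivlen);
    $tag = substr($raw, $ivlen, TAG_LEN);
    $ct  = substr($raw, $ivlen + TAG_LEN);
    // openssl_decrypt() returns false when the tag does not match (modified ciphertext, IV, tag or AAD).
    return openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
}

$key  = random_bytes(KEY_LEN);                                  // constructed sample key
$blob = seal('message to be encrypted', $key, 'record-id:42'); // constructed AAD value
var_dump(open_sealed($blob, $key, 'record-id:42'));            // same AAD as when sealing
var_dump(open_sealed($blob, $key, 'record-id:43'));            // different AAD
try {
    seal('x', 'short-passphrase', 'record-id:42');              // wrong-sized key
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The AAD is not stored in the packed string, so the caller must supply the same value when decrypting.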
See Also
- openssl_decrypt() - Decrypts data
© 1997–2021 The PHP Documentation Group
Licensed under the Creative Commons Attribution License v3.0 or later.
https://www.php.net/manual/en/function.openssl-encrypt.php