Encryption and signing



Mako comes with a set of classes to help you encrypt and sign your data.

Make sure to NEVER use the example secret and keys provided with the framework in production. ALWAYS create your own!

You can easily generate your own secure secret and keys using the app.generate_secret and app.generate_key reactor commands.


Encryption

Basics

The encryption library allows you to encrypt data using OpenSSL.

First we'll need to get an encrypter instance. This is done using the CryptoManager::instance method.

// Returns instance of the "default" crypto configuration defined in the config file

$encrypter = $this->crypto->instance();

// Returns instance of the "openssl" crypto configuration defined in the config file

$encrypter = $this->crypto->instance('openssl');

The encrypt method is used to encrypt your data.

$encrypted = $encrypter->encrypt('Hello, world!');

The decrypt method is used to decrypt your data. It throws a CryptoException if it's unable to decrypt your data.

$decrypted = $encrypter->decrypt('Hello, world!');

Note that data will automatically be signed with the application secret when encrypted and validated when decrypting when using the Crypto class.

Magic shortcut

You can access the default crypto configuration directly without having to go through the instance method thanks to the magic __call method.

$encrypted = $this->crypto->encrypt('Hello, world!');

Re-encrypting data

Sometimes you'll have to re-encrypt data. This could be because you have generated a new application secret or encryption key. Luckily, this can easily be achieved in a few simple lines of code.

// Decrypt data using the old key and secret

$crypto = new Crypto(new OpenSSL(Key::decode($oldKey)), new Signer(Key::decode($oldSecret)));

$decrypted = $crypto->decrypt($encrypted);

// Encrypt the data using the new key and secret

$crypto = new Crypto(new OpenSSL(Key::decode($newKey)), new Signer(Key::decode($newSecret)));

$encrypted = $crypto->encrypt($decrypted);

Note that we're using the Key::decode() method since we're assuming that your application secret and encryption key were generated by the app.generate_secret and app.generate_key reactor commands.


Signing

Signing strings allows you to verify both the data integrity and the authentication of your data. A HMAC (hash-based message authentication code) will be prepended to your string upon signing and stripped when validated.

You can easily sign strings with the application secret using the default signer instance.

$signed = $this->signer->sign('Hello, world!');

If you want to sign strings with a different secret then you can do so by creating a new Signer instance.

$signer = new Signer('secret_used_to_sign_data');

Make sure to use a cryptographically strong secret and to keep it away from prying eyes.

The sign method returns a signed version of the provided string.

$signed = $signer->sign('Hello, world!');

The validate method will check if your string is valid. It returns the original string if it is and false if not.

$string = $signer->validate($signed);