
jedisct1 at php dot net
7 years ago
## Encrypt a single message using a secret key

Encryption:

```php
$secret_key = sodium_crypto_secretbox_keygen();
$message = 'Sensitive information';

$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$encrypted_message = sodium_crypto_secretbox($message, $nonce, $secret_key);
```

Decryption:

```php
$decrypted_message = sodium_crypto_secretbox_open($encrypted_message, $nonce, $secret_key);
```

How it works:

`$secret_key` is a secret key. Not a password. It's binary data, not
something designed to be human readable, but rather to have a key
space as large as possible for a given length.
The `keygen()` function creates such a key. That has to remain secret,
as it is used both to encrypt and decrypt data.

`$nonce` is a unique value. Like the secret, its length is fixed. But
it doesn't have to be secret, and can be sent along with the encrypted
message. The nonce doesn't have to be unpredictable either. It just has
to be unique for a given key. With the `secretbox()` API, using
`random_bytes()` is a totally fine way to generate nonces.

Encrypted messages are slightly larger than unencrypted messages,
because they include an authenticator, used by the decryption function
to check that the content was not altered.

## Encrypt a single message using a secret key, and hide its length

Encryption:

```php
$secret_key = sodium_crypto_secretbox_keygen();
$message = 'Sensitive information';
$block_size = 16;

$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$padded_message = sodium_pad($message, $block_size); // pad the plaintext, not the (undefined) padded variable
$encrypted_message = sodium_crypto_secretbox($padded_message, $nonce, $secret_key);
```

Decryption:

```php
$decrypted_padded_message = sodium_crypto_secretbox_open($encrypted_message, $nonce, $secret_key);
$decrypted_message = sodium_unpad($decrypted_padded_message, $block_size);
```

How it works:

Sometimes, the length of a message may provide a lot of information
about its nature. If a message is one of "yes", "no" and "maybe",
encrypting the message doesn't help: knowing the length is enough to
know what the message is.

Padding is a technique to mitigate this, by making the length a
multiple of a given block size.

Messages must be padded prior to encryption, and unpadded after
decryption.
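The two recipes above, combined into a pair of helpers, as an added example that is not part of jedisct1's note. It prepends the public nonce to the ciphertext so a single blob can be stored, pads before encrypting so the ciphertext length only reveals a multiple of the block size, and checks the `false` return of `sodium_crypto_secretbox_open()`, which is how a tampered message, a wrong key or a wrong nonce shows up. The function names, the 16-byte block size and the sample messages are choices made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the user note: helpers combining padding,
// secretbox encryption and nonce handling. BLOCK_SIZE is an example value;
// both sides only need to agree on it.
const BLOCK_SIZE = 16;

function encrypt_message(string $message, string $secret_key): string
{
    if (strlen($secret_key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('Secret key must be SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes long');
    }
    // A fresh random nonce per message: with a 24-byte nonce this is safe for secretbox.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Pad first, then encrypt, so the ciphertext length is a multiple of BLOCK_SIZE (plus the MAC).
    $padded = sodium_pad($message, BLOCK_SIZE);
    $ciphertext = sodium_crypto_secretbox($padded, $nonce, $secret_key);
    sodium_memzero($padded);
    // The nonce is public: ship it in front of the ciphertext.
    return $nonce . $ciphertext;
}

function decrypt_message(string $blob, string $secret_key): string
{
    $min_length = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($blob) < $min_length) {
        throw new RuntimeException('Ciphertext too short');
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox_open() returns false when the authenticator does not verify:
    // altered ciphertext, wrong key or wrong nonce. Never unpad without checking.
    $padded = sodium_crypto_secretbox_open($ciphertext, $nonce, $secret_key);
    if ($padded === false) {
        throw new RuntimeException('Decryption failed: message altered or key/nonce mismatch');
    }
    $message = sodium_unpad($padded, BLOCK_SIZE);
    sodium_memzero($padded);
    return $message;
}

// Demonstration with constructed sample messages.
$key = sodium_crypto_secretbox_keygen();
foreach (['yes', 'no', 'maybe'] as $plain) {
    $blob = encrypt_message($plain, $key);
    // All three blobs are the same size: 24 (nonce) + 16 (MAC) + 16 (one padded block) = 56 bytes,
    // so the length no longer tells an observer which answer was sent.
    printf("%-5s -> %d bytes, round-trips: %s\n", $plain, strlen($blob),
        decrypt_message($blob, $key) === $plain ? 'yes' : 'NO');
}

// Flipping a single bit of the ciphertext makes the authenticator check fail.
$blob = encrypt_message('Sensitive information', $key);
$tampered = $blob;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    decrypt_message($tampered, $key);
    echo "unexpected success\n";
} catch (RuntimeException $e) {
    echo 'Tampered message rejected: ', $e->getMessage(), "\n";
}
```

The `sodium_memzero()` calls wipe the padded plaintext copies once they are no longer needed; the caller still owns the returned `$message` and should wipe it the same way when done with it.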
