Crypt: Database data encryption (AES, HEX support)
The crypt plugin provides transparent encoding of your data inside the database. As of now, we support AES encoding, which may optionally be stored in hexadecimal form.
The default AES encoding is 128-bit and uses ECB mode, which is fully compliant with the MySQL methods. This means you can encrypt and decrypt in either PHP or MySQL with compatible results. In PHP, your data never transits in clear form on the wire; in MySQL, you can take full advantage of the SQL syntax to build complex queries. Porte only uses the PHP mode, so no data is ever transferred in its unencrypted form.
Moreover, the crypt plugin allows you to store your data in hexadecimal form without it being encrypted.
Configuration
The plugin relies on two optional configuration keys added to your property model definition, the "aes" and "hex" keys.
- crypt
  mixed (bool, int, string, array)
  If provided as a boolean true or an integer castable to true, the method will be "AES", the mode "ECB" and the encryption key must be obtained from a higher configuration level.
  If provided as a string, the value is interpreted as the encryption key.
  If provided as an array, the following keys may be present:
  - key
    string, optional
    The encryption key. The key is optional but must be obtained in one way or another.
  - method
    string, default to "AES"
  - mode
    string, default to "ECB"
    The encryption mode
  - hex
    boolean, default to false
    Store the data in hexadecimal form
- key
Defining default configurations
When a property is marked as encrypted, AES requires an encryption key to be declared. When the key is not defined directly in the property configuration, it (and the other crypt keys) may be obtained from a higher configuration level (Porte and table levels).
Static global level default configuration
Porte::$crypt = array(
    "key" => "my_key",
    "method" => "AES",
    "mode" => "ECB",
    "hex" => true
);
$porte = new Porte(array(...));
Porte instance level default configuration
// Either pass the defaults to the constructor...
$porte = new Porte(array(
    "crypt" => array(
        "key" => "my_key",
        "method" => "AES",
        "mode" => "ECB",
        "hex" => true
    )
    ...
));
// ...or set them on the instance configuration afterwards.
$porte = new Porte(array(...));
$porte->config->crypt = array(
    "key" => "my_key",
    "method" => "AES",
    "mode" => "ECB",
    "hex" => true
);
Table level default configuration
$porte->models->set(array(
    'type' => 'crypt_table',
    'crypt' => array(
        "key" => "my_key",
        "method" => "AES",
        "mode" => "ECB",
        "hex" => true
    )
));
PHP and MySQL equivalent queries
The default encryption mechanism is AES-128 (Rijndael-128), which is available in both MySQL and PHP. The following snippets are equivalent.
// AES ciphertext stored as raw binary
assert(
    PortePluginsCrypt::decrypt(
        $this->porte->query("SELECT `aes` FROM `Crypts`")->fetchColumn(),
        array(
            'method'=>'AES',
            'mode'=>'ECB',
            'key'=>'my_key'))
    ===
    $this->porte->query(
        "SELECT AES_DECRYPT(`aes`,'my_key') FROM `Crypts`")->fetchColumn()
);
// AES ciphertext stored in hexadecimal form
assert(
    PortePluginsCrypt::decrypt(
        $this->porte->query("SELECT `aes_hex` FROM `Crypts`")->fetchColumn(),
        array(
            'method'=>'AES',
            'mode'=>'ECB',
            'key'=>'my_key',
            'hex'=>true))
    ===
    $this->porte->query(
        "SELECT AES_DECRYPT(UNHEX(`aes_hex`),'my_key') FROM `Crypts`")->fetchColumn()
);
// Hexadecimal form only, no encryption
assert(
    PortePluginsCrypt::decrypt(
        $this->porte->query("SELECT `hex` FROM `Crypts`")->fetchColumn(),
        array(
            'hex'=>true))
    ===
    $this->porte->query(
        "SELECT UNHEX(`hex`) FROM `Crypts`")->fetchColumn()
);
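As an added illustration (not Porte's own code), the PHP below shows what the equivalences above require of the PHP side when MySQL runs with its default `aes-128-ecb` block encryption mode: the key string is folded to 16 bytes the way MySQL does it, and the data is padded with PKCS#7. The function names are hypothetical, and the page does not say whether the plugin is implemented this way.

```php
<?php
// Added illustration, not Porte's code; all function names are hypothetical.
// MySQL (default aes-128-ecb) folds the key string into 16 bytes by
// XOR-ing each key byte, in order, into a zero-filled buffer.
function mysql_aes_key(string $key): string
{
    $folded = str_repeat("\0", 16);
    for ($i = 0, $n = strlen($key); $i < $n; $i++) {
        $folded[$i % 16] = chr(ord($folded[$i % 16]) ^ ord($key[$i]));
    }
    return $folded;
}

function aes_encrypt_compat(string $plain, string $key, bool $hex = false): string
{
    // OPENSSL_RAW_DATA: binary output; OpenSSL applies PKCS#7 padding by default.
    $raw = openssl_encrypt($plain, 'aes-128-ecb', mysql_aes_key($key), OPENSSL_RAW_DATA);
    if ($raw === false) {
        throw new RuntimeException('encryption failed');
    }
    return $hex ? strtoupper(bin2hex($raw)) : $raw;
}

function aes_decrypt_compat(string $stored, string $key, bool $hex = false): ?string
{
    if ($hex) {
        // Reject malformed hex instead of letting hex2bin() emit a warning.
        if ($stored === '' || strlen($stored) % 2 !== 0 || !ctype_xdigit($stored)) {
            return null;
        }
        $stored = hex2bin($stored);
    }
    // A valid ciphertext is a whole number of 16-byte blocks.
    if ($stored === '' || strlen($stored) % 16 !== 0) {
        return null;
    }
    $plain = openssl_decrypt($stored, 'aes-128-ecb', mysql_aes_key($key), OPENSSL_RAW_DATA);
    return $plain === false ? null : $plain; // null mirrors AES_DECRYPT() returning NULL
}

// Constructed sample values.
$a = aes_encrypt_compat('alice@example.com', 'my_key', true);
$b = aes_encrypt_compat('alice@example.com', 'my_key', true);
var_dump(aes_decrypt_compat($a, 'my_key', true) === 'alice@example.com'); // round trip
var_dump($a === $b); // compares two encryptions of the same value under the same key
```

ECB encrypts each 16-byte block independently and uses no IV, so identical values stored under the same key produce identical ciphertexts; the second comparison makes that visible for the stored column.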