Last updated: Fri, 10 Feb 2012

openssl_encrypt

(PHP 5 >= 5.3.0)

openssl_encrypt: Encrypts data

Description

string openssl_encrypt ( string $data , string $method , string $password [, bool $raw_output = false [, string $iv = "" ]] )

Encrypts the given string with the given method and key, and returns a raw or base64-encoded string.

Warning

This function is currently not documented in detail; only its argument list is available.

Parameters

data

The data.

method

The cipher method.

password

The password.

raw_output

When set to TRUE, the output is returned as raw data. Otherwise a base64-encoded value is returned.

iv

A non-NULL initialization vector.

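Return Values

Returns the encrypted string on success, or FALSE on failure.

Errors / Exceptions

Emits an E_WARNING level error if an unknown cipher algorithm is passed via the method parameter.

Emits an E_WARNING level error if an empty value is passed via the iv parameter.

Changelog

Version Description
5.3.3 The iv parameter was added.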

User Contributed Notes
biohazard dot ge at gmail dot com 15-Jun-2011 06:48
Many users give up on handling the problem when the openssl command line tool can't decrypt a file which was encrypted with the PHP openssl_encrypt function.

For example, here is how a beginner encrypts data:

<?php

$string = 'It works ? Or not it works ?';
$pass = '1234';
$method = 'aes128';

file_put_contents ('./file.encrypted', openssl_encrypt ($string, $method, $pass));

?>

And then here is how the beginner tries to decrypt the data from the command line:

# openssl enc -aes-128-cbc -d -in file.encrypted -pass pass:123

Or even if he/she determines that the openssl_encrypt output was base64 and tries:

# openssl enc -aes-128-cbc -d -in file.encrypted -base64 -pass pass:123

Or even if he determines that the base64 encoded file is represented in one line and tries:

# openssl enc -aes-128-cbc -d -in file.encrypted -base64 -A -pass pass:123

Or even if he determines that an IV is needed and adds some string iv as the encryption function's fourth parameter and then adds the hex representation of the iv as a parameter in the openssl command line:

# openssl enc -aes-128-cbc -d -in file.encrypted -base64 -pass pass:123 -iv 31323334353637383132333435363738

Or even if he determines that the aes-128 password must be 128 bits, therefore 16 bytes, and sets $pass = '1234567812345678' and tries:

# openssl enc -aes-128-cbc -d -in file.encrypted -base64 -pass pass:1234567812345678 -iv 31323334353637383132333435363738

All these troubles will have no result in any case.

BECAUSE THE PASSWORD PARAMETER DOCUMENTED HERE IS NOT THE PASSWORD.

It means that the password parameter of the function is not the same string used as [-pass pass:] parameter with openssl cmd tool for file encryption decryption.

IT IS THE KEY !

And now how to correctly encrypt data with php openssl_encrypt and how to correctly decrypt it from openssl command line tool.

<?php

    // Convert a byte string to its uppercase hex representation.
    function strtohex($x)
    {
        $s = '';
        foreach (str_split($x) as $c) $s .= sprintf("%02X", ord($c));
        return($s);
    }

    $source = 'It works !';

    $iv = "1234567812345678";
    $pass = '1234567812345678';
    $method = 'aes-128-cbc';

    echo "\niv in hex to use: ".strtohex ($iv);
    echo "\nkey in hex to use: ".strtohex ($pass);
    echo "\n";

    // raw_output = true, so the file holds raw ciphertext rather than base64.
    file_put_contents ('./file.encrypted', openssl_encrypt ($source, $method, $pass, true, $iv));

    // Build the matching command line: key and IV are passed as hex.
    $exec = "openssl enc -".$method." -d -in file.encrypted -nosalt -nopad -K ".strtohex($pass)." -iv ".strtohex($iv);

    echo 'executing: '.$exec."\n\n";
    echo exec ($exec);
    echo "\n";

?>

The IV and Key parameters passed to the openssl command line must be in the hex representation of the string.

The correct command for decrypting is:

# openssl enc -aes-128-cbc -d -in file.encrypted -nosalt -nopad -K 31323334353637383132333435363738 -iv 31323334353637383132333435363738

As it has no salt and no padding, and by setting the function's third parameter, we have no more base64 encoded file to decode. The command will echo that it works...

: /
public at grik dot net 01-Aug-2010 05:25
In 5.3.3 they added a new parameter, string $iv (initialization vector)
Real parameters are:
string openssl_encrypt ( string $data , string $method , string $password, bool $raw_output = false, string $iv )

If $iv is missing, a warning is issued: "Using an empty Initialization Vector (iv) is potentially insecure and not recommended".

If $iv is too short, another warning:
"IV passed is only 3 bytes long, cipher expects an IV of precisely 8 bytes, padding with \0"

The same IV should be used in openssl_decrypt()
public at grik dot net 25-Dec-2009 09:54
The list of methods for this function can be obtained with openssl_get_cipher_methods();
The password can be encrypted with the openssl_private/public_encrypt()
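
The key and IV handling discussed in the notes above, as an added example that is not part of the manual or of any contributor's note: it derives the raw key from a password, uses a fresh IV per message and stores it with the ciphertext, and shows that a short $password is zero-padded to the key length. It assumes PHP 5.5+ for hash_pbkdf2(); derive_key(), seal() and unseal() are hypothetical names and the iteration count is illustrative.

```php
<?php
// Added example; derive_key(), seal() and unseal() are hypothetical names.
// Assumes PHP 5.5+ (hash_pbkdf2). The iteration count is illustrative.

const METHOD   = 'aes-128-cbc';
const SALT_LEN = 16;

// Stretch a human password into the 16 raw key bytes aes-128-cbc expects.
function derive_key($password, $salt)
{
    return hash_pbkdf2('sha256', $password, $salt, 100000, 16, true);
}

// Encrypt under a fresh salt and IV; returns base64(salt || iv || ciphertext).
function seal($plaintext, $password)
{
    $salt = openssl_random_pseudo_bytes(SALT_LEN);
    $iv   = openssl_random_pseudo_bytes(openssl_cipher_iv_length(METHOD));
    $ct   = openssl_encrypt($plaintext, METHOD, derive_key($password, $salt), true, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($salt . $iv . $ct);
}

// Split salt, IV and ciphertext apart again and decrypt with the same IV.
function unseal($blob, $password)
{
    $raw   = base64_decode($blob, true);
    $ivLen = openssl_cipher_iv_length(METHOD);
    if ($raw === false || strlen($raw) <= SALT_LEN + $ivLen) {
        throw new InvalidArgumentException('malformed input');
    }
    $salt = substr($raw, 0, SALT_LEN);
    $iv   = substr($raw, SALT_LEN, $ivLen);
    $ct   = substr($raw, SALT_LEN + $ivLen);
    return openssl_decrypt($ct, METHOD, derive_key($password, $salt), true, $iv);
}

// A short string passed directly as $password is zero-padded to the key
// length, so both calls below yield the same ciphertext (constructed inputs).
$fixedIv = str_repeat("\x01", 16); // fixed IV only to make the comparison possible
$a = openssl_encrypt('It works !', METHOD, '1234', true, $fixedIv);
$b = openssl_encrypt('It works !', METHOD, '1234' . str_repeat("\0", 12), true, $fixedIv);
var_dump($a === $b);

$blob = seal('It works !', '1234');
var_dump(unseal($blob, '1234') === 'It works !'); // round trip
var_dump(seal('It works !', '1234') !== $blob);   // fresh salt and IV each call
```

CBC output carries no integrity check, so a stored blob like this should also be authenticated (for example with an HMAC over salt, IV and ciphertext) before it is decrypted.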
