Reference
Encrypting Files
Zend\Crypt\FileCipher
implements file encryption and decryption using a
symmetric cipher in
CBC
mode with the encrypt-then-authenticate approach, using
HMAC to provide authentication (the same
solution used by Zend\Crypt\BlockCipher
component).
Encrypting and decrypting a file is not an easy task, especially with large files. For instance, in CBC mode you must be sure to handle the IV correctly for each block. For large files, that means that you need to use a buffer and use the last block of the buffer as the new IV for the next encryption step.
FileCipher
uses a Zend\Crypt\Symmetric
cipher to encrypt and decrypt a file.
The default cipher is Zend\Crypt\Symmetric\Openssl
.
The usage of this component is very simple; create an instance of FileCipher
,
specify the key, and you are ready to encrypt/decrypt any file:
use Zend\Crypt\FileCipher;
$fileCipher = new FileCipher;
$fileCipher->setKey('encryption key');
// encryption
if ($fileCipher->encrypt('path/to/file_to_encrypt', 'path/to/output')) {
echo "The file has been encrypted successfully\n";
}
// decryption
if ($fileCipher->decrypt('path/to/file_to_decrypt', 'path/to/output')) {
echo "The file has been decrypted successfully\n";
}
By default, FileCipher
uses the AES
encryption algorithm (with a 256-bit key) and the SHA-256
hash algorithm to authenticate the data using the HMAC function. This component uses the
PBKDF2 key derivation algorithm to generate the encryption
key and the authentication key, for the HMAC, based on the key specified using the method
setKey()
.
If you want to change the encryption algorithm, you can use the setCipherAlgorithm()
function. For
instance, you could specify the Blowfish
encryption algorithm using setCipherAlgorithm('blowfish')
. You can retrieve the list of all
supported encryption algorithms in your environment using the function
getCipherSupportedAlgorithms()
.
If you need to customize the cipher algorithm — for instance, to change
the Padding mode — you can inject your Mcrypt
object in the FileCipher
using the setCipher()
method. The only parameter of the cipher that you cannot
change is the cipher mode, which is hard-coded to CBC.
Output Format
The output of the encryption file is in binary format. We used this format to reduce impact on output size. If you encrypt a file using the
FileCipher
component, you will notice that the output file size is almost the same as the input size, with a few additional bytes to store the HMAC and the IV vector. The format of the output is the concatenation of the HMAC, the IV, and the encrypted file contents.
Found a mistake or want to contribute to the documentation? Edit this page on GitHub!