承接 andybeak/envelope_encryption 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

andybeak/envelope_encryption

Composer 安装命令:

composer require andybeak/envelope_encryption

包简介

This package makes it more convenient to perform envelope encryption.

README 文档

README

Build Status Maintainability Test Coverage

This package makes it more convenient to perform envelope encryption.

This pattern of encryption involves using a secure key store to hold a master key. Each time that you encrypt a piece of data you generate a new random key to use. This key is encrypted with the master key and stored alongside your data.

Using this pattern means that you do not ever need to deploy your master key to a server. The master key remains in the secure key storage.

Note that this is an anti-pattern for high-velocity data encryption. Each time that you encrypt something you will be making an HTTPS call to your key provider, which obviously adds network I/O to your response time.

An alternative pattern is to use the same single data key for all of your records. You can decrypt this key and store it in your configuration object to avoid having to make repeated calls to KMS.

Usage

Create an object using KMS as a backing service

Create an instance of the object using the factory. It accepts an enum of the type of provider and the settings to use in constructing the provider.

use \AndyBeak\EnvelopeEncryption\EnvelopeEncryptionFactory; 
use \AndyBeak\EnvelopeEncryption\Enum\KeyStoresEnum;

$settings = [
    'keyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
    'region' => 'eu-west-2',
    'keySpec' => 'AES_256'
];   
$envelopeEncryption = EnvelopeEncryptionFactory::create(new KeystoresEnum(KeystoresEnum::AWS), $settings);

Only the keyId is mandatory and the other values will default to the ones shown if omitted.

Encrypting and decrypting

Once you have an EnvelopeEncryption object you can call the encrypt method as follows:

$envelopeEncrypted = $envelopeEncryption->encrypt('Hello World');    

This returns an associative array in this format:

return [
    'ciphertext' => 'The encrypted string'
    'nonce' => 'A nonce that you must supply when decrypting',
    'encryptedDataKey' => 'The encrypted copy of the key that was used to encrypt the data'
]; 

You need to store all three pieces of data!

To decrypt you call decrypt and supply the information that was returned from encrypt:

$plaintext = $envelopeEncryption->decrypt(
    $envelopeEncrypted['ciphertext'],
    $envelopeEncrypted['nonce'],
    $envelopeEncrypted['encryptedDataKey']
);
var_dump($plaintext);
// string(11) "Hello World"

Full example

<?php

require 'vendor/autoload.php';

use \AndyBeak\EnvelopeEncryption\EnvelopeEncryptionFactory;
use \AndyBeak\EnvelopeEncryption\Enum\KeyStoresEnum;

$settings = [
    'keyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
    'region' => 'eu-west-2',
    'keySpec' => 'AES_256'
];

$envelopeEncryption = EnvelopeEncryptionFactory::create(new KeystoresEnum(KeystoresEnum::AWS), $settings);

$envelopeEncrypted = $envelopeEncryption->encrypt('Hello World');

$plaintext = $envelopeEncryption->decrypt(
    $envelopeEncrypted['ciphertext'],
    $envelopeEncrypted['nonce'],
    $envelopeEncrypted['encryptedDataKey']
);

var_dump($plaintext);
// string(11) "Hello World"

Backing service

Currently this package only supports AWS KMS, but other services like Hashicorp Vault should be easy to set up by adding a new implementation of KeystoreProviderInterface

KMS

You'll need a key set up in AWS KMS.

The SDK should detect the credentials from one of the following:

More information is available on the AWS PHP SDK documentation page.

andybeak/envelope_encryption 适用场景与选型建议

andybeak/envelope_encryption 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 3 次下载、GitHub Stars 达 1, 最近一次更新时间为 2019 年 08 月 05 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 andybeak/envelope_encryption 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 andybeak/envelope_encryption 我们能提供哪些服务?
定制开发 / 二次开发

基于 andybeak/envelope_encryption 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 3
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 1
  • 点击次数: 12
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 1
  • Watchers: 1
  • Forks: 1
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2019-08-05