caeligo/field-encryption-bundle
Composer 安装命令:
composer require caeligo/field-encryption-bundle
包简介
A Symfony bundle for transparent Doctrine entity field encryption using AES-256-CBC
README 文档
README
A Symfony bundle for transparent Doctrine entity field encryption using AES-256-CBC for string fields and AES-256-GCM for binary files.
Features
- 🔐 Automatic encryption/decryption - Transparent for your application code
- 📝 String field encryption - AES-256-CBC with HMAC-SHA256 hash for searching
- 📁 Binary file encryption - AES-256-GCM for documents, images, etc.
- 🔑 HKDF key derivation - Cryptographic key separation for different purposes
- 🛡️ Timing-safe comparison - Protection against timing attacks on hash verification
- 🏷️ Attribute-based configuration - Simple
#[Encrypted]and#[EncryptedFile]attributes - 🔄 Key rotation support - Safely rotate keys with progress tracking
- 🗜️ Optional compression - Gzip compression for binary files
- 📋 Metadata storage - Store MIME type, filename, size alongside encrypted content
- 🛠️ Console commands - Key generation, rotation wizard, data migration
Requirements
- PHP 8.2+
- Symfony 6.4+ or 7.x
- Doctrine ORM 2.14+ or 3.x
Installation
composer require caeligo/field-encryption-bundle
Register the bundle in config/bundles.php:
return [ // ... Caeligo\FieldEncryptionBundle\FieldEncryptionBundle::class => ['all' => true], ];
Quick Start
1. Generate Encryption Key
php bin/console field-encryption:generate-key --append-to-env
2. Configure the Bundle
# config/packages/field_encryption.yaml field_encryption: encryption_key: '%env(FIELD_ENCRYPTION_KEY)%'
3. Add Attributes to Your Entity
use Caeligo\FieldEncryptionBundle\Attribute\Encrypted; use Caeligo\FieldEncryptionBundle\Attribute\EncryptedEntity; #[ORM\Entity] #[EncryptedEntity] class User { #[ORM\Column(type: Types::TEXT, nullable: true)] #[Encrypted(hashField: true, hashProperty: 'emailHash')] private ?string $email = null; #[ORM\Column(type: Types::TEXT, nullable: true, unique: true)] private ?string $emailHash = null; private ?string $plainEmail = null; // Transient, auto-populated public function getEmail(): ?string { return $this->plainEmail; } public function setEmail(?string $email): self { $this->plainEmail = $email; return $this; } }
That's it! The bundle automatically encrypts on save and decrypts on load.
Documentation
| Document | Description |
|---|---|
| String Encryption | Encrypting text fields (emails, names, etc.) |
| File Encryption | Encrypting binary files (documents, images) |
| Console Commands | Key generation, rotation, migration commands |
| Key Rotation | Safely rotating encryption keys |
| Configuration | Complete configuration reference |
Basic Examples
Encrypted String Field
#[Encrypted(hashField: true)] private ?string $email = null; private ?string $plainEmail = null; private ?string $emailHash = null;
Encrypted File Field
use Caeligo\FieldEncryptionBundle\Attribute\EncryptedFile; use Caeligo\FieldEncryptionBundle\Model\EncryptedFileData; #[EncryptedFile(mimeTypeProperty: 'mimeType', originalNameProperty: 'fileName')] private $document; private ?EncryptedFileData $plainDocument = null; private ?string $mimeType = null; private ?string $fileName = null;
Working with Files
// From upload $fileData = EncryptedFileData::fromUploadedFile($uploadedFile); $entity->setPlainDocument($fileData); // To download $content = $entity->getPlainDocument()->getContent(); $mimeType = $entity->getPlainDocument()->getMimeType();
Console Commands
# Generate new encryption key php bin/console field-encryption:generate-key # Rotate encryption keys (interactive wizard) php bin/console field-encryption:rotate-keys --wizard # Encrypt existing unencrypted data php bin/console field-encryption:encrypt-existing --dry-run
Security Considerations
- ⚠️ Never commit encryption keys - Use environment variables
- 💾 Backup your keys - Key loss = data loss
- 🔄 Plan key rotation - Use the wizard for safe rotation
- 🔍 Use hashes for search - Enable
hashFieldfor searchable fields - 🆔 Use ULID/UUID - Don't use sequential integers for key derivation
- 🌶️ Consider hash pepper - Use
hash_pepperconfig for extra key separation
Database Compromise Protection
This bundle provides strong protection if only your database is compromised:
| Attacker sees | Can read? | Notes |
|---|---|---|
| Encrypted fields | ❌ No | AES-256 encrypted |
| Hash fields | ⚠️ Hash only | HMAC-SHA256, not reversible |
| Plain metadata | ✅ Yes | Store sensitive metadata separately |
Key requirement: The encryption key must NOT be stored in the database.
License
MIT License - see LICENSE
Author
Bíró Gábor (@biga156)
Repository
caeligo/field-encryption-bundle 适用场景与选型建议
caeligo/field-encryption-bundle 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 31 次下载、GitHub Stars 达 0, 最近一次更新时间为 2025 年 12 月 27 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「symfony」 「security」 「bundle」 「doctrine」 「encryption」 「aes」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 caeligo/field-encryption-bundle 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 caeligo/field-encryption-bundle 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 caeligo/field-encryption-bundle 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
2lenet/EasyAdminPlusBundle
The bundle for easy using json-rpc api on your project
Provide a way to secure accesses to all routes of an symfony application.
DMS Meetup API Bundle, enables Meetup API clients in services
It's a barebone security class written on PHP
Bundle Symfony DaplosBundle
统计信息
- 总下载量: 31
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 30
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2025-12-27