README

Laravel package for per-user asymmetric encryption: legacy RSA-OAEP or ML-KEM-768 wraps the Halite / libsodium encryption secret; user content is sealed with Crypto::seal and unsealed with the user’s secret (typically from a session cookie after unlock).

Requires: PHP ^8.2, Laravel ^11 or ^12, paragonie/halite ^5.1, paragonie/pqcrypto_compat, paragonie/sodium_compat, and the host app’s App\User model with an encryption() relation and a uuid attribute (see tests/Stubs/App/User.php). Version is defined in composer.json.

Demo app (demo/)

A self-contained Laravel skeleton lives under demo/. It Composer-links the parent package from .. so you can run create / decrypt in a browser without installing from GitLab.

cd demo
composer install
cp .env.example .env && php artisan key:generate
touch database/database.sqlite
php artisan migrate --seed
php artisan serve

Package migrations load from ../src/migrations (no vendor:publish required for the schema). Optionally publish config: php artisan vendor:publish --tag=userencryption.

See demo/README.md for details and caveats (auto-login is dev-only).

Installation

composer require rinzler/user-encryption

Publish and run migrations:

php artisan vendor:publish --tag=userencryption
php artisan migrate

Register the service provider if discovery is disabled:

Rinzler\UserEncryption\UserEncryptionServiceProvider::class,

Routes ship with web, auth, and throttle:30,1 (30 attempts per minute per IP) so a standard Crypton install does not need extra route wiring for those concerns.

Routes

• new — Create RSA + Halite key material, store in user_encryption, set unlock cookie.
• decrypt — Submit passphrase to unlock master key and set the same style of cookie.

Use the default web stack (session, CSRF) from the browser. Unlock cookies use HttpOnly, Secure when config('session.secure') is true, and SameSite when your Laravel cookie jar supports session.same_site.

Database

Table user_encryption (after migrate): belongs_to, rsa_master_private_key, rsa_master_public_key (legacy RSA-OAEP PEM material; empty for ML-KEM-only rows), encryption_private_key, encryption_public_key, timestamps.

Main API

• Facade / container: UserEncryption → Rinzler\UserEncryption\Support\UserEncryption (see Rinzler\UserEncryption\Facades\UserEncryption).
• Rinzler\UserEncryption\Support\UserEncryption
  • generateEncryptionKey($passphrase) — throws RuntimeException if OpenSSL key generation fails.
  • generateAESKey() — Halite encryption keypair (hex-encoded material in the returned array; name is historical).
  • encryptAESKey / decryptAESKey — RSA-OAEP wrap/unwrap of the Halite secret (false on failure).
  • encryptString($data, $publicKeyString) / decryptString($data) — Halite seal/unseal; decryptString returns a plain string and may throw HttpResponseException for redirects when the unlock cookie is missing or invalid.

See src/ for implementation details.

Tests

From a clone of this repo (dev dependencies include Orchestra Testbench 9 and PHPUnit 11):

composer install
composer test

Tests use Orchestra Testbench with an in-memory SQLite database and a test-only App\User under tests/Stubs/App/ (your production app supplies the real App\User).

Security

This package handles high-value secrets (keys in the DB, material in cookies). Use HTTPS in production (session.secure / APP_URL), keep a strong passphrase policy in your forms if you need more than required, and review your overall threat model (XSS, DB access, backups).

License

GNU General Public License v3.0 or later (SPDX: GPL-3.0-or-later).