Encrypt/decrypt a file

Zend\Crypt\FileCipher implements the encryption of decryption of a file using a symmetric cipher in CBC mode with the encrypt-then-authenticate approach, using HMAC to provide authentication (the same solution used by Zend\Crypt\BlockCipher component).

Encrypt and decrypt a file is not an easy task, especially a big file. For instance, in CBC mode you must be sure to handle the IV correctly for each block. That means, if you are reading a big file you need to use a buffer and be sure to use the last block of the buffer as new IV for the next encryption step.

The FileCipher uses a symmetric cipher, with the Zend\Crypt\Symmetric\Mcrypt component.

The usage of this component is very simple, you just need to create an instance of FileCipher and specify the key, and you are ready to encrypt/decrypt any file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
use Zend\Crypt\FileCipher;

$fileCipher = new FileCipher;
$fileCipher->setKey('encryption key');
// encryption
if ($fileCipher->encrypt('path/to/file_to_encrypt', 'path/to/output')) {
    echo "The file has been encrypted successfully\n";
}
// decryption
if ($fileCipher->decrypt('path/to/file_to_decrypt', 'path/to/output')) {
    echo "The file has been decrypted successfully\n";
}

By default FileCipher uses the AES encryption algorithm (with a key of 256 bit) and the SHA-256 hash algorithm to authenticate the data using the HMAC function. This component uses the PBKDF2 key derivation algorithm to generate the encryption key and the authentication key, for the HMAC, based on the key specified using the method setKey().

If you want to change the encryption algorithm, you can use the setCipherAlgorithm() function, for instance you can specity to use the Blowfish encryption algorihtm using setCipherAlgorithm('blowfish'). You can retrieve the list of all the supported encryption algorithm in your environment using the function getCipherSupportedAlgorithms(), it will return an array of all the algorithm name.

If you need to customize the cipher algorithm, for instance changing the Padding mode, you can inject your Mcrypt object in the FileCipher using the setCipher() method. The only parameter of the cipher that you cannot change is the cipher mode, that will be CBC in any case.

Note

Output format

The output of the encryption file is in binary format. We used this format to do not impact on the output size. If you encrypt a file using the FileCipher component, you will notice that the output file size is almost the same of the input size, just some bytes more to store the HMAC and the IV vector. The format of the output is the concatenation of the HMAC, the IV and the encrypted file.