Symmetric Encryption in PHP

Harry Gogonis
2 min readAug 21, 2017


PHP has multiple implementations of symmetric encryption. If you are using mcrypt this library is deprecated in PHP 5.5.0 and removed in PHP 7.0.0.

As of August 2017, the proper way of encrypting in PHP is to use openssl with AES-256-CBC mode. CTR mode is not currently implemented.


Chose an encryption method and key

As of writing, AES-256-CBC is the best method.

$method = 'AES-256-CBC'

Your key must be a secret, so you might want to use an environment variable.

$key = getenv('NAMESPACED_CRYPTO_KEY')

Generate an Initialization Vector (IV)

An IV is a parameter to the cipher. The IV is not secret. Ideally you want this IV to be unique, so we will use cryptographically random bytes as an IV.

$length = openssl_cipher_iv_length($method);
$iv = openssl_random_pseudo_bytes($length);

Encrypt your data

$encrypted = openssl_encrypt($pltxt, $method, $key, OPENSSL_RAW_DATA, $iv);

Encode IV

We will append the IV to the encrypted cipher text so we can retrieve it for decryption. You could store them in separate variables or database columns if you wish.

$ctxt = base64_encode($encrypted) . '|' . base64_encode($iv);


Decode IV

We need to extract the IV and cipher text from our encoded string. If you stored them separately you can skip this step.

list($data, $iv) = explode('|', $encrypted);
$iv = base64_decode($iv);

Decrypt your data

$pltxt = openssl_decrypt($data, $method, $key, 0, $iv);

Originally published at



Harry Gogonis