sodium_crypto_secretbox

    (PHP 7 >= 7.2.0, PHP 8)

    sodium_crypto_secretboxAuthenticated shared-key encryption

    Description

    function sodium_crypto_secretbox(#[\SensitiveParameter]string $message, string $nonce, #[\SensitiveParameter]string $key): string

    Encrypt a message with a symmetric (shared) key.

    Parameters

    message
    The plaintext message to encrypt.
    nonce
    A number that must be only used once, per message. 24 bytes long. This is a large enough bound to generate randomly (i.e. random_bytes()).
    key
    Encryption key (256-bit).

    Return Values

    Returns the encrypted string.

    Errors/Exceptions

    Examples

    Example #1 sodium_crypto_secretbox() example

    <?php
// The $key must be kept confidential
$key = sodium_crypto_secretbox_keygen();
// Do not reuse $nonce with the same key
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$plaintext = "message to be encrypted";
$ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);

var_dump(bin2hex($ciphertext));
// The same nonce and key are required to decrypt the $ciphertext
var_dump(sodium_crypto_secretbox_open($ciphertext, $nonce, $key));
?>

    The above example will output something similar to:

    string(78) "3a1fa3e9f7b72ef8be51d40abf8e296c6899c185d07b18b4c93e7f26aa776d24c50852cd6b1076"
string(23) "message to be encrypted"

    See Also

    Found A Problem?

    Learn How To Improve This PageSubmit a Pull RequestReport a Bug
    add a note

    User Contributed Notes 3 notes

    up
    1
    celso fontes
    5 years ago
    An example to how encrypt or decrypt using sodium:

<?php

$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);

$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$ciphertext = sodium_crypto_secretbox("Hello World !", $nonce, $key);

$plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
if ($plaintext === false) {
    throw new Exception("Bad ciphertext");
}

echo $plaintext;
    up
    0
    Anonymous
    14 days ago
    A typical safe pattern is to generate both the key and nonce, then store or transmit the nonce alongside the ciphertext.

<?php

// Generate a random key (must be kept secret)
$key = sodium_crypto_secretbox_keygen();

// Generate a unique nonce for this message (24 bytes)
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

$message = "Hello secure world";

// Encrypt
$ciphertext = sodium_crypto_secretbox($message, $nonce, $key);

// Store or transmit: nonce + ciphertext (key is kept secret)
$stored = base64_encode($nonce . $ciphertext);

// -------------------

// Decode and split
$decoded = base64_decode($stored, true);

$nonce = substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$ciphertext = substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

// Decrypt
$decrypted = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);

if ($decrypted === false) {
    die("Decryption failed (message tampered or invalid key)");
}

echo $decrypted;

?>
    up
    0
    Anonymous
    14 days ago
    A typical safe pattern is to generate both the key and nonce, then store or transmit the nonce alongside the ciphertext.

<?php

// Generate a random key (must be kept secret)
$key = sodium_crypto_secretbox_keygen();

// Generate a unique nonce for this message (24 bytes)
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

$message = "Hello secure world";

// Encrypt
$ciphertext = sodium_crypto_secretbox($message, $nonce, $key);

// Store or transmit: nonce + ciphertext (key is kept secret)
$stored = base64_encode($nonce . $ciphertext);

// -------------------

// Decode and split
$decoded = base64_decode($stored, true);

$nonce = substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$ciphertext = substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

// Decrypt
$decrypted = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);

if ($decrypted === false) {
    die("Decryption failed (message tampered or invalid key)");
}

echo $decrypted;

?>
    add a note
    To Top