You are here

Home » API reference » Real AES 7.2

README.txt in Real AES 7.2

Same filename and directory in other branches
  1. 8.2 README.txt
  2. 8 README.txt
  3. 7 README.txt
# Real AES

## Introduction

Real AES provides an encryption method plugin for the Encrypt module (https://drupal.org/project/encrypt).
It also serves as a library loader for the Defuse PHP-encryption library.

Defuse PHP-encryption provides authenticated encryption via an Encrypt-then-MAC scheme. AES-256 CBC is the symmetric
encryption algorithm, SHA-256 the hash algorithm for the HMAC. IV's are automatically and randomly generated. You do
not need to manage the IV separately, as it is included in the ciphertext.

Ciphertext format is: HMAC || iv || ciphertext

The HMAC verifies both IV and Ciphertext.

## Authenticated encryption

Authenticated encryption ensures data integrity of the ciphertext. When decrypting, integrity is checked first. Further
decrypting operations will only be executed when the integrity check passes. This prevents certain ciphertext attacks
on AES CBC.

## Requirements

- PHP 5.4 or later with the openssl extension.
- The Defuse PHP-Encryption library from https://github.com/defuse/php-encryption/archive/v2.1.0.zip. Unzip the archive
  and install it as php-encryption in your libraries folder (Example: sites/all/libraries/php-encryption).
- The PHP-Encryption autoload.php file from
  https://gist.github.com/paragonie-scott/949daee819bb7f19c50e5e103170b400/archive/4d72ab0049b1dc37ce68e4cecaf9b280953a1d0a.zip.
  Unzip the archive and place it in the php-encryption directory
  (Example: sites/all/libraries/php-encryption/autoload.php).
- If you are using a version of PHP < 7.0, you will also need to add the random_compat PHP library.
  Download it from https://github.com/paragonie/random_compat/archive/v2.0.11.zip. Install it as random_compat in
  your libraries folder (Example: sites/all/libraries/random_compat). For versions of PHP >= 7.0, this
  library is not needed.

## General configuration

If you need the defuse PHP-encryption library, or use the Encrypt plugin just enable Real AES and install the library.

### Generate a key

To generate a 256-bit random key, use the following command on the Unix CLI:

dd if=/dev/urandom bs=32 count=1 > /path/to/aes.key

This file MUST be stored outside of the docroot. Copy this file to an off-server, safe backup. If you lose the key,
you will not be able to decrypt encrypted information in the database.

If you do not have access to dd, generate the file using drush on a working Drupal installation:

drush php-eval 'echo drupal_random_bytes(32);' > /path/to/aes.key

### Point Real AES to the key

$conf['real_aes_key_file'] = '/path/to/aes.key';

## Encrypt plugin configuration

Real AES adds the "Authenticated AES" encryption method on the "Encryption method settings" tab for Encrypt
configurations.

## Usage

1. Use the Authenticated AES encryption method with the Encrypt module (https://drupal.org/project/encrypt).

2. If you implement encryption yourself, use this module as a Defuse PHP Encryption library loader.
   In your own code, include the library with libraries_load('php-encryption'), then call Crypto::encrypt,
   Crypto::decrypt and Crypto::createNewRandomKey directly.

   See
   * https://github.com/defuse/php-encryption for documentation,
   * For examples, see https://github.com/defuse/encutil or https://github.com/tsusanka/fileencrypt

## Further reading

* Encryption in PHP https://defuse.ca/secure-php-encryption.htm
* Defuse php-encryption readme: https://github.com/defuse/php-encryption/blob/master/README.md
* Authenticated encryption: https://en.wikipedia.org/wiki/Authenticated_encryption
* CBC Block mode: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_Block_Chaining_.28CBC.29
* HMAC: https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
* SHA-256: https://en.wikipedia.org/wiki/SHA-2

## Key management

Key storage on the webserver is a potential weak point in any encryption system. Consider
using Encrypt with a key management solution, such as Lockr (https://www.drupal.org/project/lockr)
or Townsend Security Key Connection (https://www.drupal.org/project/townsec_key)

## Credits

The original version of this module was created by LimoenGroen - https://limoengroen.nl - after carefully
considering the various encryption modules and libraries.

The library doing the actual work, Defuse PHP-encryption, is authored by Taylor Hornby and Scott Arciszewski. Its
home is https://github.com/defuse/php-encryption .

File

README.txt
View source 
  1. # Real AES

  2. 

  3. ## Introduction

  4. 

  5. Real AES provides an encryption method plugin for the Encrypt module (https://drupal.org/project/encrypt).

  6. It also serves as a library loader for the Defuse PHP-encryption library.

  7. 

  8. Defuse PHP-encryption provides authenticated encryption via an Encrypt-then-MAC scheme. AES-256 CBC is the symmetric

  9. encryption algorithm, SHA-256 the hash algorithm for the HMAC. IV's are automatically and randomly generated. You do

  10. not need to manage the IV separately, as it is included in the ciphertext.

  11. 

  12. Ciphertext format is: HMAC || iv || ciphertext

  13. 

  14. The HMAC verifies both IV and Ciphertext.

  15. 

  16. ## Authenticated encryption

  17. 

  18. Authenticated encryption ensures data integrity of the ciphertext. When decrypting, integrity is checked first. Further

  19. decrypting operations will only be executed when the integrity check passes. This prevents certain ciphertext attacks

  20. on AES CBC.

  21. 

  22. ## Requirements

  23. 

  24. - PHP 5.4 or later with the openssl extension.

  25. - The Defuse PHP-Encryption library from https://github.com/defuse/php-encryption/archive/v2.1.0.zip. Unzip the archive

  26.   and install it as php-encryption in your libraries folder (Example: sites/all/libraries/php-encryption).

  27. - The PHP-Encryption autoload.php file from

  28.   https://gist.github.com/paragonie-scott/949daee819bb7f19c50e5e103170b400/archive/4d72ab0049b1dc37ce68e4cecaf9b280953a1d0a.zip.

  29.   Unzip the archive and place it in the php-encryption directory

  30.   (Example: sites/all/libraries/php-encryption/autoload.php).

  31. - If you are using a version of PHP < 7.0, you will also need to add the random_compat PHP library.

  32.   Download it from https://github.com/paragonie/random_compat/archive/v2.0.11.zip. Install it as random_compat in

  33.   your libraries folder (Example: sites/all/libraries/random_compat). For versions of PHP >= 7.0, this

  34.   library is not needed.

  35. 

  36. ## General configuration

  37. 

  38. If you need the defuse PHP-encryption library, or use the Encrypt plugin just enable Real AES and install the library.

  39. 

  40. ### Generate a key

  41. 

  42. To generate a 256-bit random key, use the following command on the Unix CLI:

  43. 

  44. dd if=/dev/urandom bs=32 count=1 > /path/to/aes.key

  45. 

  46. This file MUST be stored outside of the docroot. Copy this file to an off-server, safe backup. If you lose the key,

  47. you will not be able to decrypt encrypted information in the database.

  48. 

  49. If you do not have access to dd, generate the file using drush on a working Drupal installation:

  50. 

  51. drush php-eval 'echo drupal_random_bytes(32);' > /path/to/aes.key

  52. 

  53. ### Point Real AES to the key

  54. 

  55. $conf['real_aes_key_file'] = '/path/to/aes.key';

  56. 

  57. ## Encrypt plugin configuration

  58. 

  59. Real AES adds the "Authenticated AES" encryption method on the "Encryption method settings" tab for Encrypt

  60. configurations.

  61. 

  62. ## Usage

  63. 

  64. 1. Use the Authenticated AES encryption method with the Encrypt module (https://drupal.org/project/encrypt).

  65. 

  66. 2. If you implement encryption yourself, use this module as a Defuse PHP Encryption library loader.

  67.    In your own code, include the library with libraries_load('php-encryption'), then call Crypto::encrypt,

  68.    Crypto::decrypt and Crypto::createNewRandomKey directly.

  69. 

  70.    See

  71.    * https://github.com/defuse/php-encryption for documentation,

  72.    * For examples, see https://github.com/defuse/encutil or https://github.com/tsusanka/fileencrypt

  73. 

  74. ## Further reading

  75. 

  76. * Encryption in PHP https://defuse.ca/secure-php-encryption.htm

  77. * Defuse php-encryption readme: https://github.com/defuse/php-encryption/blob/master/README.md

  78. * Authenticated encryption: https://en.wikipedia.org/wiki/Authenticated_encryption

  79. * CBC Block mode: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_Block_Chaining_.28CBC.29

  80. * HMAC: https://en.wikipedia.org/wiki/Hash-based_message_authentication_code

  81. * SHA-256: https://en.wikipedia.org/wiki/SHA-2

  82. 

  83. ## Key management

  84. 

  85. Key storage on the webserver is a potential weak point in any encryption system. Consider

  86. using Encrypt with a key management solution, such as Lockr (https://www.drupal.org/project/lockr)

  87. or Townsend Security Key Connection (https://www.drupal.org/project/townsec_key)

  88. 

  89. ## Credits

  90. 

  91. The original version of this module was created by LimoenGroen - https://limoengroen.nl - after carefully

  92. considering the various encryption modules and libraries.

  93. 

  94. The library doing the actual work, Defuse PHP-encryption, is authored by Taylor Hornby and Scott Arciszewski. Its

  95. home is https://github.com/defuse/php-encryption .