Encryption Service

Note: The encryption helper is not recommended and has been removed in version 9.2+. See https://github.com/concretecms/concretecms/issues/11219 for further details.

Need to encrypt potentially sensitive data, while still being able to retrieve it for later? Use the encryption service!

First, retrieve the service:

$encryptor = \Core::make("helper/encryption");

Now, you can use

$encrypted = $encryptor->encrypt('This text will be encrypted.');

And

print $encryptor->decrypt($encrypted); // "This text will be encrypted."

Important Note: These functions rely on the mcrypt library; if the library is not installed, the output will not be encrypted. It will just be passed back as unencrypted text.
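A guard against the silent fallback described in the note above, as an added example that is not part of Concrete CMS. The function name encryptOrFail and the PassthroughEncryptor stand-in are hypothetical; the guard only assumes an object with the encrypt() and decrypt() methods shown on this page.

```php
<?php
// Added example, not Concrete CMS code. Works with any object exposing
// encrypt()/decrypt() like the helper/encryption service on this page.

/**
 * Encrypt $plaintext, refusing to return a value that is not actually encrypted.
 * encryptOrFail is a hypothetical helper name.
 */
function encryptOrFail($encryptor, string $plaintext): string
{
    if ($plaintext === '') {
        throw new InvalidArgumentException('Nothing to encrypt.');
    }

    $out = $encryptor->encrypt($plaintext);

    // The fallback hands the input back unchanged; treat that as a hard failure
    // so sensitive data is never written to storage in the clear.
    if (!is_string($out) || $out === '' || $out === $plaintext) {
        throw new RuntimeException('Encryption unavailable: output is not encrypted.');
    }

    // Round-trip check: confirm the stored value can be recovered exactly.
    if ($encryptor->decrypt($out) !== $plaintext) {
        throw new RuntimeException('Encryption round-trip failed.');
    }

    return $out;
}

// Constructed stand-in that mimics the documented fallback (mcrypt missing).
final class PassthroughEncryptor
{
    public function encrypt($text) { return $text; }
    public function decrypt($text) { return $text; }
}

// Constructed sample value; with the passthrough stand-in the guard refuses it.
try {
    encryptOrFail(new PassthroughEncryptor(), 'sample-secret-value');
} catch (RuntimeException $e) {
    echo 'Refused to store: ', $e->getMessage(), PHP_EOL;
}
```

In an affected Concrete CMS version, the object returned by \Core::make("helper/encryption") would be passed in place of the stand-in.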

Encrypting User Passwords

Note: the encryption service is NOT to be used for user passwords! It's not secure enough. In general, you should never store user passwords using anything that can be reversed. Instead, hash the password using a one-way hashing algorithm, and any time the user enters their password, compare the value of the hashed provided password with the one you're storing. This is all taken care of by Concrete CMS when dealing with the standard User model, but if you need to hash user passwords yourself for business purposes, here's the secure, standardized method by which Concrete accomplishes this.

First, retrieve the global password hasher from the service container:

$hasher = $app->make('Concrete\Core\Encryption\PasswordHasher');

This will return an instance of the Concrete\Core\Encryption\PasswordHasher object, with the proper configuration values set for portability and proper hashing of data. Then, it's a simple matter of either calling

return $hasher->hashPassword($password);

to generate a hashed password for storage, or

$hasher->checkPassword($inputPassword, $storedPassword)

to check an inputted password against the password stored in the database.