narfbg / SimpleEncryption

Simple Encryption for PHP

Consider Supporting Key Rotation #8

Open ircmaxell opened 10 years ago

ircmaxell commented 10 years ago

Key rotation is a significant concern that no PHP library really deals with. Consider adding support for key rotation (possibly with a "key identifier").

This is something I was playing around with; here's a working (but not clean) example: https://gist.github.com/ircmaxell/a9d9d3dab12c112128e2

Basically, I abstract key into an interface, as well as creating a KeyRing.

That way, if there's a compromise, a new key can be added, which all new encryptions will use. Existing encrypted ciphertexts can be decrypted (and then re-encrypted using the latest key if necessary).

Note that line 115 uses pbkdf2 only because I didn't implement HKDF (it would use HKDF ideally).
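A minimal sketch of the key-identifier approach described in this issue, added here as an illustration; it is not the code from the linked gist and not part of SimpleEncryption. The `KeyRing` class, the 4-byte id header, the message layout and the HKDF info string are assumptions, and it targets PHP 8 with ext-openssl.

```php
<?php
declare(strict_types=1);

// Hypothetical KeyRing (PHP 8+, ext-openssl); not SimpleEncryption's API or the gist's code.
final class KeyRing
{
    private array $keys = [];   // key id => 32-byte master key

    public function add(int $id, string $key): void
    {
        if ($id < 1 || $id > 0xFFFFFFFF || isset($this->keys[$id]) || strlen($key) !== 32) {
            throw new InvalidArgumentException('Key id must be new and the key 32 bytes');
        }
        $this->keys[$id] = $key;
    }

    public function encrypt(string $plain): string
    {
        if ($this->keys === []) throw new LogicException('Key ring is empty');
        $id = max(array_keys($this->keys));   // assumption: highest id is the newest key
        $hdr = pack('N', $id);                // key identifier, authenticated as AAD
        $nonce = random_bytes(12);
        $ct = openssl_encrypt($plain, 'aes-256-gcm', $this->derive($id), OPENSSL_RAW_DATA, $nonce, $tag, $hdr);
        return $hdr . $nonce . $tag . $ct;    // id(4) | nonce(12) | tag(16) | ciphertext
    }

    public function decrypt(string $msg): string
    {
        if (strlen($msg) < 32) throw new RuntimeException('Message too short');
        $id = unpack('N', $msg)[1];           // the header selects which key to use
        if (!isset($this->keys[$id])) throw new RuntimeException('Unknown or retired key id');
        $plain = openssl_decrypt(substr($msg, 32), 'aes-256-gcm', $this->derive($id),
            OPENSSL_RAW_DATA, substr($msg, 4, 12), substr($msg, 16, 16), substr($msg, 0, 4));
        if ($plain === false) throw new RuntimeException('Authentication failed');
        return $plain;
    }

    private function derive(int $id): string  // HKDF turns the master key into the cipher key
    {
        return hash_hkdf('sha256', $this->keys[$id], 32, 'keyring-example/aes-256-gcm');
    }
}

// Constructed demo: key 1 is in use, then key 2 is added after a suspected compromise.
$ring = new KeyRing();
$ring->add(1, random_bytes(32));
$old = $ring->encrypt('secret');              // written under key 1
$ring->add(2, random_bytes(32));              // rotation: new encryptions now use key 2
$new = $ring->encrypt($ring->decrypt($old));  // old message read with key 1, rewritten under key 2
echo $ring->decrypt($new), PHP_EOL;
```

Because the key id is passed as associated data, a message whose header is altered to point at a different key fails authentication instead of being decrypted with the wrong key.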