It would be nice to know a bit more about how encryption is used in this project, so that would-be users can evaluate it easily before adoption and testing.
Things like what data is encrypted, when and how, and what is not.
Having a threat model document would be wonderful, describing common attack scenarios and whether this app is good at preventing them, such as:
- network sniffing (esp. in cybercafe scenarios where a MITM could be done even if you are using HTTPS, via a malevolent DNS server and stolen root certs)
- reading data in-memory of the PHP app (or its logs and source code)
- are the passwords safe from DBAs or anyone stealing the DB