diff options
-rw-r--r-- | system/libraries/Encryption.php | 15 | ||||
-rw-r--r-- | user_guide_src/source/libraries/encryption.rst | 15 |
2 files changed, 25 insertions, 5 deletions
diff --git a/system/libraries/Encryption.php b/system/libraries/Encryption.php index d6ffc9bfe..aa91cd3f9 100644 --- a/system/libraries/Encryption.php +++ b/system/libraries/Encryption.php @@ -310,6 +310,21 @@ class CI_Encryption { // -------------------------------------------------------------------- /** + * Create a random key + * + * @param int $length Output length + * @return string + */ + public function create_key($length) + { + return ($this->_driver === 'mcrypt') + ? mcrypt_create_iv($length, MCRYPT_DEV_URANDOM) + : openssl_random_pseudo_bytes($length); + } + + // -------------------------------------------------------------------- + + /** * Encrypt * * @param string $data Input data diff --git a/user_guide_src/source/libraries/encryption.rst b/user_guide_src/source/libraries/encryption.rst index 28aa57302..1353c4ed0 100644 --- a/user_guide_src/source/libraries/encryption.rst +++ b/user_guide_src/source/libraries/encryption.rst @@ -84,14 +84,19 @@ your server is not totally under your control it's impossible to ensure key security so you may want to think carefully before using it for anything that requires high security, like storing credit card numbers. -Your encryption key should be as long as the encyption algorithm in use -allows. For AES-128, that's 128 bits or 16 bytes (charcters) long. The -key should be as random as possible and it should **not** be a simple -text string. - +Your encryption key **must** be as long as the encyption algorithm in use +allows. For AES-128, that's 128 bits or 16 bytes (charcters) long. You will find a table below that shows the supported key lengths of different ciphers. +The key should be as random as possible and it **must not** be a regular +text string, nor the output of a hashing function, etc. In order to create +a proper key, you must use the Encryption library's ``create_key()`` method +:: + + // $key will be assigned a 16-byte (128-bit) random key + $key = $this->encryption->create_key(16); + The key can be either stored in your *application/config/config.php*, or you can design your own storage mechanism and pass the key dynamically when encrypting/decrypting. |