Update: 2026-05-03 21:32:45

app/core/Encryption.php

@@ -0,0 +1,63 @@
+<?php
+/**
+ * Advanced Encryption (AES-256-GCM) - System Level
+ */
+
+declare(strict_types=1);
+
+namespace App\Core;
+
+final class Encryption
+{
+    private const CIPHER = 'aes-256-gcm';
+
+    /**
+     * Encrypts data using the system's ENCRYPTION_KEY from .env
+     */
+    public static function encrypt(string $data): string
+    {
+        $key = env('ENCRYPTION_KEY');
+        if (!$key) {
+            throw new \RuntimeException('ENCRYPTION_KEY is missing from .env');
+        }
+
+        $encryptionKey = hash('sha256', $key, true);
+        $iv = random_bytes(openssl_cipher_iv_length(self::CIPHER));
+        
+        $tag = '';
+        $ciphertext = openssl_encrypt($data, self::CIPHER, $encryptionKey, OPENSSL_RAW_DATA, $iv, $tag);
+
+        if ($ciphertext === false) {
+            throw new \RuntimeException('Encryption failed');
+        }
+
+        return base64_encode($iv . $tag . $ciphertext);
+    }
+
+    /**
+     * Decrypts AES-256-GCM encrypted data using the system's ENCRYPTION_KEY
+     */
+    public static function decrypt(string $encryptedData): string|false
+    {
+        $key = env('ENCRYPTION_KEY');
+        if (!$key) {
+            throw new \RuntimeException('ENCRYPTION_KEY is missing from .env');
+        }
+
+        $encryptionKey = hash('sha256', $key, true);
+        $decoded = base64_decode($encryptedData);
+        
+        if ($decoded === false) return false;
+
+        $ivLength = openssl_cipher_iv_length(self::CIPHER);
+        $tagLength = 16;
+
+        if (strlen($decoded) < $ivLength + $tagLength) return false;
+
+        $iv = substr($decoded, 0, $ivLength);
+        $tag = substr($decoded, $ivLength, $tagLength);
+        $ciphertext = substr($decoded, $ivLength + $tagLength);
+
+        return openssl_decrypt($ciphertext, self::CIPHER, $encryptionKey, OPENSSL_RAW_DATA, $iv, $tag);
+    }
+}