How to Use the Sodium PHP Extension in ServBay
ServBay is a powerful integrated local web development environment that comes with the Sodium PHP extension pre-installed and enabled by default. Sodium is a modern, easy-to-use cryptography library that is widely used for data encryption and secure communications. Thanks to ServBay, developers can seamlessly leverage the Sodium extension for encryption and decryption in PHP applications, without having to compile or configure anything extra—ensuring your application's data security.
Introduction to the Sodium Extension
Sodium (libsodium) is a modern cryptographic library designed to offer simple, user-friendly, and highly secure encryption capabilities. It supports a range of cryptographic algorithms and operations, including symmetric encryption, asymmetric encryption, digital signatures, hashing, key exchange, and more. Since PHP 7.2, the Sodium library has been included as a core extension, making it the modern and more secure replacement for the now deprecated mcrypt library.
Key Features
- Ease of Use: Provides a straightforward API for simple data encryption and decryption.
- High Security: Implements modern cryptographic algorithms and best practices to guarantee data safety.
- Versatility: Supports symmetric encryption, asymmetric encryption, digital signatures, hashing, key exchange, and more.
- Cross-Platform: Can be used across various operating systems and programming languages.
- High Performance: Fast encryption and decryption suitable for performance-critical scenarios.
Sodium as an mcrypt Alternative
The mcrypt library was once a widely used encryption library in PHP, but due to discontinued maintenance and security vulnerabilities, it was deprecated in PHP 7.1 and removed in PHP 7.2. Sodium was introduced as its modern and secure alternative. The Sodium library offers stronger security, greater usability, and better performance. It's strongly recommended to use Sodium for data encryption and decryption in all new projects instead of mcrypt.
Availability and Enabling of Sodium in ServBay
ServBay precompiles and enables the Sodium extension by default for PHP 7.2 and above. This means, as a ServBay user, you don't need to manually install or configure Sodium. Just launch ServBay, select the appropriate PHP version, and you're ready to use Sodium functions directly in your code.
To check if Sodium is enabled, you can use ServBay’s phpinfo() feature. In the ServBay interface, select your PHP version, look for the phpinfo() option, and search for 'sodium' on the output page—you should see information about the Sodium module listed.
Using the Sodium Extension in PHP Code
Once you have confirmed the Sodium extension is enabled, you can start using its functions in your PHP projects. Save your PHP code files in the relevant site subdirectory under ServBay’s web root directory (the default is /Applications/ServBay/www), then run them through your browser. Here are some example use cases:
Sample Code (Symmetric Encryption)
Symmetric encryption uses the same key for both encryption and decryption.
<?php
// The message to be encrypted
$message = "This is a secret message from servbay.demo";
// Generate a random key (Key size must be SODIUM_CRYPTO_SECRETBOX_KEYBYTES)
$key = sodium_crypto_secretbox_keygen();
// Generate a random Nonce (Number used once), the same Nonce must be used for both encryption and decryption
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
// Encrypt using the key and Nonce
$ciphertext = sodium_crypto_secretbox($message, $nonce, $key);
echo "Original message: " . $message . "\n";
echo "Nonce (Base64): " . base64_encode($nonce) . "\n"; // The Nonce usually needs to be stored or transmitted with the ciphertext
echo "Ciphertext (Base64): " . base64_encode($ciphertext) . "\n\n";
// --- Decryption process ---
// Suppose we have obtained the ciphertext, Nonce, and key
$retrieved_ciphertext = $ciphertext; // Ciphertext from storage or transmission
$retrieved_nonce = $nonce; // Nonce from storage or transmission
$retrieved_key = $key; // Key from storage or transmission
// Decrypt using the key and Nonce
$decrypted = sodium_crypto_secretbox_open($retrieved_ciphertext, $retrieved_nonce, $retrieved_key);
// Check if decryption was successful
if ($decrypted === false) {
echo "Decryption failed!\n";
} else {
echo "Decrypted message: " . $decrypted . "\n";
}
// Clean sensitive data from memory
sodium_memzero($key);
sodium_memzero($retrieved_key);
if ($decrypted !== false) {
sodium_memzero($decrypted);
}
?>2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Sample Code (Asymmetric Encryption)
Asymmetric encryption uses a pair of public and private keys. The public key is used for encryption, while the private key is used for decryption.
<?php
// The message to be encrypted
$message = "This is another secret message for servbay-demo user";
// Generate a keypair (Public key for encryption, private key for decryption)
$keypair = sodium_crypto_box_keypair();
$publicKey = sodium_crypto_box_publickey($keypair); // Share with others
$secretKey = sodium_crypto_box_secretkey($keypair); // Keep private, never expose
echo "Public key (Base64): " . base64_encode($publicKey) . "\n";
echo "Private key (Base64): [Private key is sensitive and should not be displayed or revealed]\n\n";
// --- Encryption (using the recipient's public key) ---
// Suppose the sender has the recipient's $publicKey
// Generate a random Nonce; the same Nonce must be used for both encryption and decryption
$nonce = random_bytes(SODIUM_CRYPTO_BOX_NONCEBYTES);
// Use the recipient's public key and sender's private key (usually, it's the recipient's public key + sender's private key; this sample simplifies key negotiation)
// Note: In practice, this should be sender's private key + recipient's public key
// Sodium's crypto_box is based on Curve25519 Diffie-Hellman key exchange, requiring both sides' key pairs
// For simplicity, we use a single user's key pair for both encryption and decryption here
$ciphertext = sodium_crypto_box($message, $nonce, $keypair); // In this simplified example, the keypair contains both keys
echo "Original message: " . $message . "\n";
echo "Nonce (Base64): " . base64_encode($nonce) . "\n"; // The Nonce should be stored or transmitted with the ciphertext
echo "Ciphertext (Base64): " . base64_encode($ciphertext) . "\n\n";
// --- Decryption (using the recipient's private key) ---
// Suppose the recipient has the ciphertext, Nonce, their private key ($secretKey), and the sender's public key ($publicKey)
// In this simple example, all are in $keypair
$retrieved_ciphertext = $ciphertext;
$retrieved_nonce = $nonce;
$retrieved_keypair = $keypair; // Decrypt with the keypair containing the private key
// Decrypt using the keypair
$decrypted = sodium_crypto_box_open($retrieved_ciphertext, $retrieved_nonce, $retrieved_keypair);
// Check if decryption was successful
if ($decrypted === false) {
echo "Decryption failed!\n";
} else {
echo "Decrypted message: " . $decrypted . "\n";
}
// Clean sensitive data
sodium_memzero($secretKey); // Wipe private key
sodium_memzero($keypair); // Wipe keypair
if ($decrypted !== false) {
sodium_memzero($decrypted);
}
?>2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Sample Code (Digital Signature)
Digital signatures are used to verify the integrity of a message and the identity of the sender. The private key is used to sign; the public key is used to verify.
<?php
// The message to be signed
$message = "This message needs to be signed by servbay.demo";
// Generate a signing keypair (Private key signs, public key verifies)
$keypair = sodium_crypto_sign_keypair();
$publicKey = sodium_crypto_sign_publickey($keypair); // Give to verifier
$secretKey = sodium_crypto_sign_secretkey($keypair); // Keep private, never reveal
echo "Public key (Base64): " . base64_encode($publicKey) . "\n";
echo "Private key (Base64): [Private key is sensitive and should not be displayed or revealed]\n\n";
// --- Signing Process (using sender’s private key) ---
$signature = sodium_crypto_sign_detached($message, $secretKey);
echo "Original message: " . $message . "\n";
echo "Signature (Base64): " . base64_encode($signature) . "\n\n";
// --- Verification Process (using sender’s public key) ---
// Suppose the verifier has the message, signature, and sender’s public key ($publicKey)
$retrieved_message = $message;
$retrieved_signature = $signature;
$retrieved_publicKey = $publicKey;
// Verify signature with the public key
if (sodium_crypto_sign_verify_detached($retrieved_signature, $retrieved_message, $retrieved_publicKey)) {
echo "Signature is valid! The message has not been tampered with and comes from the key holder.\n";
} else {
echo "Invalid signature! The message may have been altered, or the signature was not generated by the correct private key.\n";
}
// Clean sensitive data
sodium_memzero($secretKey); // Wipe private key
sodium_memzero($keypair); // Wipe keypair
?>2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Conclusion
With ServBay, developers can conveniently leverage the pre-installed and enabled Sodium PHP extension out-of-the-box. This removes the complexity of installing or configuring Sodium in your local environment, letting you focus on harnessing Sodium’s robust encryption features to boost your application’s security. As the modern replacement for mcrypt, Sodium is an essential tool for building secure, reliable web applications. ServBay streamlines this process, empowering developers to create efficient and secure local development environments.