jsq/doctrine-cache-encrypter

An encrypting decorator for instances of Doctrine\Common\Cache\Cache

Doctrine Cache Encrypter

, _(*1)

Having to encrypt your data at rest shouldn't keep you from using the open-source tools you know and love. If you have data that needs a higher degree of security than the rest of your cache, you can store and access it via an EncryptingDecorator., _(*2)

Caveats

Encryption and decryption are both expensive operations, and frequent reads from an encrypted data store can quickly become a bottleneck in otherwise performant applications. Use encrypted caches sparingly (i.e., do not use an encrypting decorator around your Doctrine Annotations cache)., _(*3)

Usage

This package provides two cache decorators, one that encrypts data using a pass phrase and one that does so with public and private keys. The implementation using a pass phrase is the more performant of the two but requires that you securely deploy a plaintext password., _(*4)

First, create your Doctrine-based cache as you normally would:, _(*5)

$cache = new \Doctrine\Common\Cache\RedisCache($redisClient);

Second, wrap your cache with an encrypting decorator:, _(*6)

$encryptedCache = new \Jsq\Cache\PasswordEncryption\Decorator(
    $cache,
    $password,
    $cipher // optional, defaults to 'aes-256-cbc'
);

Then use your $cache and $encryptedCache like you normally would:, _(*7)

$cache->save('normal_cache_data', 'Totally normal!');

$encryptedCache->save('api_keys', $keys);

Though your regular cache and encrypted cache share a storage layer and a keyspace, they will not be able to read each other's data. The $encryptedCache will return false if asked to read unencrypted data, and the regular $cache will return gibberish if asked to read encrypted data., _(*8)

Encrypting your cache without sharing secrets

If you'd rather not rely on a shared password, the EnvelopeEncryption\Decorator can secure your sensitive cache entries using a public/private key pair., _(*9)

$encryptedCache = new \Jsq\Cache\EnvelopeEncryption\Decorator(
    $cache,
    'file:///path/to/certificate.pem',
    'file:///path/to/private/key.pem',
    $passphrase_for_private_key_file, // optional, defaults to null
    $cipher // optional, defaults to 'aes-256-cbc'
);

The certificate can be a valid x509 certificate, a path to a PEM-encoded certificate file (the path must be prefaced with file://), or a PEM-encoded certificate string. The private key can be a path to a PEM-encoded private key file (the path must be prefaced with file://), or a PEM-encoded certificate string., _(*10)