PHP code example of oliver-hader / secrets-kms

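<?php

declare(strict_types=1);

// Resolve the Composer autoloader relative to this file. A bare
// 'vendor/autoload.php' is searched via include_path and the current working
// directory, so the stub silently breaks when started from another directory
// (cron job, CLI from the parent folder, differently configured web root).
require_once __DIR__ . '/vendor/autoload.php';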


    

oliver-hader / secrets-kms example snippets


use OliverHader\SecretsKms\Key\KeyPair;
use OliverHader\SecretsKms\Manager;
use OliverHader\SecretsKms\Model\KeyEntry;
use OliverHader\SecretsKms\Storage;

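// Each system derives its key pair from its own secret.
// The seed literals below are README placeholders: fromSeed() is deterministic
// (see the KeyPair snippet further down), so whoever knows the seed can rebuild
// the private key. Read the seed from configuration rather than committing it,
// and protect it like the TYPO3 encryptionKey it is derived from.
$prodKeyPair = KeyPair::fromSeed('your-typo3-production-encryptionKey');
$devKeyPair  = KeyPair::fromSeed('your-typo3-dev-encryptionKey');

// One shared secrets file; every system below reads and writes this same store.
$storage = new Storage('/path/to/secrets.json');
$prodService = new Manager($prodKeyPair, $storage);

// Register the dev system — extends all existing domains and is remembered for future ones
$prodService->addPublicKeys(
    new KeyEntry($devKeyPair->getPublicKey(), comment: 'Dev instance'),
);

// Both prod and dev get access automatically because dev is in the `keys` list
$prodService->createDomain('typo3/user-settings');
$prodService->createDomain('typo3/registry-data');

// The dev system opens the same store with its own key pair; the prod secret
// never has to be shared with it.
$devService = new Manager($devKeyPair, $storage);

// Both systems can independently retrieve the same underlying data key
// by unsealing their own entry in secrets.json.
// Use the data key in your application to encrypt/decrypt user data.

$stagingKeyPair = KeyPair::fromSeed('staging-encryptionKey');

// Register a new system — extends all existing domains and all future ones
$prodService->addPublicKeys(
    new KeyEntry($stagingKeyPair->getPublicKey(), comment: 'Staging instance'),
);

// Deregister a system — removes it from all existing domains and the keys list.
// Removal changes what can be unsealed from secrets.json from now on; a data key
// the dev system already unsealed is still known to it, so rotate the affected
// domains afterwards if that matters (whether removal rotates the data key
// automatically is not shown here — confirm against the library).
$prodService->removePublicKeys(
    $devKeyPair->getPublicKey(),
);

// Grant access to one domain only
$prodService->extendDomain('typo3/user-settings', $stagingKeyPair->getPublicKey());

// Revoke access from one domain only
$prodService->reduceDomain('typo3/user-settings', $stagingKeyPair->getPublicKey());

$prodService->listDomains();
// ['typo3/user-settings', 'typo3/registry-data']

$prodService->listPublicKeys();
// The dev entry was removed above, so at this point the list holds the staging entry:
// [KeyEntry($stagingPublicKey, comment: 'Staging instance', imported: ...)]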

use OliverHader\SecretsKms\Cipher;

// $manager is a Manager built for this system's key pair and storage (see the
// Manager snippet above).
$cipher = new Cipher($manager);

// Sealing and unsealing are bound to a domain's data key, so the same domain
// name has to be used on both sides.
$domain = 'typo3/user-settings';

// Encrypt — returns a URL-safe base64 string (nonce + ciphertext, no padding)
$sealed = $cipher->sealWithDomainDataKey($domain, 'my secret value');

// Decrypt — returns the original plaintext
$plaintext = $cipher->unsealWithDomainDataKey($domain, $sealed);

use OliverHader\SecretsKms\Signer;

// $manager is a Manager built for this system's key pair and storage (see the
// Manager snippet above).
$signer = new Signer($manager);

$domain = 'typo3/user-settings';

// Sign — returns a URL-safe base64 string (32-byte MAC, no padding)
$mac = $signer->sign($domain, $message);

// Verify — returns true if the MAC is valid for this domain and message.
// Branch on this result before acting on $message. Every system registered
// for the domain shares the same underlying key (see the Manager snippet), so a
// valid MAC shows the message came from one of them, not from which one.
$valid = $signer->verify($domain, $message, $mac);

// Constructor signatures in type notation — these three lines document the
// parameters and are not runnable as written.
// Manager takes either a ready KeyPair or a string; presumably the string form
// is a seed handled like KeyPair::fromSeed() — confirm against the library.
$manager = new Manager(string|KeyPair $key, StorageInterface $storage);

// Cipher and Signer both wrap a Manager and derive per-domain keys from it.
$cipher = new Cipher(Manager $manager);

$signer = new Signer(Manager $manager);

// Random — useful for generating a fresh dedicated key pair
// Random — useful for generating a fresh dedicated key pair. Nothing can
// reproduce this pair later, so its secret key must be stored safely.
$randomKeyPair = KeyPair::generate();

// Deterministic from a password or existing secret (e.g. TYPO3 encryptionKey).
// The key is only as strong as the seed: same seed, same key pair, every time.
$seededKeyPair = KeyPair::fromSeed('any string of any length');

// From raw 32-byte secret key bytes (import an existing key)
$importedKeyPair = KeyPair::fromSecretKey($rawSecretKeyBytes);

use OliverHader\SecretsKms\StorageInterface;
use OliverHader\SecretsKms\Model\SecretsData;

/**
 * Custom backend replacing the file-based Storage (which keeps secrets.json).
 *
 * The Manager reads and writes the whole key/domain state through these two
 * methods, so an implementation holds the same data secrets.json would.
 */
class DatabaseStorage implements StorageInterface
{
    /**
     * Load the complete stored state.
     *
     * NOTE(review): the stub body returns nothing, which violates the declared
     * return type at runtime — a real implementation must return a SecretsData.
     */
    public function load(): SecretsData { /* ... */ }

    /**
     * Persist the complete state handed over by the Manager.
     *
     * Presumably every call replaces the previous state wholesale (mirroring a
     * file rewrite), so the write should not leave a half-updated row behind —
     * confirm against the library's Storage class.
     */
    public function save(SecretsData $data): void { /* ... */ }
}