
I have some old data that was encrypted using PHP's mcrypt functions. The site is now on PHP 7.1, which means we're hitting deprecation errors. I would like to migrate to use the openssl functions (which seems to be the current recommended approach), but I don't know how to reliably decrypt the legacy encrypted data.

Is there a reasonably easy way to accomplish this?

AdamTheHutt
  • I believe you can install mcrypt for php 7. Maybe that could be a starting point? – georaldc Jan 30 '17 at 21:07
  • 1
    Your question is too broad. Show specific examples of mcrypt usage that you want to replace with openssl calls, how did you attempt to do it, and where did you get stuck. – yivi Jan 30 '17 at 21:31
  • 3
    @georaldc With due respect, intentionally installing a deprecated security library that was abandoned a decade ago is probably a poor idea. – Luke Joshua Park Jan 30 '17 at 23:27
  • @georaldc It is best not to use mcrypt, it has been abandonware for nearly a decade now. It does not support standard PKCS#7 (née PKCS#5) padding, only non-standard null padding that can't even be used with binary data. mcrypt has many outstanding bugs dating back to 2003. Instead consider using [defuse](https://github.com/defuse/php-encryption) or [RNCryptor](https://github.com/RNCryptor), they provide a complete solution, are being maintained and are correct. – zaph Jan 30 '17 at 23:31
  • @LukePark I know, but it looked like he needed a quick way to decrypt his data on a platform that doesn't support mcrypt by default any more. That's why I suggested installing it as a starting point to get the data out first. Now I normally don't deal with cryptography so maybe there are other, better ways to go about this. If so, then I apologize – georaldc Jan 30 '17 at 23:34
  • @georaldc If the OP just needs to get some data decrypted then sure, but I think he's looking for a production solution. No worries anyway. – Luke Joshua Park Jan 30 '17 at 23:36
  • @Adam - you should start by providing some of the old code, and the trouble you are having with the new code. – jww Jan 31 '17 at 09:17
  • Thanks, all. I figured out a way to do it, basically by brute force. Wrote a migration script that uses the mcrypt library to decrypt (first turning off deprecation warnings) and then re-encrypts using openssl. As far as I can tell, openssl is unable to encrypt the mcrypt-encrypted strings. – AdamTheHutt Feb 01 '17 at 19:53
  • 2
    I like the SO :) The question is obvious - how to migrate from deprecated mcrypt functions to openssl functions WITHOUT any data loss? But it catches minuses and dislikes instead of answers. If I have an existing project with a lot of mcrypt'ed data - what openssl functions should I use to decrypt? For example, the old code is: `mcrypt_decrypt(MCRYPT_RIJNDAEL_256, 'salt', 'an encoded string', MCRYPT_MODE_ECB)`. What is the OpenSSL equivalent? – Alexander Pravdin Feb 16 '17 at 04:23
  • Also see [Upgrading my encryption library from Mcrypt to OpenSSL](http://stackoverflow.com/q/43329513/608639) and [Preparing for removal of Mcrypt in PHP 7.2](http://stackoverflow.com/q/42696657/608639) – jww Apr 21 '17 at 17:47
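
As an added example (not posted by anyone in this thread): one way to read mcrypt-written data with OpenSSL and re-encrypt it, handling the null padding mentioned in the comments. It assumes the legacy data used `MCRYPT_RIJNDAEL_128` in CBC mode with raw output and a stored IV; the function names and the sample record are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumption: legacy records were written with
// MCRYPT_RIJNDAEL_128 + MCRYPT_MODE_CBC, raw output, IV stored next to each ciphertext.

// mcrypt picked AES-128/192/256 from the key length; OpenSSL needs it in the cipher name.
function aes_cbc_name(string $key): string {
    $bits = [16 => 128, 24 => 192, 32 => 256];
    if (!isset($bits[strlen($key)])) {
        throw new InvalidArgumentException('key must be 16, 24 or 32 bytes');
    }
    return 'aes-' . $bits[strlen($key)] . '-cbc';
}

// mcrypt padded plaintext with NUL bytes, so OpenSSL's PKCS#7 handling is switched off.
function legacy_decrypt(string $ct, string $key, string $iv): string {
    $pt = openssl_decrypt($ct, aes_cbc_name($key), $key,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
    if ($pt === false) {
        throw new RuntimeException('legacy decrypt failed');
    }
    return rtrim($pt, "\0"); // caveat: also strips NULs that belonged to binary plaintext
}

// Re-encrypt with AES-256-GCM (PHP >= 7.1); stored layout is nonce | tag | ciphertext.
function reencrypt(string $pt, string $newKey): string {
    $nonce = random_bytes(12);
    $ct = openssl_encrypt($pt, 'aes-256-gcm', $newKey, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('re-encrypt failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

function decrypt_new(string $blob, string $newKey): string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed record');
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $newKey,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) {
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Constructed sample: one legacy-format record, built here with OpenSSL and manual NUL padding.
list($oldKey, $iv, $newKey) = [random_bytes(32), random_bytes(16), random_bytes(32)];
$plain  = 'legacy record #42';
$padded = str_pad($plain, 16 * (int) ceil(strlen($plain) / 16), "\0");
$legacy = openssl_encrypt($padded, aes_cbc_name($oldKey), $oldKey,
    OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
var_dump(decrypt_new(reencrypt(legacy_decrypt($legacy, $oldKey, $iv), $newKey), $newKey) === $plain);
```

`MCRYPT_RIJNDAEL_256`, as in the call quoted in the comments, uses a 256-bit block, which is not AES and has no OpenSSL cipher, so this path does not cover data written with it.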

0 Answers