Hashing String or Password

Use Hasher or it's instance to hash string:

use Windwalker\Core\Security\Hasher;

$hash = Hasher::create($password);

// Verify it
$bool = Hasher::verify($password, $hash);

// Get instance from container:
$hasher = $container->get('hasher');

$hasher->verify(..., ...);


In etc/config.yml, you can change some settings:

    # The Crypt cipher method.
    # Support ciphers: blowfish (bf) / aes-256 (aes) / 3des / php_aes / sodium
    cipher: blowfish

    # The hashing algorithm
    # Support algorithms: blowfish (bf) / md5 / sha256 / sha512 / argon2 / scrypt
    hash_algo: blowfish

    # The hashing cost depends on different algorithms. Keep default if you don't know how to use it.
    hash_cost: ~

The hash_algo is the hash algorithm you want to use, default is blowfish.

The argon2 and scrypt algorithm is powered by libsodium, you must install ext-libsodium or use php 7.2 later to support them.

More usage please see Windwalker Crypt

Encrypt and Decrypt Sensitive Data

Use Crypto and it's instance to encrypt and decrypt string.

use Windwalker\Core\Security\Crypto;

$encrypted = Crypto::encrypt('hello');

echo Crypto::decrypt($encrypted); // hello

Crypto::verify('hello', $encrypted); //true

Get instance from container:

$crypt = $container->get('crypt');


Cipher Configuration:

See Configuration above, you can set cipher you want to encrypt data.

The default cipher is blowfish but you can use other openssl cipher like aes or 3des, if your environment has no openssl extension support, you can use php_aes instead them.

The libsodium also supports here, you can install paragonie/sodium_compat package to encrypt by sodium cipher without php libsodium extension, but we still recommend you to install ext-libsodium or use php 7.2 later to support memory wipe and with higher performance.

If you get sodium_memzero() only supports after php 7.2 or ext-libsodium installed. message, You can disable memory wipe by ignoreMemzero() (But we don't recommend to do this):

// Add this code in a listener or anywhere before your application 
$cipher = Crypto::getCipher();

if ($cipher instanceof \Windwalker\Crypt\Cipher\SodiumCipher)

// Now you can encrypt text by sodium

See Windwalke Crypt

If you found a typo or error, please help us improve this document.