<?php
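class Encryption
{
    /** Cipher used in both directions; the stored payload layout below assumes it. */
    private const CIPHER = 'aes-256-gcm';

    /** Byte lengths of the fields that make up a decoded payload, in this order. */
    private const SALT_LENGTH = 16;
    private const IV_LENGTH = 16;
    private const TAG_LENGTH = 16;

    /** Smallest valid decoded payload: salt + IV + tag (the ciphertext itself may be empty). */
    private const HEADER_LENGTH = self::SALT_LENGTH + self::IV_LENGTH + self::TAG_LENGTH;

    /** @var string Long-term secret read from ENCRYPTION_KEY; never used directly as the AES key. */
    private $encryptionKey;

    /** @var string Secret read from PEPPER; used as the HMAC key in deriveKey(). */
    private $pepper;

    /**
     * Loads the key material from the environment.
     *
     * @throws RuntimeException when ENCRYPTION_KEY or PEPPER is unset or empty.
     */
    public function __construct()
    {
        // Keys and Pepper values are taken from .env file
        $encryptionKey = getenv('ENCRYPTION_KEY');
        $pepper = getenv('PEPPER');
        // getenv() returns false for an unset variable; an empty string is equally unusable.
        if ($encryptionKey === false || $encryptionKey === '' || $pepper === false || $pepper === '') {
            throw new RuntimeException("Encryption key or pepper is not set in environment variables.");
        }
        $this->encryptionKey = $encryptionKey;
        $this->pepper = $pepper;
    }

    /**
     * Encrypts $data with AES-256-GCM under a per-message derived key.
     *
     * Output is base64(salt . iv . tag . ciphertext). Salt and IV are fresh
     * random bytes on every call, so encrypting the same plaintext twice
     * produces different output.
     *
     * @throws RuntimeException if OpenSSL rejects the encryption.
     */
    public function encrypt(string $data): string
    {
        $salt = random_bytes(self::SALT_LENGTH);
        // NOTE(review): a 12-byte (96-bit) nonce is the conventional choice for GCM;
        // 16 bytes is kept because the stored format and decrypt() depend on it.
        $iv = random_bytes(self::IV_LENGTH);
        $key = $this->deriveKey($salt);

        $ciphertext = openssl_encrypt($data, self::CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', self::TAG_LENGTH);
        if ($ciphertext === false) {
            throw new RuntimeException("Encryption failed.");
        }

        return base64_encode($salt . $iv . $tag . $ciphertext);
    }

    /**
     * Decrypts a payload produced by encrypt().
     *
     * @throws InvalidArgumentException if the input is not valid base64 or is
     *         too short to contain salt, IV and tag.
     * @throws RuntimeException if authentication fails (wrong key material or
     *         a modified salt, IV, tag or ciphertext).
     */
    public function decrypt(string $encryptedData): string
    {
        // Strict decoding rejects characters outside the base64 alphabet instead of skipping them.
        $decoded = base64_decode($encryptedData, true);
        if ($decoded === false) {
            throw new InvalidArgumentException("Invalid encoded data.");
        }
        // Without this check a truncated payload reaches openssl_decrypt() with an
        // empty IV/tag, which surfaces as a PHP warning rather than a clean error.
        if (strlen($decoded) < self::HEADER_LENGTH) {
            throw new InvalidArgumentException("Encoded data is too short.");
        }

        $salt = substr($decoded, 0, self::SALT_LENGTH);
        $iv = substr($decoded, self::SALT_LENGTH, self::IV_LENGTH);
        $tag = substr($decoded, self::SALT_LENGTH + self::IV_LENGTH, self::TAG_LENGTH);
        $ciphertext = substr($decoded, self::HEADER_LENGTH);
        $key = $this->deriveKey($salt);

        // GCM checks the tag before releasing plaintext; a false return therefore
        // covers both a wrong key and any modification of the stored fields.
        $data = openssl_decrypt($ciphertext, self::CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
        if ($data === false) {
            throw new RuntimeException("Decryption failed.");
        }

        return $data;
    }

    /**
     * Derives the per-message AES-256 key: HMAC-SHA256 keyed with the pepper
     * over encryptionKey . salt, returned as 32 raw bytes.
     *
     * Must stay byte-identical for encrypt() and decrypt(); changing it makes
     * previously stored payloads undecryptable.
     */
    private function deriveKey(string $salt): string
    {
        return hash_hmac('sha256', $this->encryptionKey . $salt, $this->pepper, true);
    }
}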
?>