Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save stollr/88be863755c82ea579294890767cf248 to your computer and use it in GitHub Desktop.
Save stollr/88be863755c82ea579294890767cf248 to your computer and use it in GitHub Desktop.
Symmetric Encryption and Decryption of large Files with OpenSSL

PHP lacks a build-in function to encrypt and decrypt large files. openssl_encrypt can be used to encrypt strings, but loading a huge file into memory is a bad idea.

So we have to write a userland function doing that. This example uses the symmetric AES-128-CBC algorithm to encrypt smaller chunks of a large file and writes them into another file.

Encrypt Files

 * Define the number of blocks that should be read from the source file for each chunk.
 * For 'AES-128-CBC' each block consist of 16 bytes.
 * So if we read 10,000 blocks we load 160kb into memory. You may adjust this value
 * to read/write shorter or longer chunks.
 define('FILE_ENCRYPTION_BLOCKS', 10000);

 * Encrypt the passed file and saves the result in a new file with ".enc" as suffix.
 * @param string $source Path to file that should be encrypted
 * @param string $key    The key used for the encryption
 * @param string $dest   File name where the encryped file should be written to.
 * @return string|false  Returns the file name that has been created or FALSE if an error occured
function encryptFile($source, $key, $dest)
    $key = substr(sha1($key, true), 0, 16);
    $iv = openssl_random_pseudo_bytes(16);

    $error = false;
    if ($fpOut = fopen($dest, 'w')) {
        // Put the initialzation vector to the beginning of the file
        fwrite($fpOut, $iv);
        if ($fpIn = fopen($source, 'rb')) {
            while (!feof($fpIn)) {
                $plaintext = fread($fpIn, 16 * FILE_ENCRYPTION_BLOCKS);
                $ciphertext = openssl_encrypt($plaintext, 'AES-128-CBC', $key, OPENSSL_RAW_DATA, $iv);
                // Use the first 16 bytes of the ciphertext as the next initialization vector
                $iv = substr($ciphertext, 0, 16);
                fwrite($fpOut, $ciphertext);
        } else {
            $error = true;
    } else {
        $error = true;

    return $error ? false : $dest;

Decrypt Files

To decrypt files that have been encrypted with the above function you can use this function.

 * Dencrypt the passed file and saves the result in a new file, removing the
 * last 4 characters from file name.
 * @param string $source Path to file that should be decrypted
 * @param string $key    The key used for the decryption (must be the same as for encryption)
 * @param string $dest   File name where the decryped file should be written to.
 * @return string|false  Returns the file name that has been created or FALSE if an error occured
function decryptFile($source, $key, $dest)
    $key = substr(sha1($key, true), 0, 16);

    $error = false;
    if ($fpOut = fopen($dest, 'w')) {
        if ($fpIn = fopen($source, 'rb')) {
            // Get the initialzation vector from the beginning of the file
            $iv = fread($fpIn, 16);
            while (!feof($fpIn)) {
                $ciphertext = fread($fpIn, 16 * (FILE_ENCRYPTION_BLOCKS + 1)); // we have to read one block more for decrypting than for encrypting
                $plaintext = openssl_decrypt($ciphertext, 'AES-128-CBC', $key, OPENSSL_RAW_DATA, $iv);
                // Use the first 16 bytes of the ciphertext as the next initialization vector
                $iv = substr($ciphertext, 0, 16);
                fwrite($fpOut, $plaintext);
        } else {
            $error = true;
    } else {
        $error = true;

    return $error ? false : $dest;

How to use

If you need a small snippet to see how this works or to test the above functions, look at the following code.

$fileName = __DIR__.'/testfile.txt';
$key = 'my secret key';
file_put_contents($fileName, 'Hello World, here I am.');
encryptFile($fileName, $key, $fileName . '.enc');
decryptFile($fileName . '.enc', $key, $fileName . '.dec');

This will create three files:

  1. testfile.txt with the plain text
  2. testfile.txt.enc with the encrypted file
  3. testfile.txt.dec with the decrypted file. This should have the same content as testfile.txt
Copy link

stollr commented Sep 12, 2017

I published this code first on stackoverflow's documentation project, but after they announced the closing of the project, I moved to this gist.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment