CodeIgniter User Guide Version 1.5.3

Encryption Class

The Encryption Class provides two-way data encryption. It uses a scheme that pre-compiles the message using a randomly hashed bitwise XOR encoding scheme, which is then encrypted using the Mcrypt library. If Mcrypt is not available on your server the encoded message will still provide a reasonable degree of security for encrypted sessions or other such "light" purposes. If Mcrypt is available, you'll effectively end up with a double-encrypted message string, which should provide a very high degree of security.

Setting your Key

A key is a piece of information that controls the cryptographic process and permits an encrypted string to be decoded. In fact, the key you chose will provide the only means to decode data that was encrypted with that key, so not only must you chose the key carefully, you must never change it if you intend use it for persistent data.

It goes without saying that you should guard your key carefully. Should someone gain access to your key, the data will be easily decoded. If your server is not totally under your control it's impossible to ensure key security so you may want to think carefully before using it for anything that requires high security, like storing credit card numbers.

To take maximum advantage of the encryption algorithm, your key should be 32 characters in length (128 bits). The key should be as random a string as you can concoct, with numbers and uppercase and lowercase letters. Your key should not be a simple text string. In order to be cryptographically secure it needs to be as random as possible.

Your key can be either stored in your application/config/config.php, or you can design your own storage mechanism and pass the key dynamically when encoding/decoding.

To save your key to your application/config/config.php, open the file and set:

$config['encryption_key'] = "YOUR KEY";

Message Length

It's important for you to know that the encoded messages the encryption function generates will be approximately 2.6 times longer than the original message. For example, if you encrypt the string "my super secret data", which is 21 characters in length, you'll end up with an encoded string that is roughly 55 characters (we say "roughly" because the encoded string length increments in 64 bit clusters, so it's not exactly linear). Keep this information in mind when selecting your data storage mechanism. Cookies, for example, can only hold 4K of information.

Initializing the Class

Like most other classes in CodeIgniter, the Encryption class is initialized in your controller using the $this->load->library function:


Once loaded, the Encrypt library object will be available using: $this->encrypt


Performs the data encryption and returns it as a string. Example:

$msg = 'My secret message';

$encrypted_string = $this->encrypt->encode($msg);

You can optionally pass your encryption key via the second parameter if you don't want to use the one in your config file:

$msg = 'My secret message';
$key = 'super-secret-key';

$encrypted_string = $this->encrypt->encode($msg, $key);


Decrypts an encoded string. Example:

$encrypted_string = 'APANtByIGI1BpVXZTJgcsAG8GZl8pdwwa84';

$plaintext_string = $this->encrypt->decode($encrypted_string);


Permits you to set an Mcrypt cipher. By default it uses MCRYPT_RIJNDAEL_256. Example: $this->encrypt->set_cipher('MCRYPT_BLOWFISH');

Please visit for a list of available ciphers.

If you'd like to manually test whether your server supports Mcrypt you can use:

echo ( ! function_exists('mcrypt_encrypt')) ? 'Nope' : 'Yup';


Permits you to set an Mcrypt mode. By default it uses MCRYPT_MODE_ECB. Example: $this->encrypt->set_mode('MCRYPT_MODE_CFB');

Please visit for a list of available modes.


SHA1 encoding function. Provide a string and it will return a 160 bit one way hash. Note: SHA1, just like MD5 is non-decodable. Example:

$hash = $this->encrypt->sha1('Some string');

Many PHP installations have SHA1 support by default so if all you need is to encode a hash it's simpler to use the native function:

$hash = sha1('Some string');

If your server does not support SHA1 you can use the provided function.