Data protection SDK for PHP — format-preserving encryption (FF1/FF3), data masking, and hashing.
composer require cyphera/cyphera
Requires ext-openssl and ext-gmp.
use Cyphera\Cyphera;
// Auto-discover: checks CYPHERA_POLICY_FILE env, ./cyphera.json, /etc/cyphera/cyphera.json
$c = Cyphera::load();
// Or load from a specific file
$c = Cyphera::fromFile('./config/cyphera.json');
// Or inline config
$c = Cyphera::fromConfig([
'policies' => [
'ssn' => ['engine' => 'ff1', 'key_ref' => 'my-key', 'tag' => 'T01'],
],
'keys' => [
'my-key' => ['material' => '2B7E151628AED2A6ABF7158809CF4F3C'],
],
]);
// Protect
$protected = $c->protect('123-45-6789', 'ssn');
// → "T01i6J-xF-07pX" (tagged, dashes preserved)
// Access (tag-based, no policy name needed)
$accessed = $c->access($protected);
// → "123-45-6789"| Engine | Reversible | Description |
|---|---|---|
ff1 |
Yes | NIST SP 800-38G FF1 format-preserving encryption |
ff3 |
Yes | NIST SP 800-38G Rev 1 FF3-1 format-preserving encryption |
mask |
No | Simple pattern masking (last4, first1, full, etc.) |
hash |
No | SHA-256/384/512, HMAC when key provided |
{
"policies": {
"ssn": { "engine": "ff1", "key_ref": "my-key", "tag": "T01" },
"cc": { "engine": "ff1", "key_ref": "my-key", "tag": "T02" },
"ssn_mask": { "engine": "mask", "pattern": "last4", "tag_enabled": false }
},
"keys": {
"my-key": { "material": "2B7E151628AED2A6ABF7158809CF4F3C" }
}
}All seven SDKs produce identical output for the same inputs:
Input: 123-45-6789
Java: T01i6J-xF-07pX
Rust: T01i6J-xF-07pX
Node: T01i6J-xF-07pX
Python: T01i6J-xF-07pX
Go: T01i6J-xF-07pX
.NET: T01i6J-xF-07pX
PHP: T01i6J-xF-07pX
Alpha. API is unstable. Cross-language test vectors validated against Java, Rust, Node, Python, Go, and .NET implementations.
Apache 2.0 — Copyright 2026 Horizon Digital Engineering LLC