|string */ public array|string $previousKeys = ''; /** * -------------------------------------------------------------------------- * Encryption Driver to Use * -------------------------------------------------------------------------- * * One of the supported encryption drivers. * * Available drivers: * - OpenSSL * - Sodium */ public string $driver = 'OpenSSL'; /** * -------------------------------------------------------------------------- * SodiumHandler's Padding Length in Bytes * -------------------------------------------------------------------------- * * This is the number of bytes that will be padded to the plaintext message * before it is encrypted. This value should be greater than zero. * * See the user guide for more information on padding. */ public int $blockSize = 16; /** * -------------------------------------------------------------------------- * Encryption digest * -------------------------------------------------------------------------- * * HMAC digest to use, e.g. 'SHA512' or 'SHA256'. Default value is 'SHA512'. */ public string $digest = 'SHA512'; /** * Whether the cipher-text should be raw. If set to false, then it will be base64 encoded. * This setting is only used by OpenSSLHandler. * * Set to false for CI3 Encryption compatibility. */ public bool $rawData = false; /** * Encryption key info. * This setting is only used by OpenSSLHandler. * * Set to 'encryption' for CI3 Encryption compatibility. */ public string $encryptKeyInfo = ''; /** * Authentication key info. * This setting is only used by OpenSSLHandler. * * Set to 'authentication' for CI3 Encryption compatibility. */ public string $authKeyInfo = ''; /** * Cipher to use. * This setting is only used by OpenSSLHandler. * * Set to 'AES-128-CBC' to decrypt encrypted data that encrypted * by CI3 Encryption default configuration. */ public string $cipher = 'AES-256-CTR'; /** * Constructor - loads encryption key from fallback location if not set. 
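*
     * This supports Docker/container environments where ROOTPATH/.env may be
     * read-only or ephemeral. The fallback key file is stored in WRITEPATH/config/.
     *
     * The fallback is consulted only when the configured key is empty or shorter
     * than 64 bytes. A fallback that is missing or fails validation leaves the
     * configured key untouched.
     *
     * NOTE(review): strlen() counts bytes. If the parent constructor decodes a
     * prefixed key (e.g. hex2bin: / base64:) into raw bytes, a valid 32-byte key
     * would fall below this threshold and be silently replaced by the file key.
     * Confirm the 64-byte minimum matches the key format actually in use.
     */
    public function __construct()
    {
        parent::__construct();

        // If key not set from .env or environment, try WRITEPATH fallback
        if (empty($this->key) || strlen($this->key) < 64) {
            $fallbackKey = $this->loadKeyFromWritable();

            if ($fallbackKey !== null) {
                $this->key = $fallbackKey;
            }
        }
    }

    /**
     * Loads encryption key from WRITEPATH/config/encryption.key.
     *
     * The file is expected to hold a JSON object with a string "key" entry of
     * at least 64 bytes. A missing, unreadable or malformed file yields null,
     * so the caller keeps whatever key was already configured.
     *
     * Security: this file holds the secret in plaintext inside a directory the
     * application can write to. It should be readable only by the account that
     * runs the application and must not be reachable through the web server.
     * The length check confirms size only; it does not show that the key came
     * from a cryptographically secure generator.
     *
     * @return string|null The encryption key if found, null otherwise
     */
    private function loadKeyFromWritable(): ?string
    {
        $keyFile = WRITEPATH . 'config' . DIRECTORY_SEPARATOR . 'encryption.key';

        // is_file() instead of file_exists(): a directory at this path is not a
        // key file, and reading it would only produce a warning before failing.
        if (!is_file($keyFile) || !is_readable($keyFile)) {
            return null;
        }

        $content = file_get_contents($keyFile);

        if ($content === false) {
            return null;
        }

        $data = json_decode($content, true);

        // Reject anything that is not {"key": "<string of 64+ bytes>"} so a
        // truncated or tampered file never yields a short key.
        if (
            !is_array($data)
            || !isset($data['key'])
            || !is_string($data['key'])
            || strlen($data['key']) < 64
        ) {
            return null;
        }

        return $data['key'];
    }
}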