Symmetric encryption via the PHP libsodium extension (sodium_crypto_secretbox).
Recommended driver for encrypting TOTP secrets at rest.
- libsodium extension (bundled with PHP ≥ 7.2, so covered by CakePHP 5)
- A 32-byte (256-bit) secret key
Verify availability:
php -r "var_dump(function_exists('sodium_crypto_secretbox'));"
# bool(true)php -r "echo base64_encode(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES)), PHP_EOL;"Store the result in your environment — never hardcode it:
VERIFICATION_SODIUM_KEY="VLWUPtYvCE6APk9d+1x6l/jVblP+9uA0fTwREzzfnPs="
// config/verification.php
'crypto' => [
'driver' => 'sodium',
'key' => base64_decode(env('VERIFICATION_SODIUM_KEY', '')),
],See configuration.md for the full crypto reference.
Both drivers are secure. Use SodiumCrypto when libsodium is available (it usually is).
Fall back to AesGcmCrypto only when the host does not have the sodium extension.
See aes_gcm_crypto.md.
| Topic | File |
|---|---|
| README | ../../README.md |
| Verification flows (setup, login, OTP choice) | ../verification_flow.md |
| Installation | ../installation.md |
| Configuration reference | ../configuration.md |
| Environment variables | ../env.md |
| UsersController actions | ../users_controller.md |
| VerificationComponent | ../verification_component.md |
| VerificationHelper | ../verification_helper.md |
| Email verification & Email OTP | ../email_verification.md |
| SMS OTP | ../sms_verification.md |
| TOTP | ../totp_verification.md |
| Enable / disable individual steps | ../verificator_enable_disable.md |
| API reference index | index.md |