Real AES provides an encryption method plugin for the Encrypt module. This plugin offers authenticated encryption based on AES-128 CBC with a HMAC.

It can also serve as a library loader for the Defuse PHP-encryption library.

Partial API compatibility with the insecure AES module (via a submodule) is provided to act as a replacement for use with other modules. Contrary to AES, this module will not accept keys that are too long or too small.

Defuse PHP-encryption provides authenticated encryption via an Encrypt-then-MAC scheme. AES-128 CBC is the symmetric encryption algorithm, SHA-256 the hash algorithm for the HMAC. IV's are automatically and randomly generated. You do not need to manage the IV separately, as it is included in the ciphertext.

Beware that AES-module compatibility is at API-level only, and then just partial. Existing messages cannot be decrypted, nor is there an upgrade path.

Authenticated encryption

Authenticated encryption ensures data integrity of the ciphertext. When decrypting, integrity is checked first. Further decryption operations will only be executed when the integrity check passes. This prevents certain ciphertext attacks on AES CBC.


  • PHP 5.4 or later with the openssl extension.
  • Drupal 7: A specific version of the Defuse PHP-Encryption library. Download the required version.
    Unzip the archive and install it as php-encryption in your libraries folder (sites/all/libraries/php-encryption).
  • Drupal 8: 2.x version of the Defuse PHP-Encryption library as defined in this module's composer.json file.


  1. Use the Authenticated AES encryption method with the Encrypt module (
  2. If you implement encryption yourself, use this module as a Defuse PHP Encryption library loader. In your own code, include the library with libraries_load('php-encryption'), then call Crypto::encrypt, Crypto::decrypt and Crypto::createNewRandomKey directly.
  3. If necessary, enable the provided AES submodule. This is an API module exposing aes_encrypt and aes_decrypt for partial API compatibility with modules depending on the insecure AES module.

Please see the included README.txt for additional information.


This module was created by LimoenGroen after carefully considering the various encryption modules and libraries available.

The port to Drupal 8 was performed by Sven Decabooter, supported by Acquia.

The library doing the actual work, Defuse PHP encryption, is authored by Taylor Hornby and Scott Arciszewski. Its home is on .

Supporting organizations: 
Development Support

Project information