The readable secret is stored only on the user side, for use in JS code that sends it to the server in a POST request.
On the server side we use a .env variable that contains the encrypted secret.
The key itself is saved in a separate file anywhere on the server, typically under /usr/local.
composer require defuse/php-encryption
vendor/bin/generate-defuse-key
github.com/vlucas/phpdotenv
github.com/defuse/php-encryption
<?php
require __DIR__ . '/../vendor/autoload.php';

use Defuse\Crypto\Crypto;
use Defuse\Crypto\Key;
use Dotenv\Dotenv;

// Load .env, which holds METIS_SECRET (the encrypted secret)
$dotenv = Dotenv::createImmutable(__DIR__ . '/../');
$dotenv->load();

// Load the key from the keyfile kept outside the web root; trim() drops a trailing newline
$keyContents = file_get_contents(__DIR__ . '/../crypto/keyfile');
$key = Key::loadFromAsciiSafeString(trim($keyContents));

// Uncomment the following line once to produce the encrypted value for METIS_SECRET in .env
// echo $newEncryptedSecret = Crypto::encrypt('your_secret_phrase', $key);

$secret = Crypto::decrypt($_ENV['METIS_SECRET'], $key);

// Compare the posted secret with $secret in constant time
$valid = isset($_POST['secret']) && hash_equals($secret, $_POST['secret']);
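The following is an added example, not code from the original note or from either library, that puts the two halves of the scheme side by side: the one-time setup step that encrypts the plaintext secret for .env, and the request handler that decrypts it and checks the POSTed value. The keyfile path and the METIS_SECRET name follow the note; the function names, the `secret` POST field and the CLI branch for the setup step are this example's own assumptions.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/../vendor/autoload.php';

use Defuse\Crypto\Crypto;
use Defuse\Crypto\Key;
use Dotenv\Dotenv;

// Keyfile location taken from the note; keep it outside the web root.
const KEYFILE = __DIR__ . '/../crypto/keyfile';

/** Load the Defuse key; trim() removes a trailing newline left by shell redirection. */
function loadKey(string $path): Key
{
    $contents = file_get_contents($path);
    if ($contents === false) {
        throw new RuntimeException("cannot read keyfile $path");
    }
    return Key::loadFromAsciiSafeString(trim($contents));
}

/**
 * Setup step, run once: encrypt the plaintext secret and return the line to put
 * into .env. The ciphertext is useless without the keyfile, so it can live in .env.
 */
function makeEnvLine(string $plaintextSecret, Key $key): string
{
    return 'METIS_SECRET=' . Crypto::encrypt($plaintextSecret, $key);
}

/**
 * Request step: decrypt the stored ciphertext and compare it with the POSTed
 * secret. hash_equals() is constant-time, so a mismatch does not reveal how
 * many leading characters were correct.
 */
function postedSecretIsValid(array $post, string $ciphertext, Key $key): bool
{
    if (!isset($post['secret']) || !is_string($post['secret'])) {
        return false;
    }
    $expected = Crypto::decrypt($ciphertext, $key); // throws if the ciphertext was altered
    return hash_equals($expected, $post['secret']);
}

$key = loadKey(KEYFILE);

if (PHP_SAPI === 'cli') {
    // Setup: php this-script.php 'your_secret_phrase'  -> prints METIS_SECRET=def50200...
    echo makeEnvLine($argv[1] ?? 'your_secret_phrase', $key), PHP_EOL;
    exit;
}

// Web request: load .env, then gate the request on the posted secret.
$dotenv = Dotenv::createImmutable(__DIR__ . '/../');
$dotenv->load();

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !postedSecretIsValid($_POST, $_ENV['METIS_SECRET'], $key)) {
    http_response_code(403);
    exit('forbidden');
}

// ... handle the request that carried a valid secret ...
```

Run the script once from the command line to get the METIS_SECRET line for .env; the same file then serves the POST handler under the web server. Because the plaintext value is embedded in client-side JS, a match only shows that the caller had that page's JS value; it does not identify a user, so treat it as a request gate, not as authentication.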