OstroJS's encryption services provide a straightforward, user-friendly interface for encrypting and decrypting text using AES-256 and AES-128 encryption using OpenSSL. OstroJS's encrypted values are all signed with a message authentication code (MAC) to ensure that the underlying value can't be changed or tampered with once they've been encrypted.


You must specify the key configuration option in your config/app.js configuration file before utilising OstroJS's encrypter. The APP KEY environment variable controls this setting value. To produce the value for this variable, use the node assistant key:generate command, which will utilise NodeJS's secure random bytes generator to create a cryptographically secure key for your application. During the installation of OstroJS, the value of the APP_KEY environment variable is usually generated for you.

Using The Encrypter

Encrypting A Value

The encryptString function of the Crypt façade may be used to encrypt a value. OpenSSL and the AES-256-CBC cypher are used to encrypt all values. A message authentication code is also used to sign all encrypted information (MAC). The embedded message authentication code will prevent malicious users from decrypting any values that have been tampered with:

const Controller = require('~/app/http/controllers/controller')
const Crypt = require('@ostro/support/facades/crypt')
class DigitalOceanTokenController extends Controller { 
     * Store a DigitalOcean API token for the user.
    storeSecret({request}) {
        let user  = await request.user()
        await user.fill({
            'token' : Crypt.encryptString(request.input('token')),

module.exports = DigitalOceanTokenController

Decrypting A Value

The decryptString function supplied by the Crypt façade may be used to decrypt values. An IlluminateContractsEncryptionDecryptException will be raised if the value cannot be correctly decrypted, such as when the message authentication code is invalid:

const Crypt = require('@ostro/support/facades/crypt')
try {
    $decrypted = Crypt.decryptString($encryptedValue);
} catch ($e) {