OstroJS's encryption services provide a simple, convenient interface for encrypting and decrypting text via OpenSSL using AES-256 and AES-128 encryption. All of OstroJS's encrypted values are signed with a message authentication code (MAC), so the underlying value cannot be modified or tampered with once it has been encrypted.


Before using OstroJS's encrypter, you must set the key configuration option in your config/app.js configuration file. This configuration value is driven by the APP_KEY environment variable. To generate the value for this variable, use the node assistant key:generate command, which uses NodeJS's secure random bytes generator to build a cryptographically secure key for your application. The value of the APP_KEY environment variable is usually generated for you during the installation of OstroJS.

Using The Encrypter

Encrypting A Value

The encryptString function of the Crypt façade may be used to encrypt a value. All values are encrypted using OpenSSL and the AES-256-CBC cipher. All encrypted values are also signed with a message authentication code (MAC). The embedded message authentication code prevents the decryption of any values that have been tampered with by malicious users:

const Controller = require('~/app/http/controllers/controller')
const Crypt = require('@ostro/support/facades/crypt')

class DigitalOceanTokenController extends Controller {
    /**
     * Store a DigitalOcean API token for the user.
     */
    async storeSecret({ request }) {
        let user = await request.user()
        // Encrypt the token before it is assigned to the model
        await user.fill({
            'token': Crypt.encryptString(request.input('token')),
        })
    }
}

module.exports = DigitalOceanTokenController

Decrypting A Value

The decryptString function supplied by the Crypt façade may be used to decrypt values. If the value cannot be correctly decrypted, such as when the message authentication code is invalid, an IlluminateContractsEncryptionDecryptException will be raised:

const Crypt = require('@ostro/support/facades/crypt')

let decrypted
try {
    decrypted = Crypt.decryptString(encryptedValue)
} catch (e) {
    // Handle the failure, e.g. an invalid message authentication code
}
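
The encrypt-then-MAC behaviour described in the two sections above, sketched with Node's built-in crypto module. This is an added example, not OstroJS's own code: the payload layout, the subkey derivation and every function name in it are assumptions made for illustration.

```javascript
const crypto = require('crypto')

// Constructed demo key; in an application this is the stored 32-byte APP_KEY.
const KEY = crypto.randomBytes(32)

// Assumption: separate encryption and MAC subkeys are derived from the one key.
const subkey = (key, label) => crypto.createHmac('sha256', key).update(label).digest()
// HMAC-SHA256 over IV and ciphertext (encrypt-then-MAC).
const mac = (key, iv, value) =>
    crypto.createHmac('sha256', subkey(key, 'mac')).update(`${iv}.${value}`).digest()

// Assumed payload layout: base64(JSON{iv, value, mac}).
function encryptString(plain, key = KEY) {
    const iv = crypto.randomBytes(16) // fresh random IV per message
    const cipher = crypto.createCipheriv('aes-256-cbc', subkey(key, 'enc'), iv)
    const value = Buffer.concat([cipher.update(plain, 'utf8'), cipher.final()]).toString('base64')
    const ivB64 = iv.toString('base64')
    const payload = { iv: ivB64, value, mac: mac(key, ivB64, value).toString('hex') }
    return Buffer.from(JSON.stringify(payload)).toString('base64')
}

function decryptString(token, key = KEY) {
    let p
    try {
        p = JSON.parse(Buffer.from(token, 'base64').toString('utf8'))
    } catch (e) {
        throw new Error('invalid payload')
    }
    if (!p || [p.iv, p.value, p.mac].some((f) => typeof f !== 'string')) {
        throw new Error('invalid payload')
    }
    // Check the MAC in constant time before the ciphertext reaches the cipher.
    const expected = mac(key, p.iv, p.value)
    const given = Buffer.from(p.mac, 'hex')
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
        throw new Error('invalid MAC')
    }
    const iv = Buffer.from(p.iv, 'base64')
    const decipher = crypto.createDecipheriv('aes-256-cbc', subkey(key, 'enc'), iv)
    return Buffer.concat([decipher.update(p.value, 'base64'), decipher.final()]).toString('utf8')
}

// Constructed tamper case: change the first ciphertext character of a token.
function tamper(token) {
    const p = JSON.parse(Buffer.from(token, 'base64').toString('utf8'))
    p.value = (p.value[0] === 'A' ? 'B' : 'A') + p.value.slice(1)
    return Buffer.from(JSON.stringify(p)).toString('base64')
}
```

Because the MAC is verified first, a modified token or a token sealed under a different key fails with the MAC error and the CBC padding is never evaluated on attacker-controlled ciphertext.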