[openssl-users] Using random bytes only in openssl_encrypt versus real private key

Jim Dutton randomnoise058 at gmail.com
Sun Sep 2 11:48:09 UTC 2018

It appears that the (PHP) openssl_encrypt function will accept a string of
random bytes as the encryption key in place of a generated private key. It
works without any errors or warnings. So does the openssl_decrypt function.

This begs the question: what does openssl_encrypt actually do with just a string
of random bytes passed as the "key". I can't find anything in the OpenSSL or
PHP/openssl source code that clearly identifies any particular action
specifically related to a string of random bytes used as the encryption key,
other than requiring a correct key length.

Does it fall back to some internal default? If so - I cannot find it.

More information about the openssl-users mailing list