AES-256 decryption with PHP & Mcrypt

I’ve recently had to decrypt some data from a third party API, encrypted with AES-256.

Thanks to an example implementation only in C# and a quirk of PHP, I stumbled for quite a while.

AES-256 is a derivation of the Rijndael cipher, but the two are not quite the same. Mcrypt only lists MCRYPT_RIJNDAEL_128, MCRYPT_RIJNDAEL_192 and MCRYPT_RIJNDAEL_256 – no AES.

I did try checking out PHP’s OpenSSL (PHP >= 5.3), where an example on the page lists aes-256-cbc as a supported standard, but despite the documentation and examples listing up to 5 arguments, the last being the crucial (in this implementation) Initialisation Vector, PHP was throwing an error, claiming OpenSSL could take a maximum of 4 arguments, leaving me to have the final argument with the internet and looking like a nutter in the office.

Some feedback from the API developers firmed up what I was dealing with and spurred me to another bout of research.

Cipher settings provided by the API Developers

Critically, this confirmed I should be using MCRYPT_MODE_CBC.

Finally I found this post: AES-256 using PHP-mcrypt which cleared up the crucial issue – AES-256 support IS possible with mcrypt – by using MCRYPT_RIJNDAEL_128.

Oh of course, how obvious. Silly me…

So, here is a very simple implementation of AES-256 as a CodeIgniter class, which outputs the decrypted data to screen:
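The decryption described above, written as plain functions in an added example rather than the post's own CodeIgniter class. It assumes base64-encoded ciphertext, a raw 32-byte key, a raw 16-byte IV and PKCS#7 padding (the .NET default), none of which the page states; the function names and sample values are constructed.

```php
<?php
// Added example, not the post's original class. Assumed (not stated on the
// page): base64 ciphertext, raw-byte key and IV, PKCS#7 padding (.NET default).

function strip_pkcs7($data, $blockSize = 16)
{
    $len = strlen($data);
    if ($len === 0 || $len % $blockSize !== 0) {
        throw new UnexpectedValueException('Plaintext is not block aligned');
    }
    $pad = ord($data[$len - 1]);
    if ($pad < 1 || $pad > $blockSize
        || substr($data, -$pad) !== str_repeat(chr($pad), $pad)) {
        throw new UnexpectedValueException('Bad padding: wrong key, IV or mode?');
    }
    return substr($data, 0, $len - $pad);
}

function aes256_cbc_decrypt($ciphertextB64, $key, $iv)
{
    // AES-256 = 32-byte key; the AES block, and so the CBC IV, is 16 bytes.
    if (strlen($key) !== 32 || strlen($iv) !== 16) {
        throw new InvalidArgumentException('Need a 32-byte key and 16-byte IV');
    }
    $ciphertext = base64_decode($ciphertextB64, true);
    if ($ciphertext === false || $ciphertext === '') {
        throw new InvalidArgumentException('Ciphertext is not valid base64');
    }
    // The 128 in MCRYPT_RIJNDAEL_128 is the block size in bits; the key length
    // selects AES-128/192/256. MCRYPT_RIJNDAEL_256 (256-bit block) is not AES.
    $padded = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $ciphertext, MCRYPT_MODE_CBC, $iv);
    if ($padded === false) {
        throw new RuntimeException('mcrypt_decrypt failed');
    }
    return strip_pkcs7($padded); // mcrypt itself leaves the padding bytes in place
}

// Constructed round trip: pad by hand, encrypt with the same cipher settings.
$key   = hash('sha256', 'constructed demo passphrase', true); // 32 raw bytes
$iv    = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
$plain = 'constructed sample payload';
$pad   = 16 - (strlen($plain) % 16);
$ct    = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plain . str_repeat(chr($pad), $pad), MCRYPT_MODE_CBC, $iv);

var_dump(aes256_cbc_decrypt(base64_encode($ct), $key, $iv) === $plain); // round-trip check
```

mcrypt was deprecated in PHP 7.1 and removed from core in 7.2; on current PHP the same data decrypts with openssl_decrypt using aes-256-cbc. CBC carries no integrity check, so if the API supplies a MAC or signature, verify it before decrypting.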

Install Nginx on EC2 Ubuntu instance

Fire up an EC2 Ubuntu instance


Connect via SSH as user ‘ubuntu’


Add nginx repo

File contents:

Save & close – [Esc] [w] [q] [Enter]


Install dev tools


where xxxxxxxxxxxxxxxx is a 16-digit hex code like 00A6F0A3C300EE8C. Then:


Install build tools for compiling


Create sources dir


Download and extract zlib


Download and extract OpenSSL


Download and extract PCRE


Install dependencies


Download and install Nginx

Note that 2>&1 | tee ~/sources/{file}.log logs the output to a file in your user’s home directory (on EC2 likely /home/ubuntu/) while still outputting to the console.

Now we can compile the installer. Warning – this is one LOOOONG-ass make…

If make fails with:

Nginx needs patching:

This means the lines ending in libssl.a and libcrypto.a need .openssl/lib/ removed from them.
To do this:

Navigate to and edit the code. Save and close. Run make again.

And finally, we can install: