Today’s guest tutorial comes to you courtesy of Mark Eberhardt, the founder of Minion Multimedia, an independent app development studio based in the Pacific Northwest. Mark has been a Corona developer for the last several years, releasing a variety of cross-platform apps for iOS and Android.

When Corona Labs introduced Corona Plugins, I was excited to learn that OpenSSL was one of the first in the initial batch. In this tutorial, I’ll show you how to initialize the appropriate plugin module, then to do some basic encryption and decryption.

Additions to “build.settings”

The first step is to add a couple of lines to the build.settings file to support the OpenSSL plugin:

settings =
   plugins =
      ["plugin.openssl"] = { publisherId = "com.coronalabs", },


Next, you need to require the plugin in the main project file:

local openssl = require( "plugin.openssl" )

Next, we’ll create a cipher object. The method can be a variety of encryption methods. For the sake of this tutorial, we’ll use "aes-256-cbc".

local cipher = openssl.get_cipher ( "aes-256-cbc" )


To encrypt a string of text, we’ll use the following line of code:

local encryptedData = cipher:encrypt ( "text", "key" )

The text is a string that you want encrypted, and key is a string containing a passphrase, which can be anything.

If you want the user to be able to select their own passphrase, a simple native text field could be used to get their input. Additionally, you could have that input hashed using the crypto functions.

local crypto = require( "crypto" )
local key = crypto.digest( crypto.sha256, "plainTextPassPhrase" )

Encoding the text for transport

I also like to apply a base64 encode on the encrypted text. This allows for easier storage or data sharing. To encode the text as base64 is really simple. We enable the mime functions then call b64 to encode the text.

local mime = require ( "mime" )
local encryptedData = mime.b64 ( cipher:encrypt ( "text", "key" ) )

Now the encrypted data is stored as a base64 string.


If we want to decrypt something, it’s just as easy!

local decryptedData = cipher:decrypt ( "text", "key" )

Just replace text with the encrypted text, and key with the the string that was used to encrypt the text with. If the encrypted text is base64 encoded, it’s easy to undo the encoding — just use mime.unb64.

local mime = require ( "mime" )
local decryptedData = cipher:decrypt ( mime.unb64 ( "text" ), "key" )

Overall code

Here’s the overall code up to this point:

local openssl = require( "plugin.openssl" )

local cipher = openssl.get_cipher ( "aes-256-cbc" )
local mime = require ( "mime" )

local encryptedData = mime.b64 ( cipher:encrypt ( "Your Text Here", "Your Key Here" ) )
local decryptedData = cipher:decrypt ( mime.unb64 ( encryptedData ), "Your Key Here" )

print ( "Encrypted Text: " .. encryptedData )
print ( "Decrypted Text: " .. decryptedData )


If you want to take things further and if your web host has the OpenSSL module installed, you can create a PHP script that can encode/decode text sent to/from your app:


$source = 'Your Encrypted Text Here';
$pass = 'Your Key here';
$method = 'aes-256-cbc';

$encrypted = base64_encode ( openssl_encrypt ( $source, $method, $pass ) );


This will return a base64-encoded string that can be decoded with OpenSSL — and decryption is just as simple:

$decrypted = openssl_decrypt ( base64_decode ( $encrypted ), $method, $pass );

So the full scope of the php script would be:


$source = 'Your Encrypted Text Here';
$pass = 'Your Key here';
$method = 'aes-256-cbc';

$encrypted = base64_encode ( openssl_encrypt ( $source, $method, $pass ) );

$decrypted = openssl_decrypt ( base64_decode ( $encrypted ), $method, $pass );


In practical use, if you’re sending encrypted data to the script, you could replace the $source variable with:

$source = $_POST["yourPostVariable"]

In summary

As you can see, setting up Corona’s OpenSSL plugin is fast and easy. In just a few lines of code, you can be encrypting and decrypting data! For further reference, please review the documentation.

  1. Very interesting! Has anyone tried this out in regard to performance? Kan you expect to encrypt/decrypt kbytes of data in under a second on a device? I have tried another (plain) lua-implemententation of aes and it was not very fast. I think it was the bit manipulation that was the main hindrance.

  2. @Jens encrypt/decrypt does work pretty fast… I have myself tried a lua-implemententation of aes that wasn’t fast… I haven’t done massive text lengths of text->aes encryption. But again before even small text lengths seem to take forever.

  3. Error: Warning: openssl_encrypt() [function.openssl-encrypt]: Using an empty Initialization Vector (iv) is potentially insecure and not recommended

    Workaround here:

    dont forget the 2 further parameters. $iv needs to be sent during decryption too.

    $source = ‘Your Encrypted Text Here’;
    $pass = ‘yourpasswordhere’;
    $method = ‘aes-256-cbc’;
    $raw_output = false;
    $iv = “1721597321565789”;

    $encrypted = base64_encode ( openssl_encrypt ( $source, $method, $pass, $raw_output, $iv) );

  4. Thank you for this tutorial

    Writing this line
    local cipher = openssl.get_cipher ( “aes-256-cbc” ), I was wondering which other methods are available? I tried to find a list somewhere, but no such luck.

    It seems from what you say, that other arguments are available:
    “Next, we’ll create a cipher object. The method can be a variety of encryption methods. For the sake of this tutorial, we’ll use “aes-256-cbc”.”

    I need the encryption to use the sha1 algorithm.

  5. Leonardo Borsten says:

    I’m having difficulty using the examples of the PHP decryption script. I am trying this:
    $decrypted = openssl_decrypt ( base64_decode ( $_REQUEST ), $method, $pass );
    I am assuming that the encrypted data is carried in the $_REQUEST. The $_REQUEST appears to be an array. The key part of the array looks like the encrypted data and the value part of the array is empty.

    What is the proper way to receive and parse the posted encryption in PHP?

  6. Pls note that in PHP, openSSL automatically performs base64 on it. So, the example above needs to be updated as such :

    $encrypted = base64_encode ( openssl_encrypt ( $source, $method, $pass ) );
    $encrypted = ( openssl_encrypt ( $source, $method, $pass ) );

  7. Thank you for great tutorial!!! Unfortunately I have an error in line

    Can somebody help me to solve this issue?

    Error: “module ‘plugin_openssl’ not found:resource ( does not exist in archive
    no field package.preload[‘plugin_openssl’]
    no file ‘/Users/Apple/Library/Application Support/Corona/Simulator/Plugins/plugin_openssl.lua’
    no file ‘/Users/Apple/Library/Application Support/luaglider2/dev/ProjectBuilds/MyGreatSteppe(Builds)/MyGreatSteppe(default)/MyGreatSteppe/plugin_openssl.lua’
    no file ‘/Applications/CoronaSDK/Corona’
    no file ‘/Users/Apple/Library/Application Support/Corona/Simulator/Plugins/plugin_openssl.dylib’
    no file ‘./plugin_openssl.dylib’
    no file ‘/Applications/CoronaSDK/Corona'”

  8. Hi, I followed step by step this tutorial to use SSL in both local and remote, but the results of encryption are completely different:

    At local:

    local openssl = require “plugin.openssl”

    local cipher = openssl.get_cipher ( “aes-256-cbc” )
    local mime = require ( “mime” )

    local encryptedData = mime.b64 ( cipher:encrypt ( “test”, “test” ) )
    local decryptedData = cipher:decrypt ( mime.unb64 ( encryptedData ), “test” )

    print ( “Encrypted Text: ” .. encryptedData ) — 33zefe1wMVR3XvkzkVBo9Q==
    print ( “Decrypted Text: ” .. decryptedData ) — test

    local testParams = {body = “encryptedData=” .. encryptedData}

    network.request( url .. “test.php”, “POST”, networkListener, testParams)

    At remote:

    Any idea of what I’m doing wrong? :(

      • *Oops, triple post. Sorry about this.

        $source = ‘test’;
        $pass = ‘test’;
        $method = ‘aes-256-cbc’;

        $encrypted = base64_encode ( openssl_encrypt ( $source, $method, $pass ) );
        echo “encrypted : ” .$encrypted; // MzN6ZWZlMXdNVlIzWHZremtWQm85UT09

        $decrypted = openssl_decrypt ( base64_decode ( $encrypted ), $method, $pass );
        echo “decrypted : ” .$decrypted; // ‘test’

        $encryptedData = $_POST[‘encryptedData’];
        echo ‘source : ‘ .$encryptedData; // 33zefe1wMVR3XvkzkVBo9Q==

        $decryptedData = openssl_decrypt ( base64_decode ( $encryptedData ), $method, $pass );
        echo “decryptedData : ” .$decryptedData; // ” (empty)

        • I will reply here since it is a typo on the tutorial.

          As @yosu noted, the encrypt/decrypt functions on php already do the base64 encode/decode. So,

          WHERE YOU SEE:
          $encrypted = base64_encode ( openssl_encrypt ( $source, $method, $pass ) );
          SHOUD BE:
          $encrypted = ( openssl_encrypt ( $source, $method, $pass ) );

          Same here for decrypt.
          WHERE YOU SEE:
          $decrypted = openssl_decrypt ( base64_decode ( $encrypted ), $method, $pass );
          SHOUD BE:
          $decrypted = openssl_decrypt ( $encrypted, $method, $pass );

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>