PHP’s mcrypt extension is a binding of libmcrypt – a cryptography library which enables support for a wide variety of algorithms, including DES, TripleDES, Blowfish (default), 3-WAY, SAFER-SK64, SAFER-SK128, TWOFISH, TEA, RC2 and GOST in CBC, OFB, CFB and ECB cipher modes.
This article is going to show you why it was deprecated and how to install mcrypt on newer PHP releases.
mcrypt is now deprecated from PHP 7.2
According to PHP manual, mcrypt extension was deprecated in PHP 7.1.0, and completely removed from PHP 7.2.0.
The mcrypt extension has been moved to the PECL repository and is no longer bundled with PHP since PHP 7.2.0. This means PHP 7.2, 7.3, 7.4 and so on won’t have mcrypt out of the box either.
Why was mcrypt deprecated
The mcrypt extension has been abandonware for nearly a decade now, and was also fairly complex to use. The last update to libmcrypt was in 2007, despite unmerged patches piling up. That fact led security advisors to discourage its use in new releases.
mcrypt has therefore been deprecated in favour of OpenSSL, and it is removed from the core and moved into PECL in PHP 7.2.
Security experts also advise against doing crypto work in PHP in the first place (which is what mcrypt did). PHP is neither the right tool nor the right environment for cryptography.
Install mcrypt from PECL
PECL is a repository for PHP Extensions, which includes community-maintained and old packages.
You can download and install any PHP extension available from their repository, include
Assuming you’re using Linux, you can easily get mcrypt from PECL by following the steps below.
The instructions below also work for AWS users running on Linux.
Step 1 : Install
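# pecl is provided by php-pear; php-dev / php-devel provides phpize, which pecl needs to build the extension
sudo apt-get install php-pear php-dev
# OR
sudo yum install php-pear php-devel
Step 2 : Ensure libmcrypt is installed.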
sudo apt-get install libmcrypt-dev libreadline-dev -y
Step 3 : Install the correct mcrypt version using PECL.
The mcrypt library on PECL has several builds for each PHP version.
If you’re running PHP 7.2.x, the correct mcrypt release version is 1.0.1
pecl install mcrypt-1.0.1
If you’re running PHP 7.4.x, you have to install mcrypt 1.0.2
pecl install mcrypt-1.0.2
Similarly, PHP 8.0 is compatible with mcrypt 1.0.3 and PHP 8.1 with 1.0.4.
Step 4 : Enable mcrypt by adding extension=mcrypt.so to php.ini.
# tee -a appends; a plain ">" redirect would overwrite the whole php.ini
echo "extension=mcrypt.so" | sudo tee -a /etc/php/7.2/apache2/php.ini
echo "extension=mcrypt.so" | sudo tee -a /etc/php/7.2/cli/php.ini
The exact location of php.ini depends on your specific setup, which can be found by running the following command.
php -i | grep 'php.ini'
Step 5 : Verify that mcrypt is installed and enabled properly.
php -m | grep mcrypt
Step 6 : Restart Nginx or Apache for changes to take effect.
sudo systemctl restart apache2
# OR
sudo systemctl restart nginx
Install and enable mcrypt for PHP5
You can still install mcrypt if you’re using PHP version 5.x on Ubuntu/Debian (which is insecure, though), following the instructions below.
Step 1 : Install
sudo apt-get install php5-mcrypt
Step 2 : Symlink
ln -s /etc/php5/conf.d/mcrypt.ini /etc/php5/mods-available/mcrypt.ini
Step 3 : Symlink php5/fpm/mods-available if you use FastCGI Process Manager (FPM).
ln -s /etc/php5/fpm/conf.d/mcrypt.ini /etc/php5/mods-available/mcrypt.ini
Step 4 : Enable mcrypt by running
Step 5: Restart PHP and nginx/apache for changes to take effect.
sudo systemctl restart php5-fpm
sudo systemctl restart nginx
sudo systemctl restart apache2
Please note that if mcrypt is already installed, creating a symlink will cause the error below.
ln: failed to create symbolic link ‘/etc/php5/mods-available/mcrypt.ini’: File exists
In this case, skip step 2 and step 3 and proceed to enable the extension.
Just because you can install and use mcrypt on newer PHP releases doesn’t mean that you should. Instead, consider moving to one of its alternatives below.
- Sodium (available as of PHP 7.2.0)
- mcrypt_compat – PHP 5.x/7.x polyfill for mcrypt extension.