From 8c79776726764b51f7f3a9cc787b806aaf6ad91f Mon Sep 17 00:00:00 2001 From: SunMar Date: Wed, 7 Mar 2018 13:51:13 +0300 Subject: [PATCH 1/3] Add new option to use \Defuse\Crypto\Key as encryption key #812 #814 --- installation.md | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/installation.md b/installation.md index 2eb0c359..91eab07b 100755 --- a/installation.md +++ b/installation.md 
@@ -54,8 +54,38 @@ The public key should be distributed to any services (for example resource serve ## Generating encryption keys -To generate an encryption key for the `AuthorizationServer` run the following command in the terminal: +The `AuthorizationServer` accepts two kinds of encryption keys, a `string` password or a `\Defuse\Crypto\Key` object from the [Secure PHP Encryption Library](https://github.com/defuse/php-encryption). + +### `string` password + +A `string` password is of unknown strength, to turn it into a strong encryption key the [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) key derivation function is used. +This function derives an encryption key from a password and is slow by design, aimed to reduce vulnerability to brute force attacks. + +To generate a `string` password for the `AuthorizationServer` run the following command in the terminal: ~~~ shell php -r 'echo base64_encode(random_bytes(32)), PHP_EOL;' ~~~ + +### `Key` object + +A `\Defuse\Crypto\Key` is a strong encryption key. This removes the need to use a slow key derivation function, reducing encryption and decryption times compared to using a `string` password. + +A `Key` can be generated with the `generate-defuse-key` script. To generate a `Key` for the `AuthorizationServer` run the following command in the terminal: + +~~~ shell +vendor/bin/generate-defuse-key +~~~ + +The `string` can be loaded as a `Key` with `Key::loadFromAsciiSafeString($string)`. For example: + +```php + use \Defuse\Crypto\Key; + $server = new AuthorizationServer( + $clientRepository, + $accessTokenRepository, + $scopeRepository, + $privateKeyPath, + Key::loadFromAsciiSafeString($encryptionKey) +); +``` From d5635cff4df9f7e6628e2e5d5bfe47d81b9d9d32 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Thu, 8 Mar 2018 18:28:51 +0000 Subject: [PATCH 2/3] Minor changes to changelog text --- installation.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/installation.md b/installation.md index 91eab07b..83286be4 100755 --- a/installation.md +++ b/installation.md @@ -58,10 +58,10 @@ The `AuthorizationServer` accepts two kinds of encryption keys, a `string` passw ### `string` password -A `string` password is of unknown strength, to turn it into a strong encryption key the [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) key derivation function is used. -This function derives an encryption key from a password and is slow by design, aimed to reduce vulnerability to brute force attacks. +A `string` password can be of variable strength depending on the password used. To turn it into a strong encryption key the [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) key derivation function is used. +This function derives an encryption key from a password and is slow by design. It uses a lot of CPU resources for a fraction of a second, applying key stretching to the password to reduce vulnerability to brute force attacks. -To generate a `string` password for the `AuthorizationServer` run the following command in the terminal: +To generate a `string` password for the `AuthorizationServer`, you can run the following command in the terminal: ~~~ shell php -r 'echo base64_encode(random_bytes(32)), PHP_EOL;' From 990ca26047ab69df98852b45fdf10a3b420af312 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Thu, 8 Mar 2018 18:31:26 +0000 Subject: [PATCH 3/3] Simplifying the language --- installation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installation.md b/installation.md index 83286be4..c96a447c 100755 --- a/installation.md +++ b/installation.md 
@@ -58,7 +58,7 @@ The `AuthorizationServer` accepts two kinds of encryption keys, a `string` passw ### `string` password -A `string` password can be of variable strength depending on the password used. To turn it into a strong encryption key the [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) key derivation function is used. +A `string` password can vary in strength depending on the password chosen. To turn it into a strong encryption key the [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) key derivation function is used. This function derives an encryption key from a password and is slow by design. It uses a lot of CPU resources for a fraction of a second, applying key stretching to the password to reduce vulnerability to brute force attacks. To generate a `string` password for the `AuthorizationServer`, you can run the following command in the terminal:
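Review bot: in patch 1/3 (hunk `@@ -54,8 +54,38 @@`), the PHP example that closes the `### \`Key\` object` section is inconsistently indented (the `use \Defuse\Crypto\Key;` and `$server = new AuthorizationServer(` lines carry a leading space while the arguments and the closing `);` do not) and is fenced with triple backticks while the two shell commands on the same page use `~~~ shell` fences; please align both with the page's existing style. The sentence introducing it, "The `string` can be loaded as a `Key` with `Key::loadFromAsciiSafeString($string)`", is ambiguous because the preceding subsection defines a "`string` password" as something different: state that it is the string printed by `vendor/bin/generate-defuse-key`, and that `$encryptionKey` in the example is assumed to hold that value, loaded from configuration or the environment rather than committed to source control, since it is the key that protects everything the server encrypts. The page also says nothing about what happens to data already encrypted under a `string` password when an installation switches to a `Key` object; since the string path derives its key through PBKDF2 and the `Key` path uses the key directly, the two are not interchangeable, and a sentence on migration would save readers a surprise.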
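Review bot: in patch 2/3 (hunk `@@ -58,10 +58,10 @@`), the commit subject says "changelog text" but the hunk edits `installation.md`, the installation guide, so the subject is misleading. The added sentence "It uses a lot of CPU resources for a fraction of a second" is also vague: the cost of PBKDF2 is governed by its iteration count, which the page does not state, and "a fraction of a second" will not hold on every host. Suggest something like "It is deliberately expensive to compute, applying key stretching so that each password guess costs an attacker the same work."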
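Review bot: in patch 3/3 (hunk `@@ -58,7 +58,7 @@`), the reworded sentence "A `string` password can vary in strength depending on the password chosen." sits directly above the instruction to generate the password with `random_bytes(32)`, which already yields 256 bits of entropy; the paragraph should say that PBKDF2 is there to protect a weaker, human-chosen password, and that with a randomly generated one the derivation is pure overhead, which is exactly why the `Key` option from patch 1/3 exists. The next sentence also needs a comma: "To turn it into a strong encryption key, the PBKDF2 key derivation function is used."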