Practical phpxlsx

Protect, encrypt and sign

Introduction

Premium licenses of phpxlsx includes methods to protect, encrypt and sign XLSX files created from scratch either with phpxlsx or MS Excel, LibreOffice or any other program or library.

Protect

A worksheet and its sheets can be protected with a password to prevent users doing changes in an XLSX.

Thanks to the protect method included in CryptoXlsx, XLSX files can be easily protected:

public function protect($source, $target, $options = array())

As a sample, the code to protect the worksheet of an XLSX is:

$xlsx = new CryptoXlsx();

$options = array(
    'password' => 'phpxlsx',
    'scope' => 'worksheet',
);
$xlsx->protect('file.xlsx', 'output.xlsx', $options);

A 'password' value must be set in the $options array.

Encrypt

The goal of encrypting an XLSX file is to avoid unauthorized users accessing the contents of the file.

In order to open an encrypted spreadsheet the user must write the correct password beforehand.

MS Excel files encrypted with the Excel interface, even if preserving the .xlsx extension, use the Binary Compound File standard of Microsoft (although after decryption they are converted to standard Excel files).

The code to encrypt an XLSX is as simple as using the encrypt method included in CryptoXlsx:

$xlsx = new CryptoXlsx();
$xlsx->encrypt('file.xlsx', 'output_encrypted.xlsx', array('password' => 'phpxlsx'));

Whenever the user tries to open the Excel spreadsheet, a password must be prompted in order to read the spreadsheet.

Sign

The Digital Signature feature signs XLSX files.

It is out of the scope of this introduction to explain in detail what a digital signature is (have a look at this Wikipedia article for more detailed information). In a few words, it is a way to prove the "authenticity and integrity of a file": you can be sure that the digitally signed file has been created by the person that says so and that has not been altered afterwards.

In order to digitally sign an XLSX in a web server you need a Digital Certificate emitted by a recognized Certification Authority or CA for short (you may generate your own certificates for testing but it is not recommended to use them unless you are going to distribute your documents on a controlled environment).

$sign = new SignXlsx();

copy('file.xlsx', 'output_signed.xlsx');
$sign->setXlsx('output_signed.xlsx');
$sign->setPrivateKey('key.pem', 'phpxlsx');
$sign->setX509Certificate('cert.pem');
$sign->setSignatureComments('This spreadsheet has been signed.');
$sign->sign();

This method directly signs the XLSX which path has been set in the setXlsx() method. If you wish to maintain an unsigned version of the file, please, first make a copy of it as the previous sample code does.
You need to include the path to your RSA private key in the setPrivateKey() method indicating the password if required.
The setPrivateKey() method only admits pem format. If you want to use pfx format you should first transform it to pem.
You should include the path to your digital certificate in the set X509Certificate() method. In many cases it may be the same as the one to the private key but not necessarily so (it may also be, for example, a .crt file).
You may include in the setSignatureComments() method a string with a brief explanation of your reasons to sign the document .
Be aware that the private key should never be accesible directly via web without posing a critical security risk.

Tips and tricks

Both protect and encrypt methods can be used in the same XLSX file to first protect the file and then encrypt it.

Next - More features