<cms:func 'encrypt-keygen' into='keygen-response' scope='global'>
    <cms:php>
        global $CTX;
        $key = sodium_crypto_secretbox_keygen();
        $hex_key = sodium_bin2hex($key);
        $CTX->set("<cms:show into />", $hex_key, "<cms:show scope />");
    </cms:php>
</cms:func>


<cms:func 'encrypt' string='' into='encrypt-response' scope='global'>
    <cms:php>
        global $CTX;
        $message = "<cms:show string />";
        $key = sodium_hex2bin(K_ENCRYPTION_KEY);
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ciphertext = sodium_crypto_secretbox($message, $nonce, $key);
        $encrypted = base64_encode($nonce . $ciphertext);
        $CTX->set("<cms:show into />", $encrypted, "<cms:show scope />");
    </cms:php>
</cms:func>


<cms:func 'decrypt' string='' into='decrypt-response' scope='global'>
    <cms:php>
        global $CTX;
        $key = sodium_hex2bin(K_ENCRYPTION_KEY);
        $nonceFromEncrypted = mb_substr(base64_decode("<cms:show string />"), 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
        $ciphertextFromEncrypted = mb_substr(base64_decode("<cms:show string />"), SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
        $decrypted = sodium_crypto_secretbox_open($ciphertextFromEncrypted, $nonceFromEncrypted, $key);
        if ($decrypted === false) {
            throw new Exception('The message was tampered with in transit');
        }
        $CTX->set("<cms:show into />", $decrypted, "<cms:show scope />");
    </cms:php>
</cms:func>