PHP 7.2 with mcrypt in Windows

Posted 2020-05-29 05:46

Question:

There are some huge legacy systems whose dependencies on PHP's mcrypt are extremely important and vital (including the data storage in database). I need to find a way to maintain this library while upgrading to PHP 7.2 (which already worked fine).

My local test environment is Windows. The live environment is run on CentOS.

Some of the answers I have seen involve decrypting and changing mcrypt to openssl (I think that's not possible at the moment since there's a lot of data to decrypt).

Another way is to download a lower PHP version with mcrypt support, copy the extension and add it to php.ini (I do not even know the folder).

Downgrading PHP to 5.6 is not suitable due to security issues.

Any light on what could be done in this scenario?

Answer 1:

Basically I think you have mentioned all possibilities and you do not have a choice. Do not downgrade to PHP 5.6; this approach has no future.

MCrypt was removed from PHP for one of the main reasons why you want to upgrade PHP: Security. The MCrypt library is not maintained anymore. Therefore installing the MCrypt extension is also a bad idea. But it can be a temporary solution (follow e.g. those instructions https://serverpilot.io/community/articles/how-to-install-the-php-mcrypt-extension.html).

The only good solution is migrating from mcrypt to something else. There are questions regarding this topic on Stack Overflow already (e.g. Upgrading my encryption library from Mcrypt to OpenSSL). Alternatively you could use some encryption library. Migrating a large amount of code/data might be a pain but this is the most future-oriented approach in this case.



Answer 2:

Note that there is no code or information about the mcrypt options/code.

Probably the only problem is the non-standard null padding used by mcrypt. To decrypt with another implementation that does not support null padding (it is non-standard), just decrypt with no padding and then remove the null padding.

If you also must encrypt the same as mcrypt just add null padding and encrypt with no-padding.

Really consider migrating the current encryption or adding some flag that the encryption is (or not) mcrypt compatible.
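
The null-padding approach from Answer 2, sketched with PHP's OpenSSL extension. This is an added example, not code from either answer; the function names are hypothetical, and it assumes the legacy data was written with MCRYPT_RIJNDAEL_128 in CBC mode and a 32-byte key, since the question does not state the mcrypt options.

```php
<?php
// Added example, not code from the answers above.
// Assumption: the legacy data used MCRYPT_RIJNDAEL_128 in CBC mode with a
// 32-byte key, which maps to OpenSSL's aes-256-cbc. MCRYPT_RIJNDAEL_256 has a
// 256-bit block and cannot be handled this way.
const BLOCK_SIZE = 16;
const CIPHER = 'aes-256-cbc';
// OPENSSL_ZERO_PADDING turns OpenSSL's PKCS#7 padding off; it adds no zeros itself.
const FLAGS = OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING;

function mcrypt_compat_encrypt(string $plaintext, string $key, string $iv): string
{
    // mcrypt appends NUL bytes up to the block boundary, none if already aligned.
    $remainder = strlen($plaintext) % BLOCK_SIZE;
    if ($remainder !== 0) {
        $plaintext .= str_repeat("\0", BLOCK_SIZE - $remainder);
    }
    $ciphertext = openssl_encrypt($plaintext, CIPHER, $key, FLAGS, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    return $ciphertext;
}

function mcrypt_compat_decrypt(string $ciphertext, string $key, string $iv): string
{
    if ($ciphertext === '' || strlen($ciphertext) % BLOCK_SIZE !== 0) {
        throw new InvalidArgumentException('ciphertext is not a whole number of blocks');
    }
    $padded = openssl_decrypt($ciphertext, CIPHER, $key, FLAGS, $iv);
    if ($padded === false) {
        throw new RuntimeException('openssl_decrypt failed');
    }
    // Null padding is ambiguous: NUL bytes that ended the original plaintext are stripped too.
    return rtrim($padded, "\0");
}

// Constructed sample values; real keys and IVs come from the legacy system.
$key = random_bytes(32);
$iv = random_bytes(BLOCK_SIZE);

$ct = mcrypt_compat_encrypt('legacy record', $key, $iv);
var_dump(strlen($ct));
var_dump(mcrypt_compat_decrypt($ct, $key, $iv));

// Binary plaintext ending in NUL does not round-trip; mcrypt has the same ambiguity.
$ct = mcrypt_compat_encrypt("\x01\x02\x00", $key, $iv);
var_dump(bin2hex(mcrypt_compat_decrypt($ct, $key, $iv)));
```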