1) The mcrypt module has been deprecated with PHP 7.1.
What does that mean for the encryption filters?
2) deriving the IV from the secret passphrase seems wrong. This leaks information about the passphrase without need.
3) using md5() for this? Really? hash() has been available since PHP 5.1.2.
4) hashing the passphrase twice does not add any security.
5) using substr() on binary data (why, oh why, is true passed to md5()?) might lead to headaches if mbstring.func_overload is used.