If you encrypt your hashes before you store them in a relational database, this creates another layer of defense against password leaking IF AND ONLY IF the database is on separate hardware from the webserver.
If an attacker can compromise your database, it's very likely they can also compromise your filesystem. "SELECT '<?php reverse_shell_code_here();' INTO OUTFILE /var/www/llehs.php;'
and whatnot.
Depends on this:
- https://github.com/defuse/php-encryption/ for authenticated encryption (AES-128-CBC + HMAC-SHA-256)
And one of these two:
In response to http://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html