Reputation: 7485
How to secure app.php encryption key? (Laravel 5)
According to this, Laravel supports encryption and decryption of data. It works well and is easy to set up, but my question is how secure is it really?
What if the encrypted fields in the database are compromised and then the app.php file is also compromised? Then they will have access to the encryption key.
Is there a way we can programmatically secure the encryption key from hackers?
This answer is certainly helpful, but I'm wondering if there is a specific method for Laravel apps. Appreciated!
Upvotes: 0
Views: 3244
Answers (1)
Reputation: 1012
Laravel's encryption is strong, it uses the AES algorithm through MCrypt, which is a well known PHP extension.
If your encrypted fields AND your encryption key falls into wrong hands you're pretty much screwed and there's nothing to do about it.
Fortunately, there are ways to secure the key. First of all, don't you EVER put your key inside the app.php file. Laravel 5 makes it easier than ever to use environments. Put your key inside a .env file and refer to it inside your app.php file.
As those files lay outside the reach of the code you run through your public folder, you're good to go. If someone with bad intentions finds a way to ssh or FTP into your server, this approach won't save you but also no one else will.
I don't know what are you planning on encrypt but on the off chance you are thinking about securing passwords through encryption, please read on.
Upvotes: 5
Related Questions
- Encryption and decryption in Laravel 5
- "No application encryption key has been specified" error even after generating key in laravel?
- Laravel 8 decrypt
- No application encryption key has been specified. Laravel
- How to encrypt laravel 5.2 URL or Routes?
- Laravel decrypt with secret key
- Best practice to store App Key in Laravel
- Is it possible to encrypt data in Laravel with APP_KEY which differ per user?
- Encrypt decrypt Laravel 5.4
- Laravel APP_KEY for long term enrypted data (not only passwords)