Basics of encryption in Laravel

Leave a Comment / Development, Laravel / By /

Encrypting sensitive data in Laravel (Basic)

When you are handling sensitive data from users, it’s best to be as careful with that data as possible. That’s especially true in the EU, where sensitive personal information is protected by frameworks like the GDPR and NIS2.

This blog post isn’t about those frameworks. Instead, we are going to look at how you can encrypt your sensitive data in your Laravel application. Don’t worry, you might’ve heard that “encryption is hard” from some developers (I sure have) but it’s not that complicated.

Considerations

Before you start encrypting data, there are some things that you need to consider. For starters, if you encrypt your data and lose your encryption key you will not have a good time. Secondly, encrypted data is far larger than the unencrypted equivalent so you need to plan your database accordingly when it comes to storing your sensitive data.

Before you start working on your application, start figuring out what data is important enough to encrypt. This will depend from app to app and will be dedicated by the requirements and what legal territory you’re crossing. Data that might be interesting to encrypt are names, addresses, contact information and IP addresses.

IP addresses? Yes! A German court has decided that IP addresses can be sensitive data when they can be associated with users and other sensitive data. So if you’re logging IP addresses along with other information it might be in your best interest to also encrypt them. But ultimately it’s up to you what data you need to encrypt (or not, because of compliance reasons)

Basic Setup

When you are reading this, there’s not really a way for me to tell where you are in the development process, but one of the first things you want to do is take a look at your database.

Identify all the fields that you want to encrypt and check what type you’re using. Anything Varchar that isn’t big enough might run out of Steam soon. Personally I’m using the type “text” if I’m creating a database, but that’s mostly because it doesn’t really matter for my apps as long as the data fits.

If your Laravel app is up and running, we can immediately move on to the next step and that’s encrypting your data. There’s two ways to do this: the automatic and the manual mode. Let’s take a look at the automatic method first.

Through Model Casting

The automatic method is to encrypt and decrypt the data by using the casting functionality on your model(s).  Add your attributes (columns) to the protected $casts function and add your column with the value encrypted. This will do two things for you:

  • On storing data it will automatically be encrypted using Laravel’s built-in encryption
  • On retrieving the data it’ll automatically be decrypted.
protected $casts = [ 'secret_notes' => 'encrypted', ];

With just a simple line of code you’re encrypting your sensitive data. Now, of course, this doesn’t affect existing data. That’s why it’s important to know how to manually encrypt data too. This is done through the Crypt: helper

Manual encrypting and decrypting

Manually encrypting and decrypting data is fairly straight forward. Like I said, it’s achieved through the Crypt:: helper.

  • To encrypt: Crypt::encryptString(“your value”) (this can also just be a variable
  • To decrypt: Crypt::decryptString(“your value”) (or a variable).

Knowing this, you can encrypt your data if, for example, you want to start using encryption and have to loop over your database. Personally I’ve never done this, though. I’m not a developer guru, so always take what I say with a pinch of salt, but if you’re unsure I would try encrypting the data and storing it in another table (or maybe a new column) and then test if the data decrypts properly. But that’s just me.

But is it safe?!

Well, it sure beats *not encrypting the data at all*, that’s for sure.

But yes, this encryption method is perfectly safe and secure. The encryption technology in Laravel uses OpenSSL and AES-256-CBC which are modern industry standard approaches. And it’s surprisingly simple to setup.

One of the first things you do when you start working on your project is setting up an App Key for your project. You can find it in your .env file as app_key. This key is used to encrypt your data.

It’s virtually impossible to crack the encryption that is used by Laravel. The only attack vector on your data that is more or less realistic, would be that:

  • Your .env file gets nuked out of orbit
  • Someone gets access to your key and steals it.

Which is a valid concern, but let’s be real. The moment someone gets access to your .env file your entire app is compromised and your sensitive data is the least of your concerns as you’ll likely won’t be able to access it anymore.

Conclusion

If you’re building in Laravel or considering building an app, there’s no excuse not to implement encryption in your application. The extra line per model or the extra Crypt::encryptString for your values doesn’t outweigh the pain in the butt the authorities will be if the sensitive data you’re storing leaks on the internet.

Leave a Reply

Discover more from PowerUser Guide

Subscribe now to keep reading and get access to the full archive.

Continue reading