Security Tip: Encrypting Environment Files?
[Tip#34] In September, Laravel 9.32 added the ability to encrypt environment files... but do you need to use it?
Greetings my friends! I hope you enjoyed last week’s In Depth, where we did a security review of Steve McDougall’s "Creating a Password Generator" tutorial. I had a lot of fun putting it together, and it’s probably my favourite In Depth so far! Go check it out, if you missed it. 😁
This week I’m hard at work building an incredibly ambitious talk for Laracon EU. I don’t want to give too much away, but it should be a lot of fun for everyone. This week, however, we have another security tip! This one is a tip and an open question about Encrypting Environment Files…
Laravel Security In Depth is a bestselling reader-supported publication. Join over 1,700 Laravel developers, learning about keeping their apps secure each week.
Encrypting Environment Files?
In September, Joe Dixon contributed a new feature to Laravel that adds the ability to encrypt and decrypt
`.env` files. The purpose is to allow you to securely manage your app keys/credentials outside your build/deploy pipeline, which can make some pipelines and deployments easier, and lets you track configuration changes securely through version control. It is also fully supported in Laravel Vapor and Forge.
However, by default this feature will encrypt your local keys stored in
`.env`, which opens up a huge risk of you accidently using production keys in local dev!
To avoid this, always include the
`--env=production` flag and use a
`.env.production` file ignored by
You can do this to encrypt
$ php artisan env:encrypt --env=production INFO Environment successfully encrypted. Key ........... base64:dw6+haLHKmMIri1BIh02KALvXKrKo3PWa+dro58iVrw= Cipher ................................................ AES-256-CBC Encrypted file .......................... .env.production.encrypted
And then decrypt it in your production environment like this to automatically save as
`.env`, ready for use:
$ php artisan env:decrypt \ --key="base64:dw6+haLHKmMIri1BIh02KALvXKrKo3PWa+dro58iVrw=" \ --env=production \ --filename=".env" INFO Environment successfully decrypted. Decrypted file ............................................... .env
But do you need it?
Before reaching for this helper, I would caution you to stop and consider: Do you really need to do this?
Even though the file is encrypted, you’re still passing around and committing credentials, and this always opens up a potential risk.
Are you leaving the unencrypted
`.env.production`file lying around on your local dev environment?
Where else are the keys stored?
Where is the encryption key that decrypts the
Who has access to the encryption key and should they be able to access production keys?
While I don’t see much reason to use this in production beyond special cases, I can see it being useful for syncing local dev keys across a dev team, or passing testing keys into CI/build environments. Sandbox keys could easily be configured and then encrypted and committed, locked to specific code versions to avoid version-hell issues.
I’m not saying it’s a useless or insecure feature, just something to use carefully.
`.gitignore` by default: https://github.com/laravel/laravel/blob/9.x/.gitignore#L9