Security Tip: Encrypting Environment Files?

[Tip#34] In September, Laravel 9.32 added the ability to encrypt environment files... but do you need to use it?

In September, Joe Dixon contributed a new feature to Laravel that adds the ability to encrypt and decrypt `.env` files. The purpose is to allow you to securely manage your app keys/credentials outside your build/deploy pipeline, which can make some pipelines and deployments easier, and lets you track configuration changes securely through version control. It is also fully supported in Laravel Vapor and Forge.

However, by default this feature will encrypt your local keys stored in `.env`, which opens up a huge risk of you accidently using production keys in local dev!

To avoid this, always include the `--env=production` flag and use a `.env.production` file ignored by `.gitignore`1.

You can do this to encrypt `.env.production` safely:

$ php artisan env:encrypt --env=production

  INFO  Environment successfully encrypted.

  Key ........... base64:dw6+haLHKmMIri1BIh02KALvXKrKo3PWa+dro58iVrw=
  Cipher ................................................ AES-256-CBC
  Encrypted file .......................... .env.production.encrypted

And then decrypt it in your production environment like this to automatically save as `.env`, ready for use:

$ php artisan env:decrypt \
    --key="base64:dw6+haLHKmMIri1BIh02KALvXKrKo3PWa+dro58iVrw=" \
    --env=production \
    --filename=".env"

   INFO  Environment successfully decrypted.

  Decrypted file ............................................... .env

But do you need it?

Before reaching for this helper, I would caution you to stop and consider: Do you really need to do this?

Even though the file is encrypted, you’re still passing around and committing credentials, and this always opens up a potential risk.

• Are you leaving the unencrypted `.env.production` file lying around on your local dev environment?

• Where else are the keys stored?

• Where is the encryption key that decrypts the `.env.production` stored?

• Who has access to the encryption key and should they be able to access production keys?

Non-Production Usage

While I don’t see much reason to use this in production beyond special cases, I can see it being useful for syncing local dev keys across a dev team, or passing testing keys into CI/build environments. Sandbox keys could easily be configured and then encrypted and committed, locked to specific code versions to avoid version-hell issues.

I’m not saying it’s a useless or insecure feature, just something to use carefully.

---

👉 Looking to dive deeper into Laravel security? Check out Practical Laravel Security, my hands-on security course that uses interactive hacking challenges to teach you about how vulnerabilities work, so you can avoid them in your own code! 🕵️

👉 When was your last security audit or penetration test? Book in a Laravel Security Audit and Penetration Test today! 🕵️

1

Laravel includes `.env.production` in `.gitignore` by default: https://github.com/laravel/laravel/blob/9.x/.gitignore#L9