Laravel Security In Depth

Security Tip: Encrypting Environment Files?

[Tip#34] In September, Laravel 9.32 added the ability to encrypt environment files... but do you need to use it?

Stephen Rees-Carter
Jan 17
Greetings my friends! I hope you enjoyed last week’s In Depth, where we did a security review of Steve McDougall’s "Creating a Password Generator" tutorial. I had a lot of fun putting it together, and it’s probably my favourite In Depth so far! Go check it out, if you missed it. 😁

This week I’m hard at work building an incredibly ambitious talk for Laracon EU. I don’t want to give too much away, but it should be a lot of fun for everyone. This week, however, we have another security tip! This one is a tip and an open question about Encrypting Environment Files…



Encrypting Environment Files?

In September, Joe Dixon contributed a new feature to Laravel that adds the ability to encrypt and decrypt `.env` files. The purpose is to allow you to securely manage your app keys/credentials outside your build/deploy pipeline, which can make some pipelines and deployments easier, and lets you track configuration changes securely through version control. It is also fully supported in Laravel Vapor and Forge.

However, by default this feature will encrypt your local keys stored in `.env`, which opens up a huge risk of you accidentally using production keys in local dev!

To avoid this, always include the `--env=production` flag and use a `.env.production` file ignored by `.gitignore` [1].

You can do this to encrypt `.env.production` safely:

$ php artisan env:encrypt --env=production

  INFO  Environment successfully encrypted.

  Key ........... base64:dw6+haLHKmMIri1BIh02KALvXKrKo3PWa+dro58iVrw=
  Cipher ................................................ AES-256-CBC
  Encrypted file .......................... .env.production.encrypted

And then decrypt it in your production environment like this to automatically save as `.env`, ready for use:

$ php artisan env:decrypt \
    --key="base64:dw6+haLHKmMIri1BIh02KALvXKrKo3PWa+dro58iVrw=" \
    --env=production \
    --filename=".env"

   INFO  Environment successfully decrypted.

  Decrypted file ............................................... .env

But do you need it?

Before reaching for this helper, I would caution you to stop and consider: Do you really need to do this?

Even though the file is encrypted, you’re still passing around and committing credentials, and this always opens up a potential risk.

  • Are you leaving the unencrypted `.env.production` file lying around on your local dev environment?

  • Where else are the keys stored?

  • Where is the encryption key that decrypts the `.env.production` stored?

  • Who has access to the encryption key and should they be able to access production keys?
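As an added example (not from the post, and not Laravel's own tooling), here is a small POSIX shell guard that answers the workflow above and the questions just asked in a mechanical way: run over the file names about to be committed, it blocks plaintext `.env*` files (except the `.env.example` template), flags any file that contains a `base64:`-prefixed 32-byte key of the shape `env:encrypt` prints, and checks that `.gitignore` really lists the plaintext file. The function names, the repo-directory argument and the key pattern are assumptions for this example.

```shell
#!/usr/bin/env sh
# Guard for the env:encrypt workflow: run it over the file names that are
# about to be committed (for example from a pre-commit hook).
# env_guard <repo-dir> <relative-file>...  -> 0 if clean, 1 if something must be blocked
# gitignore_covers <repo-dir> <file>       -> 0 if .gitignore lists <file> as an exact line
# (Names and arguments are assumptions for this example, not Laravel's own commands.)

# A Laravel encryption key is "base64:" followed by a 32-byte key in base64
# (43 characters plus one "=" of padding), exactly the shape env:encrypt prints.
KEY_PATTERN='base64:[A-Za-z0-9+/]{43}='

env_guard() {
  repo="$1"; shift
  status=0
  for f in "$@"; do
    case "$(basename "$f")" in
      *.encrypted)  ;;   # .env.production.encrypted is the artefact we *want* committed
      .env.example) ;;   # the template shipped with Laravel holds no real secrets
      .env|.env.*)
        echo "BLOCK: plaintext environment file staged: $f" >&2
        status=1 ;;
    esac
    # Catch the decryption key pasted into a deploy script, README, CI config, etc.
    if grep -Eq "$KEY_PATTERN" "$repo/$f" 2>/dev/null; then
      echo "BLOCK: possible env:encrypt key found in $f" >&2
      status=1
    fi
  done
  return $status
}

gitignore_covers() {
  # Exact-line match, so a commented-out or partial entry does not count as coverage.
  grep -qxF "$2" "$1/.gitignore" 2>/dev/null
}
```

The key check is deliberately broad: an `APP_KEY` in a staged `.env` trips it too, which is the point, since that file should never be staged in the first place.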

Non-Production Usage

While I don’t see much reason to use this in production beyond special cases, I can see it being useful for syncing local dev keys across a dev team, or passing testing keys into CI/build environments. Sandbox keys could easily be configured and then encrypted and committed, locked to specific code versions to avoid version-hell issues.

I’m not saying it’s a useless or insecure feature, just something to use carefully.

[1] Laravel includes `.env.production` in `.gitignore` by default: https://github.com/laravel/laravel/blob/9.x/.gitignore#L9

2 Comments
Jason F
Jan 17 · Liked by Stephen Rees-Carter

Great tips. We liked this feature and wanted it for its Laravel Vapor support but we were not comfortable committing to GIT (even if it's encrypted...). So we store our ENV file in AWS Param Store. We retrieve it and encrypt it using artisan during deployment for Vapor to use.

Just thought I'd mention that there's a use case without needing to store in GIT.
