Security Tip: Encrypting Environment Files?
Security Tip: Encrypting Environment Files?
[Tip#34] In September, Laravel 9.32 added the ability to encrypt environment files... but do you need to use it?
Greetings my friends! I hope you enjoyed last week’s In Depth, where we did a security review of Steve McDougall’s "Creating a Password Generator" tutorial. I had a lot of fun putting it together, and it’s probably my favourite In Depth so far! Go check it out, if you missed it. 😁
This week I’m hard at work building an incredibly ambitious talk for Laracon EU. I don’t want to give too much away, but it should be a lot of fun for everyone. This week, however, we have another security tip! This one is a tip and an open question about Encrypting Environment Files…
💡 Ensure your apps are secure, book in a Laravel Security Audit and Penetration Test! 🕵️
Looking to learn more?
⏩ Security Tip #17: Don’t Hardcode Admin Emails
▶️ In Depth #6: Timing Attacks
Encrypting Environment Files?
In September, Joe Dixon contributed a new feature to Laravel that adds the ability to encrypt and decrypt `.env` files. The purpose is to allow you to securely manage your app keys/credentials outside your build/deploy pipeline, which can make some pipelines and deployments easier, and lets you track configuration changes securely through version control. It is also fully supported in Laravel Vapor and Forge.
However, by default this feature will encrypt your local keys stored in `.env`, which opens up a huge risk of you accidently using production keys in local dev!
To avoid this, always include the `--env=production` flag and use a `.env.production` file ignored by `.gitignore`.
You can do this to encrypt `.env.production` safely:
$ php artisan env:encrypt --env=production
INFO Environment successfully encrypted.
Key ........... base64:dw6+haLHKmMIri1BIh02KALvXKrKo3PWa+dro58iVrw=
Cipher ................................................ AES-256-CBC
Encrypted file .......................... .env.production.encryptedAnd then decrypt it in your production environment like this to automatically save as `.env`, ready for use:
$ php artisan env:decrypt \
--key="base64:dw6+haLHKmMIri1BIh02KALvXKrKo3PWa+dro58iVrw=" \
--env=production \
--filename=".env"
INFO Environment successfully decrypted.
Decrypted file ............................................... .envBut do you need it?
Before reaching for this helper, I would caution you to stop and consider: Do you really need to do this?
Even though the file is encrypted, you’re still passing around and committing credentials, and this always opens up a potential risk.
Are you leaving the unencrypted
`.env.production`file lying around on your local dev environment?Where else are the keys stored?
Where is the encryption key that decrypts the
`.env.production`stored?Who has access to the encryption key and should they be able to access production keys?
Non-Production Usage
While I don’t see much reason to use this in production beyond special cases, I can see it being useful for syncing local dev keys across a dev team, or passing testing keys into CI/build environments. Sandbox keys could easily be configured and then encrypted and committed, locked to specific code versions to avoid version-hell issues.
I’m not saying it’s a useless or insecure feature, just something to use carefully.
Laravel includes `.env.production` in `.gitignore` by default: https://github.com/laravel/laravel/blob/9.x/.gitignore#L9
Great tips. We liked this feature and wanted it for it's Laravel Vapor support but we were not comfortable committing to GIT (even if it's encrypted...). So we store our ENV file in AWS Param Store. We retrieve it and encrypt it using artisan during deployment for Vapor to use.
Just thought I'd mention that there's a use case without needing to store in GIT.