Security Tip: Encrypting Environment Files?
[Tip#34] In September, Laravel 9.32 added the ability to encrypt environment files... but do you need to use it?
In September, Joe Dixon contributed a new feature to Laravel that adds the ability to encrypt and decrypt `.env`
files. The purpose is to allow you to securely manage your app keys/credentials outside your build/deploy pipeline, which can make some pipelines and deployments easier, and lets you track configuration changes securely through version control. It is also fully supported in Laravel Vapor and Forge.
However, by default this feature will encrypt your local keys stored in `.env`
, which opens up a huge risk of you accidently using production keys in local dev!
To avoid this, always include the `--env=production`
flag and use a `.env.production`
file ignored by `.gitignore`1
.
You can do this to encrypt `.env.production`
safely:
$ php artisan env:encrypt --env=production
INFO Environment successfully encrypted.
Key ........... base64:dw6+haLHKmMIri1BIh02KALvXKrKo3PWa+dro58iVrw=
Cipher ................................................ AES-256-CBC
Encrypted file .......................... .env.production.encrypted
And then decrypt it in your production environment like this to automatically save as `.env`
, ready for use:
$ php artisan env:decrypt \
--key="base64:dw6+haLHKmMIri1BIh02KALvXKrKo3PWa+dro58iVrw=" \
--env=production \
--filename=".env"
INFO Environment successfully decrypted.
Decrypted file ............................................... .env
But do you need it?
Before reaching for this helper, I would caution you to stop and consider: Do you really need to do this?
Even though the file is encrypted, you’re still passing around and committing credentials, and this always opens up a potential risk.
Are you leaving the unencrypted
`.env.production`
file lying around on your local dev environment?Where else are the keys stored?
Where is the encryption key that decrypts the
`.env.production`
stored?Who has access to the encryption key and should they be able to access production keys?
Non-Production Usage
While I don’t see much reason to use this in production beyond special cases, I can see it being useful for syncing local dev keys across a dev team, or passing testing keys into CI/build environments. Sandbox keys could easily be configured and then encrypted and committed, locked to specific code versions to avoid version-hell issues.
I’m not saying it’s a useless or insecure feature, just something to use carefully.
👉 Looking to dive deeper into Laravel security? Check out Practical Laravel Security, my hands-on security course that uses interactive hacking challenges to teach you about how vulnerabilities work, so you can avoid them in your own code! 🕵️
👉 When was your last security audit or penetration test? Book in a Laravel Security Audit and Penetration Test today! 🕵️
Laravel includes `.env.production`
in `.gitignore`
by default: https://github.com/laravel/laravel/blob/9.x/.gitignore#L9
Great tips. We liked this feature and wanted it for it's Laravel Vapor support but we were not comfortable committing to GIT (even if it's encrypted...). So we store our ENV file in AWS Param Store. We retrieve it and encrypt it using artisan during deployment for Vapor to use.
Just thought I'd mention that there's a use case without needing to store in GIT.