Security Tip: Encrypting Environment Files?

[Tip#34] Laravel features the ability to encrypt environment files... but do you need to use it?


A few years ago, Joe Dixon contributed a new feature to Laravel 9 that adds the ability to encrypt and decrypt .env files. The purpose is to allow you to securely manage your app keys/credentials outside your build/deploy pipeline, which can make some pipelines and deployments easier, and lets you track configuration changes securely through version control. It is also fully supported in Laravel Vapor and Forge.

However, by default this feature encrypts whatever is in .env, which is your local keys, which opens up a huge risk of you accidentally using production keys in local dev!

To avoid this risk, always include the --env=production flag when you use this feature. This tells artisan to use the .env.production file instead of .env.

In addition, .env.production should also be listed in .gitignore so it is ignored by Git. (Laravel sets this by default.)

You can do this to encrypt .env.production safely:

$ php artisan env:encrypt --env=production

  INFO  Environment successfully encrypted.

  Key ........... base64:dw6+haLHKmMIri1BIh02KALvXKrKo3PWa+dro58iVrw=
  Cipher ................................................ AES-256-CBC
  Encrypted file .......................... .env.production.encrypted

And then decrypt it in your production environment like this; the decrypted result is automatically saved as .env, ready for use:

$ php artisan env:decrypt \
    --key="base64:dw6+haLHKmMIri1BIh02KALvXKrKo3PWa+dro58iVrw=" \
    --env=production \
    --filename=".env"

  INFO  Environment successfully decrypted.

  Decrypted file ............................................... .env

But do you need it?

Before reaching for this helper, I would caution you to stop and consider:

Do you really need to do this?

Even though the file is encrypted, you’re still passing around and committing credentials, and this always opens up a potential risk.

  • Are you leaving the unencrypted .env.production file lying around on your local dev environment?
  • Where else are the keys stored?
  • Where is the encryption key that decrypts the .env.production stored?
  • Who has access to the encryption key and should they be able to access production keys?
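As an added check that is not part of this tip or of Laravel itself, the following Python script parses a local .env and a plaintext .env.production and reports secret-looking variables that hold the same value in both, which is the tell-tale sign of production credentials ending up in local dev. The dotenv parsing is a simplified assumption of the format (comments, blank lines, quoted values), and the two sample files are constructed for the demonstration.

```python
import re

# Variables whose names suggest secrets; an identical value in .env and
# .env.production means local dev is running with production credentials.
SECRET_PATTERN = re.compile(r"(KEY|SECRET|PASSWORD|TOKEN|DSN)", re.IGNORECASE)
LINE_PATTERN = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def parse_dotenv(text):
    """Parse dotenv text into a dict: skips comments and blanks, strips quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_PATTERN.match(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                        # quoted value: keep verbatim
        elif " #" in value:
            value = value.split(" #", 1)[0].rstrip()   # unquoted: drop trailing comment
        env[name] = value
    return env

def shared_secrets(local_env, production_env):
    """Names of secret-looking variables whose value is identical in both files."""
    return sorted(
        name for name, value in production_env.items()
        if SECRET_PATTERN.search(name)
        and value                                      # empty values are not leaks
        and local_env.get(name) == value
    )

# Constructed sample files for this demonstration (not real credentials).
LOCAL_ENV = """\
APP_ENV=local
APP_KEY=base64:LOCALKEYLOCALKEYLOCALKEYLOCALKEYLOCALKEY=
DB_PASSWORD="secret"
STRIPE_SECRET=sk_live_EXAMPLE_LEAKED   # pasted from production by mistake
MAIL_PASSWORD=
"""
PRODUCTION_ENV = """\
APP_ENV=production
APP_KEY=base64:PRODKEYPRODKEYPRODKEYPRODKEYPRODKEYPRO=
DB_PASSWORD='p@ss w0rd'
STRIPE_SECRET=sk_live_EXAMPLE_LEAKED
MAIL_PASSWORD=
"""

if __name__ == "__main__":
    print(shared_secrets(parse_dotenv(LOCAL_ENV), parse_dotenv(PRODUCTION_ENV)))
```

Run it against the real files (read them from disk in place of the constructed strings) before encrypting, and treat any reported name as a credential that needs rotating, not just removing.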

Non-Production Usage

While I don’t see much reason to use this in production if you can securely set up your .env file directly, I can see it being useful for syncing local dev keys across a dev team, or passing testing keys into CI/build environments. Sandbox keys could easily be configured and then encrypted and committed, locked to specific code versions to avoid version-hell issues.

I’m not saying it’s a useless or insecure feature, just something to use carefully.
