PHPackages grazulex/laravel-configrypt - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. grazulex/laravel-configrypt ActiveLibrary[Security](/categories/security) grazulex/laravel-configrypt =========================== Encrypt sensitive values in your Laravel .env file and decrypt them automatically at runtime โ€” safe, seamless, and config-driven. v1.5.0(9mo ago)718[1 issues](https://github.com/Grazulex/laravel-configrypt/issues)MITPHPPHP ^8.3CI passing Since Jul 25Pushed 9mo ago1 watchersCompare [ Source](https://github.com/Grazulex/laravel-configrypt)[ Packagist](https://packagist.org/packages/grazulex/laravel-configrypt)[ Docs](https://github.com/grazulex/laravel-configrypt)[ Fund](https://www.buymeacoffee.com/Grazulex)[ Fund](https://paypal.me/strauven)[ RSS](/packages/grazulex-laravel-configrypt/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (2)Dependencies (10)Versions (3)Used By (0) Laravel Configrypt ================== [](#laravel-configrypt) [![Laravel Configrypt](new_logo.png)](new_logo.png) Encrypt sensitive values in your Laravel .env file and decrypt them using helper functions that work around Laravel's environment caching limitations. [![Latest Version](https://camo.githubusercontent.com/d332a7cc969a67c55ee2b7b3f38fd2c272c0c0e4cd938181ef03c635a77f34b2/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f6772617a756c65782f6c61726176656c2d636f6e666967727970742e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/grazulex/laravel-configrypt)[![Total Downloads](https://camo.githubusercontent.com/c6711b87c291744241f7b2f67a6bb0d3d0083ad3ebbfa2e121f8acb1d45817c3/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f6772617a756c65782f6c61726176656c2d636f6e666967727970742e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/grazulex/laravel-configrypt)[![License](https://camo.githubusercontent.com/88fd9d313d9f3c9b02378bd69e3052b40bcd77740336ae91336e21d38f9c3fdf/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f6c6963656e73652f6772617a756c65782f6c61726176656c2d636f6e666967727970742e7376673f7374796c653d666c61742d737175617265)](https://github.com/Grazulex/laravel-configrypt/blob/main/LICENSE.md)[![PHP Version](https://camo.githubusercontent.com/84426bd99adff998fe2fba8d4423c3f3da7025895344bd5354f6b5e55747b829/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f7068702d762f6772617a756c65782f6c61726176656c2d636f6e666967727970742e7376673f7374796c653d666c61742d737175617265)](https://php.net/)[![Laravel Version](https://camo.githubusercontent.com/7592d340e2de1142fa869382b819654d6a0bf7baf8e3c8aded777d652d68c01a/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c61726176656c2d31322e782d6666326432303f7374796c653d666c61742d737175617265266c6f676f3d6c61726176656c)](https://laravel.com/)[![Tests](https://camo.githubusercontent.com/ba942eb3c27a6d16cdd79b4ec74a75af8d70ea441eac0af5b850b8d975666002/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f6772617a756c65782f6c61726176656c2d636f6e666967727970742f74657374732e796d6c3f6272616e63683d6d61696e266c6162656c3d7465737473267374796c653d666c61742d737175617265)](https://github.com/Grazulex/laravel-configrypt/actions)[![Code Style](https://camo.githubusercontent.com/161d70e6871f808e0439b3e7a86540993ae98775540b5a2e78226000e3c419c7/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f636f64652532307374796c652d70696e742d3030303030303f7374796c653d666c61742d737175617265266c6f676f3d6c61726176656c)](https://github.com/laravel/pint) ๐Ÿ” Overview ---------- [](#-overview) ๐Ÿ” Laravel Configrypt lets you **encrypt secrets directly in your `.env` file** using a secure key, and decrypt them using reliable helper functions that work around Laravel's environment caching limitations. It protects values like API tokens, database credentials, or secret keys โ€” especially when sharing `.env` files across environments or storing encrypted configs in source control or CI/CD. โœจ Features ---------- [](#-features) - ๐Ÿ” Encrypt `.env` values using AES-256 - ๐Ÿ”“ Reliable decryption with helper functions - ๐Ÿ”ง Seamless Laravel integration via service provider - ๐Ÿ”‘ Custom encryption key support (fallback to `APP_KEY`) - ๐Ÿ›ก๏ธ Secure by default: decryption only happens inside app runtime - โš™๏ธ Configurable via `config/configrypt.php` - ๐Ÿงช Safe for CI/CD, secrets rotation, and external vault injection ๐Ÿ’ก Example --------- [](#-example) In your `.env`: ``` MAIL_PASSWORD=ENC:gk9AvRZgx6Jyds7K2uFctw== ``` In your Laravel code: ``` // Method 1: Use helper functions (recommended) $password = configrypt_env('MAIL_PASSWORD'); // returns decrypted value $password = encrypted_env('MAIL_PASSWORD'); // alias for configrypt_env() // Method 2: Use the Str macro for easy migration use Illuminate\Support\Str; $password = Str::decryptEnv('MAIL_PASSWORD'); // easy search & replace from env() // Method 3: Use the environment facade use LaravelConfigrypt\Facades\ConfigryptEnv; $password = ConfigryptEnv::get('MAIL_PASSWORD'); // returns decrypted value // Method 4: Manual decryption use LaravelConfigrypt\Facades\Configrypt; $rawValue = env('MAIL_PASSWORD'); // still encrypted due to Laravel's env cache $password = Configrypt::decrypt($rawValue); // manual decrypt // Note: env('MAIL_PASSWORD') returns encrypted value due to Laravel's cache limitation ``` โš™๏ธ Configuration ---------------- [](#๏ธ-configuration) Publish the config: ``` php artisan vendor:publish --tag=configrypt-config ``` Result in `config/configrypt.php`: ``` return [ // Use a dedicated key or fallback to APP_KEY 'key' => env('CONFIGRYPT_KEY', env('APP_KEY')), // Prefix used to identify encrypted values 'prefix' => env('CONFIGRYPT_PREFIX', 'ENC:'), // Cipher method 'cipher' => env('CONFIGRYPT_CIPHER', 'AES-256-CBC'), // Auto decrypt (deprecated - has no effect) 'auto_decrypt' => env('CONFIGRYPT_AUTO_DECRYPT', false), ]; ``` ๐Ÿš€ Quick Start ------------- [](#-quick-start) ### 1. Install the package [](#1-install-the-package) ``` composer require grazulex/laravel-configrypt ``` ### 2. Publish configuration (optional) [](#2-publish-configuration-optional) ``` php artisan vendor:publish --tag=configrypt-config ``` ### 3. Encrypt your secrets [](#3-encrypt-your-secrets) ``` php artisan configrypt:encrypt "my-super-secret-password" ``` Output: ``` Encrypted value: ENC:gk9AvRZgx6Jyds7K2uFctw== You can now use this encrypted value in your .env file: SOME_SECRET=ENC:gk9AvRZgx6Jyds7K2uFctw== ``` ### 4. Add to your .env file [](#4-add-to-your-env-file) ``` DB_PASSWORD=ENC:gk9AvRZgx6Jyds7K2uFctw== API_SECRET=ENC:XyZ123AbC456DeF789GhI012JkL== JWT_SECRET=ENC:MnOpQrStUvWxYzAbCdEfGhIjKl== ``` ### 5. Use in your application [](#5-use-in-your-application) **โš ๏ธ Important: Laravel's `env()` function cannot be automatically decrypted due to early caching.** ``` // โŒ This won't work - Laravel caches env() before our package loads $dbPassword = env('DB_PASSWORD'); // Returns "ENC:xyz..." (still encrypted) // โœ… Use our helper functions instead (recommended) $dbPassword = configrypt_env('DB_PASSWORD'); // Returns decrypted value $apiSecret = encrypted_env('API_SECRET'); // Alias for consistency // โœ… Or use the facade for more control use LaravelConfigrypt\Facades\ConfigryptEnv; $dbPassword = ConfigryptEnv::get('DB_PASSWORD'); // โœ… Or use the Str macro for easy migration use Illuminate\Support\Str; $dbPassword = Str::decryptEnv('DB_PASSWORD'); ``` โš ๏ธ Important: Laravel env() Cache Limitation -------------------------------------------- [](#๏ธ-important-laravel-env-cache-limitation) **Laravel caches environment variables very early in the boot process, before service providers load.** This means the standard `env()` function **cannot** be automatically decrypted. ### ๐Ÿ”ง Solution: Use Helper Functions [](#-solution-use-helper-functions) ``` // โŒ This won't work - returns encrypted value $password = env('DB_PASSWORD'); // Still returns "ENC:xyz..." // โœ… These work - return decrypted values $password = configrypt_env('DB_PASSWORD'); $password = encrypted_env('DB_PASSWORD'); $password = ConfigryptEnv::get('DB_PASSWORD'); ``` ### ๐Ÿš€ Quick Migration [](#-quick-migration) Find and replace in your codebase: ``` # Replace env() calls with configrypt_env() find . -name "*.php" -exec sed -i 's/env(/configrypt_env(/g' {} \; # Or use Str::decryptEnv() for easier reversal find . -name "*.php" -exec sed -i 's/env(/Str::decryptEnv(/g' {} \; ``` ๐Ÿ”ง Advanced Usage ---------------- [](#-advanced-usage) ### Using the Facades [](#using-the-facades) ``` use LaravelConfigrypt\Facades\Configrypt; use LaravelConfigrypt\Facades\ConfigryptEnv; // Encrypt a value $encrypted = Configrypt::encrypt('my-secret-value'); // Decrypt a value $decrypted = Configrypt::decrypt('ENC:encrypted-value'); // Check if a value is encrypted $isEncrypted = Configrypt::isEncrypted('ENC:some-value'); // Environment-specific methods $dbPassword = ConfigryptEnv::get('DB_PASSWORD'); $allDecrypted = ConfigryptEnv::getAllDecrypted(); ``` ### Helper Functions [](#helper-functions) ``` // Primary helper functions (recommended approach) $dbPassword = configrypt_env('DB_PASSWORD', 'default-value'); $apiKey = encrypted_env('API_KEY'); // alias for configrypt_env() // Str macro for easy migration from env() calls use Illuminate\Support\Str; $secret = Str::decryptEnv('JWT_SECRET'); ``` ### Dependency Injection [](#dependency-injection) ``` use LaravelConfigrypt\Services\ConfigryptService; use LaravelConfigrypt\Services\EnvironmentDecryptor; class MyController extends Controller { public function __construct( private ConfigryptService $configrypt, private EnvironmentDecryptor $envDecryptor ) { } public function encryptValue(Request $request) { $encrypted = $this->configrypt->encrypt($request->value); return response()->json(['encrypted' => $encrypted]); } public function getDecryptedEnv(string $key) { return $this->envDecryptor->get($key); } } ``` ๐Ÿงช Practical Examples -------------------- [](#-practical-examples) ### Database Configuration [](#database-configuration) ``` # Encrypt your database password DB_PASSWORD=ENC:W3+f/2ZzZfl9KQ== ``` ``` // config/database.php 'mysql' => [ 'driver' => 'mysql', 'password' => configrypt_env('DB_PASSWORD'), // Use helper function ], ``` ### API Keys Management [](#api-keys-management) ``` # Third-party service credentials STRIPE_SECRET=ENC:Nq8j8hlc3PMp9uE= MAILGUN_SECRET=ENC:XYZ123456789abc= AWS_SECRET_ACCESS_KEY=ENC:AbCdEf1234567890= ``` ``` // config/services.php 'stripe' => [ 'secret' => configrypt_env('STRIPE_SECRET'), ], 'mailgun' => [ 'secret' => configrypt_env('MAILGUN_SECRET'), ], // config/filesystems.php 's3' => [ 'driver' => 's3', 'secret' => configrypt_env('AWS_SECRET_ACCESS_KEY'), ], ``` ### Multi-Environment Setup [](#multi-environment-setup) ``` # Development CONFIGRYPT_KEY=dev-key-32-characters-long----- DB_PASSWORD=ENC:dev-encrypted-password # Production CONFIGRYPT_KEY=prod-key-32-characters-long---- DB_PASSWORD=ENC:prod-encrypted-password ``` More examples are available in the **[Examples Wiki](https://github.com/Grazulex/laravel-configrypt/wiki/Examples)**. ๐Ÿ”‘ Changing Keys --------------- [](#-changing-keys) You can define a custom `CONFIGRYPT_KEY` in `.env` to use a dedicated encryption key different from `APP_KEY`. > ๐Ÿ’ก Remember: only encrypted values with the correct key can be decrypted. Keep your key safe! ๐Ÿ›ก๏ธ Security Considerations -------------------------- [](#๏ธ-security-considerations) - **Environment Variable Safety**: Decrypted values never touch disk after load, only stored in runtime memory - **Prefix Protection**: `ENC:` prefix ensures only intended values are decrypted - **Error Handling**: Graceful fallbacks prevent application crashes from decryption failures - **Key Management**: Only encrypted values with the correct key can be decrypted - keep your key safe! - **Production Usage**: Ideal for `.env.staging`, `.env.production`, or vault-managed `.env` overrides - **Team Sharing**: Perfect for sharing `.env` securely in teams or across pipelines ๐Ÿ“š Documentation --------------- [](#-documentation) Comprehensive documentation and examples are available in the **[GitHub Wiki](https://github.com/Grazulex/laravel-configrypt/wiki)**: - **[Installation Guide](https://github.com/Grazulex/laravel-configrypt/wiki/Installation)** - Getting started with Laravel Configrypt - **[Configuration](https://github.com/Grazulex/laravel-configrypt/wiki/Configuration)** - Customizing encryption settings - **[Basic Usage](https://github.com/Grazulex/laravel-configrypt/wiki/Basic-Usage)** - Fundamental encryption/decryption operations - **[Advanced Usage](https://github.com/Grazulex/laravel-configrypt/wiki/Advanced-Usage)** - Complex scenarios and integrations - **[Artisan Commands](https://github.com/Grazulex/laravel-configrypt/wiki/Artisan-Commands)** - Command-line tools reference - **[API Reference](https://github.com/Grazulex/laravel-configrypt/wiki/API-Reference)** - Complete API documentation - **[Security Considerations](https://github.com/Grazulex/laravel-configrypt/wiki/Security)** - Security best practices - **[Troubleshooting](https://github.com/Grazulex/laravel-configrypt/wiki/Troubleshooting)** - Common issues and solutions - **[Examples](https://github.com/Grazulex/laravel-configrypt/wiki/Examples)** - Practical usage examples ๐Ÿ“„ License --------- [](#-license) MIT License โ€” see [LICENSE.md](LICENSE.md) --- Made with ๐Ÿ” for Laravel developers who care about secrets. ### Health Score 35 โ€” LowBetter than 80% of packages Maintenance56 Moderate activity, may be stable Popularity12 Limited adoption so far Community9 Small or concentrated contributor base Maturity52 Maturing project, gaining track record Bus Factor1 Top contributor holds 80% of commits โ€” single point of failure How is this calculated?**Maintenance (25%)** โ€” Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** โ€” Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** โ€” Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** โ€” Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~18 days Total 2 Last Release 270d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/888105bd54b6b7f7905523a16a1d08eebc2e5d39b19a4c174b5961bb4d52929b?d=identicon)[Grazulex](/maintainers/Grazulex) --- Top Contributors [![Grazulex](https://avatars.githubusercontent.com/u/4521546?v=4)](https://github.com/Grazulex "Grazulex (28 commits)")[![Copilot](https://avatars.githubusercontent.com/in/1143301?v=4)](https://github.com/Copilot "Copilot (7 commits)") --- Tags configlaravelpackagephpsecuritylaravelconfigurationconfigsecurityencryptionenvironmentdevopsenvruntimesecretslaravel12php8.3decryptionci-cdAES-256 ### Code Quality TestsPest Static AnalysisPHPStan, Rector Code StyleLaravel Pint ### Embed Badge ![Health badge](/badges/grazulex-laravel-configrypt/health.svg) ``` [![Health](https://phpackages.com/badges/grazulex-laravel-configrypt/health.svg)](https://phpackages.com/packages/grazulex-laravel-configrypt) ``` ### Alternatives [ercsctt/laravel-file-encryption Secure file encryption and decryption for Laravel applications 642.6k](/packages/ercsctt-laravel-file-encryption)[illuminatech/config Provides support for Laravel application runtime configuration managed in persistent storage 14921.0k1](/packages/illuminatech-config) PHPackages ยฉ 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)