kidfund/laravault
=================

Auto encrypt Eloquent models using Hashicorp Vault


LaraVault
=========


LaraVault uses Hashicorp [Vault](https://www.vaultproject.io/ "Vault") to encrypt and decrypt specific fields on an Eloquent model, and stores the encrypted values in your existing database.

- [LaraVault](#laravault)
- [Install](#install)
- [Usage](#usage)
    - [Vault Setup](#vault-setup)
    - [Vault Process](#vault-process)
        - [Encryption](#encryption)
        - [Decryption](#decryption)
    - [Laravel Trait](#laravel-trait)
    - [Notes](#notes)
- [Testing](#testing)
    - [Without a running vault instance](#without-a-running-vault-instance)
    - [With a running vault instance](#with-a-running-vault-instance)
- [Contributing](#contributing)
- [Security](#security)
- [Credits](#credits)
- [License](#license)


Install
=======

Via Composer

```
$ composer require kidfund/laravault
```

Usage
=====

Kidfund uses Hashicorp's [Vault](https://www.vaultproject.io/ "Vault") to encrypt user PII. There are 3 main aspects to this:

1. The Vault Server
2. The Vault Client
3. The Laravel model trait that encrypts/decrypts attributes

The Vault server can be run from the command line. If it is [installed](https://www.vaultproject.io/downloads.html "installed"), the server can be started with this command, from the root of the Kidfund project:

```
vault server -config ./vendor/kidfund/thin-transit-client/config/vault.hcl.example
```

Vault Setup
-----------

If you are running Vault locally for the first time, it needs to be set up. This is a one-time step; after it, Laravel will interact with Vault for you. The only exception is unsealing: you will need to unseal the vault each time it is started.

1. Leave the window where you started vault open
2. In a new window: `export VAULT_ADDR=http://192.168.20.20:8200` *(This is assuming a vagrant/homestead setup. You may be pointing to localhost)*
3. `vault init` will give you the master key shards for your instance. Hold on to these.
4. Also make note of the initial root token. Take it and run this: `export VAULT_TOKEN=[YOUR INITIAL ROOT TOKEN]`
5. `vault unseal` and put in 3 of the master key shards (keep running the command)
6. `vault mount transit`
7. Create the access policy that Laravel will use: `vault policy-write web ./vendor/kidfund/thin-transit-client/config/vault.policy.web.json`
8. Get an access token for Laravel: `vault token-create -orphan -policy="web"`
9. Add this token to `VAULT_TOKEN=` in `.env`

Vault Process
-------------

If a Laravel model is encrypting a field, these are the general steps taken using Vault's [Transit](https://www.vaultproject.io/docs/secrets/transit/index.html "Transit") backend.

### Encryption

1. Model determines if encryption is needed and sends cleartext to Vault Client
2. Vault client talks to Vault Server and gets ciphertext
3. Vault client hands ciphertext to Laravel Model
4. Laravel saves ciphertext in Laravel's data store

### Decryption

1. Model retrieves ciphertext from Laravel's database
2. Model determines if decryption is needed and sends ciphertext to Vault Client
3. Vault client talks to Vault Server and gets cleartext
4. Vault client hands cleartext to Laravel Model
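
The exchange in the Encryption and Decryption steps above, shown at the HTTP level as an added example (not LaraVault's or thin-transit-client's own code). It builds the Transit encrypt request and parses constructed responses offline; the key name `users-phone_number`, the context `users/42`, the token and the sample ciphertext are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration. Key name, context, token and responses are hypothetical/constructed.

/** Build the HTTP request a Transit client sends to encrypt one field value. */
function transitEncryptRequest(string $addr, string $token, string $key, string $plaintext, string $context): array
{
    return [
        'method'  => 'POST',
        'url'     => rtrim($addr, '/') . '/v1/transit/encrypt/' . rawurlencode($key),
        'headers' => ['X-Vault-Token: ' . $token, 'Content-Type: application/json'],
        // Transit expects both plaintext and context base64-encoded.
        'body'    => json_encode([
            'plaintext' => base64_encode($plaintext),
            'context'   => base64_encode($context),
        ], JSON_THROW_ON_ERROR),
    ];
}

/** Extract the ciphertext from an encrypt response, rejecting anything malformed. */
function parseEncryptResponse(string $json): string
{
    $data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    $ct = $data['data']['ciphertext'] ?? null;
    // Transit ciphertext has the form vault:v<key version>:<base64>.
    if (!is_string($ct) || !preg_match('/^vault:v\d+:[A-Za-z0-9+\/]+=*$/', $ct)) {
        throw new UnexpectedValueException('Vault returned no usable ciphertext');
    }
    return $ct;
}

/** Extract and base64-decode the cleartext from a decrypt response. */
function parseDecryptResponse(string $json): string
{
    $data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    $b64 = $data['data']['plaintext'] ?? null;
    $plain = is_string($b64) ? base64_decode($b64, true) : false;
    if ($plain === false) {
        throw new UnexpectedValueException('Vault returned no usable plaintext');
    }
    return $plain;
}

// Constructed sample exchange (the ciphertext is made up, not real Vault output).
$req = transitEncryptRequest('http://192.168.20.20:8200', 'EXAMPLE-TOKEN', 'users-phone_number', '+15555550100', 'users/42');
echo $req['method'], ' ', $req['url'], "\n", $req['body'], "\n";
echo parseEncryptResponse('{"data":{"ciphertext":"vault:v1:Q09OU1RSVUNURUQ="}}'), "\n";
echo parseDecryptResponse('{"data":{"plaintext":"' . base64_encode('+15555550100') . '"}}'), "\n";
```

Both the token and the cleartext travel in this request, so outside a local development box `VAULT_ADDR` should be an `https://` address.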

Laravel Trait
-------------

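To enable encryption on a model, use the trait and list the attributes to encrypt:

```
use Illuminate\Foundation\Auth\User as Authenticatable;
use Kidfund\LaraVault\LaraVault;

class User extends Authenticatable
{
    use LaraVault;

    // Attributes that LaraVault encrypts and decrypts through Vault
    protected $encrypts = [
        'phone_number',
    ];
}
```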

**Fields using Vault MUST be larger than normal:**

The ciphertext is a lot longer than the cleartext.

```
$table->string('phone_number', 255);
```

Notes
-----

- The master key is unknown to anyone except the operator
- A different encryption key is used for each field that is encrypted. Each key is encrypted with the master key
- Every row gets its own context in Vault
- Date/Times encrypted by LaraVault **must be strings**

Testing
=======

Without a running vault instance
--------------------------------

```
$ ./vendor/bin/phpunit --exclude-group EndToEnd
```

With a running vault instance
-----------------------------

```
$ ./vendor/bin/phpunit
```

Contributing
============

Please see [CONTRIBUTING](CONTRIBUTING.md) and [CONDUCT](CONDUCT.md) for details.

Security
========

If you discover any security related issues, please email  instead of using the issue tracker.

Credits
=======

- [@timbroder](https://github.com/timbroder)

License
=======

The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

