PHPackages                             spatie/laravel-ciphersweet - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. spatie/laravel-ciphersweet

ActiveLibrary[Security](/categories/security)

spatie/laravel-ciphersweet
==========================

Use ciphersweet in your Laravel project

1.7.4(2mo ago)416718.4k—3.4%37[1 PRs](https://github.com/spatie/laravel-ciphersweet/pulls)1MITPHPPHP ^8.1CI passing

Since Jun 30Pushed 2mo ago8 watchersCompare

[ Source](https://github.com/spatie/laravel-ciphersweet)[ Packagist](https://packagist.org/packages/spatie/laravel-ciphersweet)[ Docs](https://github.com/spatie/laravel-ciphersweet)[ RSS](/packages/spatie-laravel-ciphersweet/feed)WikiDiscussions main Synced 1mo ago

READMEChangelog (10)Dependencies (26)Versions (25)Used By (1)

Use CipherSweet in your Laravel project
=======================================

[](#use-ciphersweet-in-your-laravel-project)

[![Latest Version on Packagist](https://camo.githubusercontent.com/395ec201199ba871c7bcb8c4821de5089f70239ca6eb377ed8fc8b49db9fa0ba/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f7370617469652f6c61726176656c2d63697068657273776565742e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/spatie/laravel-ciphersweet)[![GitHub Tests Action Status](https://camo.githubusercontent.com/99b36e1511eadb27cf5600a32959a3b6ff920907b90d585048b607ca8cf19fc2/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f7370617469652f6c61726176656c2d63697068657273776565742f72756e2d74657374732e796d6c3f6272616e63683d6d61696e266c6162656c3d7465737473)](https://github.com/spatie/laravel-ciphersweet/actions?query=workflow%3Arun-tests+branch%3Amain)[![GitHub Code Style Action Status](https://camo.githubusercontent.com/827e08b499f97bf1f6ecb15e4b3a0ecefb4adab8a3f1b363aa401d9a94a94a97/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f7370617469652f6c61726176656c2d63697068657273776565742f7068702d63732d66697865722e796d6c3f6272616e63683d6d61696e266c6162656c3d636f64652532307374796c65)](https://github.com/spatie/laravel-ciphersweet/actions?query=workflow%3A%22Check+%26+fix+styling%22+branch%3Amain)[![Total Downloads](https://camo.githubusercontent.com/dac1e98127f9bb78889e30b0fb22dec59d6c509d463779e31107f2813b6bedbf/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f7370617469652f6c61726176656c2d63697068657273776565742e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/spatie/laravel-ciphersweet)

In your project, you might store sensitive personal data in your database. Should an unauthorised person get access to your DB, all sensitive can be read which is obviously not good.

To solve this problem, you can encrypt the personal data. This way, unauthorized persons cannot read it, but your application can still decrypt it when you need to display or work with the data.

[CipherSweet](https://ciphersweet.paragonie.com/) is a backend library developed by [Paragon Initiative Enterprises](https://paragonie.com/) for implementing [searchable field-level encryption](https://paragonie.com/blog/2017/05/building-searchable-encrypted-databases-with-php-and-sql). It can encrypt and decrypt values in a very secure way. It is also able to create blind indexes. These indexes can be used to perform searches on encrypted data. The indexes themselves are unreadable by humans.

Our package is a wrapper over CipherSweet, which allows you to easily use it with Laravel's Eloquent models.

Support us
----------

[](#support-us)

[![](https://camo.githubusercontent.com/1963e18e5d57bc24385aec981cce78ab749f3a72b7d8f49ed4544f61056b1d06/68747470733a2f2f6769746875622d6164732e73332e65752d63656e7472616c2d312e616d617a6f6e6177732e636f6d2f6c61726176656c2d63697068657273776565742e6a70673f743d31)](https://spatie.be/github-ad-click/laravel-ciphersweet)

We invest a lot of resources into creating [best in class open source packages](https://spatie.be/open-source). You can support us by [buying one of our paid products](https://spatie.be/open-source/support-us).

We highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. You'll find our address on [our contact page](https://spatie.be/about-us). We publish all received postcards on [our virtual postcard wall](https://spatie.be/open-source/postcards).

Installation
------------

[](#installation)

You can install the package via composer:

```
composer require spatie/laravel-ciphersweet
```

You must publish and run the migrations with:

```
php artisan vendor:publish --tag="ciphersweet-migrations"
php artisan migrate
```

Optionally, you can publish the config file with:

```
php artisan vendor:publish --tag="ciphersweet-config"
```

This is the contents of the config file:

```
return [
    /*
     * This controls which cryptographic backend will be used by CipherSweet.
     * Unless you have specific compliance requirements, you should choose
     * "nacl".
     *
     * Supported: "boring", "fips", "nacl"
     */

    'backend' => env('CIPHERSWEET_BACKEND', 'nacl'),

    /*
     * Select which key provider your application will use. The default option
     * is to read a string literal out of .env, but it's also possible to
     * provide the key in a file or use random keys for testing.
     *
     * Supported: "file", "random", "string"
     */

    'provider' => env('CIPHERSWEET_PROVIDER', 'string'),

    /*
     * Set provider-specific options here. "string" will read the key directly
     * from your .env file. "file" will read the contents of the specified file
     * to use as your key. "custom" points to a factory class that returns a
     * provider from its `__invoke` method. Please see the docs for more details.
     */
    'providers' => [
        'file' => [
            'path' => env('CIPHERSWEET_FILE_PATH'),
        ],
        'string' => [
            'key' => env('CIPHERSWEET_KEY'),
        ],
    ],

    /*
     * The provided code snippet checks whether the $permitEmpty property is set to false
     * for a given field. If it is not set to false, it throws an EmptyFieldException indicating
     * that the field is not defined in the row. This ensures that the code enforces the requirement for
     * the field to have a value and alerts the user if it is empty or undefined.
     * Supported: "true", "false"
     */
    'permit_empty' => env('CIPHERSWEET_PERMIT_EMPTY', FALSE)

];
```

Usage
-----

[](#usage)

Few steps are involved to store encrypted values. Let's go through them.

### 1. Preparing your model and choosing the attributes that should be encrypted

[](#1-preparing-your-model-and-choosing-the-attributes-that-should-be-encrypted)

Add the `CipherSweetEncrypted` interface and `UsesCipherSweet` trait to the model that you want to add encrypted fields to.

You'll need to implement the `configureCipherSweet` method to configure CipherSweet.

```
use Spatie\LaravelCipherSweet\Contracts\CipherSweetEncrypted;
use Spatie\LaravelCipherSweet\Concerns\UsesCipherSweet;
use ParagonIE\CipherSweet\EncryptedRow;
use ParagonIE\CipherSweet\BlindIndex;
use Illuminate\Database\Eloquent\Model;

class User extends Model implements CipherSweetEncrypted
{
    use UsesCipherSweet;

    /**
     * Encrypted Fields
     *
     * Each column that should be encrypted should be added below. Each column
     * in the migration should be a `text` type to store the encrypted value.
     *
     * ```
     * ->addField('column_name')
     * ->addBooleanField('column_name')
     * ->addIntegerField('column_name')
     * ->addTextField('column_name')
     * ```
     *
     * Optional Fields
     *
     * These do not encrypt when NULL is provided as a value.
     * Instead, they become an unencrypted NULL.
     *
     * ```
     * ->addOptionalTextField('column_name')
     * ->addOptionalBooleanField('column_name')
     * ->addOptionalFloatField('column_name')
     * ->addOptionalIntegerField('column_name')
     * ```
     *
     * A JSON array can be encrypted as long as the key structure is defined in
     * a field map. See the docs for details on defining field maps.
     *
     * ```
     * ->addJsonField('column_name', $fieldMap)
     * ```
     *
     * Each field that should be searchable using an exact match needs to be
     * added as a blind index. Partial search is not supported. See the docs
     * for details on bit sizes and how to use compound indexes.
     *
     * ```
     * ->addBlindIndex('column_name', new BlindIndex('column_name_index'))
     * ```
     *
     * @see https://github.com/spatie/laravel-ciphersweet
     * @see https://ciphersweet.paragonie.com/
     * @see https://ciphersweet.paragonie.com/php/blind-index-planning
     * @see https://github.com/paragonie/ciphersweet/blob/master/src/EncryptedRow.php
     *
     * @param EncryptedRow $encryptedRow
     *
     * @return void
     */
    public static function configureCipherSweet(EncryptedRow $encryptedRow): void
    {
        $encryptedRow
            ->addField('email')
            ->addBlindIndex('email', new BlindIndex('email_index'));
    }
}
```

The example above will encrypt the `email` field on the `User` model. It also adds a blind index in the `blind_indexes` table which allows you to search on it.

[Check out the CipherSweet PHP docs](https://ciphersweet.paragonie.com/php) for more information on what is possible.

### 2. Generating the encrypting key

[](#2-generating-the-encrypting-key)

An encryption key is used to encrypt your values. You can generate a new CipherSweet encrypting key using this command:

```
php artisan ciphersweet:generate-key
```

### 3. Updating your .env file

[](#3-updating-your-env-file)

After the key has been generated, you should add the generated CipherSweet key to your .env file.

```
CIPHERSWEET_KEY=

```

The key will be used by your application to manage encrypted values.

### 4. Encrypting model attributes

[](#4-encrypting-model-attributes)

With this in place, you can run this command to encrypt all values:

```
php artisan ciphersweet:encrypt
```

The command will update all the encrypted fields and blind indexes of the model.

If you have a lot of rows, this process can take a long time. The command is restartable: it can be re-run without needing to re-encrypt already rotated keys.

### Searching on blind indexes

[](#searching-on-blind-indexes)

Even though values are encrypted, you can still search them using a blind index. The blind indexes will have been built up when you ran the command to encrypt the model values.

This package provides a `whereBlind` and `orWhereBlind` scope to search on blind indexes.

The first parameter is the column, the second the index name you set up when calling `->addBlindIndex`, the third is the raw value, the package will automatically apply any transformations and hash the value to search on the blind index.

```
$user = User::whereBlind('email', 'email_index', 'rias@spatie.be');
```

### Rotating keys

[](#rotating-keys)

Should you suspect that somebody got a hold of your encrypting key, you can re-encrypt the values. Simply generate another encrypting key, and run the `php artisan ciphersweet:encrypt` command again.

```
php artisan ciphersweet:encrypt "App\User"
```

This will update all the encrypted fields and blind indexes of the model. Once this is done, you can update your environment or config file to use the new key.

Encrypted Unique Validation Rule
--------------------------------

[](#encrypted-unique-validation-rule)

You can validate encrypted fields for uniqueness using `EncryptedUniqueRule`.

When working with encrypted fields and blind indexes, Laravel’s default `Rule::unique()` validation doesn't work out of the box. This package includes a custom rule to check for uniqueness via blind indexes.

### Usage

[](#usage-1)

You may use the rule directly:

```
use Spatie\LaravelCipherSweet\Rules\EncryptedUniqueRule;

$request->validate([
    'email' => [new EncryptedUniqueRule(User::class, 'email_index')],
]);
```

Or, for a more expressive approach, use the macro added to Laravel’s `Rule` class:

```
use Illuminate\Validation\Rule;

$request->validate([
    'email' => [Rule::encryptedUnique(User::class, 'email_index')],
]);
```

> The third parameter of the rule is the database column name. If not provided, it will default to the validation attribute name (i.e., `email` in the example above).

### Ignoring a Record (e.g. on update)

[](#ignoring-a-record-eg-on-update)

You can skip a specific record by using the `ignore()` method:

```
Rule::encryptedUnique(User::class, 'email_index')->ignore($user->id)
```

Or pass the model instance:

```
Rule::encryptedUnique(User::class, 'email_index')->ignoreModel($user)
```

> 💡 Ensure the target model implements `Spatie\LaravelCipherSweet\Contracts\CipherSweetEncrypted` and defines the appropriate blind index.

Implementing a custom backend
-----------------------------

[](#implementing-a-custom-backend)

You can implement a custom backend by setting the `ciphersweet.backend` config value to `custom`.

The `ciphersweet.backend.custom` config value must then be set to an invokeable factory class that returns an implementation of `ParagonIE\CipherSweet\Contract\BackendInterface`

```
class CustomBackendFactory {
    public function __invoke()
    {
        return new CustomBackend();
    }
}

class CustomBackend implements BackendInterface {

    public function encrypt(string $plaintext, SymmetricKey $key, string $aad = ''): string
    {
        // Your logic here.
    }

    public function decrypt(string $ciphertext, SymmetricKey $key, string $aad = ''): string
    {
        // Your logic here.
    }

    public function blindIndexFast(string $plaintext, SymmetricKey $key, ?int $bitLength = null): string
    {
        // Your logic here.
    }

    public function blindIndexSlow(string $plaintext, SymmetricKey $key, ?int $bitLength = null, array $config = []): string
    {
        // Your logic here.
    }

    public function getIndexTypeColumn(string $tableName, string $fieldName, string $indexName): string
    {
        // Your logic here.
    }

    public function deriveKeyFromPassword(string $password, string $salt): SymmetricKey
    {
        // Your logic here.return new SymmetricKey('123');
    }

    public function doStreamDecrypt($inputFP, $outputFP, SymmetricKey $key, int $chunkSize = 8192, ?AAD $aad = null): bool
    {
        // Your logic here.
    }

    public function doStreamEncrypt($inputFP, $outputFP, SymmetricKey $key, int $chunkSize = 8192, string $salt = Constants::DUMMY_SALT, ?AAD $aad = null): bool
    {
        // Your logic here.
    }

    public function getFileEncryptionSaltOffset(): int
    {
        // Your logic here.
    }

    public function getPrefix(): string
    {
        // Your logic here.
    }
}
```

Implementing a custom key provider
----------------------------------

[](#implementing-a-custom-key-provider)

You can implement a custom key provider by setting the `ciphersweet.provider` config value to `custom`.

The `ciphersweet.providers.custom` config value must then be set to an invokeable factory class that returns an implementation of `ParagonIE\CipherSweet\Contract\KeyProviderInterface`

```
class CustomKeyProviderFactory {
    public function __invoke()
    {
        return new CustomKeyProvider();
    }
}

class CustomKeyProvider implements KeyProviderInterface {

    public function getSymmetricKey(): SymmetricKey
    {
        return new SymmetricKey(''); // Your logic here.
    }
}
```

Testing
-------

[](#testing)

```
composer test
```

Changelog
---------

[](#changelog)

Please see [CHANGELOG](CHANGELOG.md) for more information on what has changed recently.

Contributing
------------

[](#contributing)

Please see [CONTRIBUTING](https://github.com/spatie/.github/blob/main/CONTRIBUTING.md) for details.

Security Vulnerabilities
------------------------

[](#security-vulnerabilities)

Please review [our security policy](../../security/policy) on how to report security vulnerabilities.

Credits
-------

[](#credits)

- [Rias Van der Veken](https://github.com/riasvdv)
- [All Contributors](../../contributors)

License
-------

[](#license)

The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

###  Health Score

63

—

FairBetter than 99% of packages

Maintenance86

Actively maintained with recent releases

Popularity58

Moderate usage in the ecosystem

Community29

Small or concentrated contributor base

Maturity66

Established project with proven stability

 Bus Factor2

2 contributors hold 50%+ of commits

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~60 days

Recently: every ~76 days

Total

23

Last Release

80d ago

Major Versions

0.0.1 → 1.0.02022-06-30

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/7535935?v=4)[Spatie](/maintainers/spatie)[@spatie](https://github.com/spatie)

---

Top Contributors

[![riasvdv](https://avatars.githubusercontent.com/u/3626559?v=4)](https://github.com/riasvdv "riasvdv (52 commits)")[![freekmurze](https://avatars.githubusercontent.com/u/483853?v=4)](https://github.com/freekmurze "freekmurze (50 commits)")[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (21 commits)")[![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4)](https://github.com/github-actions[bot] "github-actions[bot] (11 commits)")[![alissn](https://avatars.githubusercontent.com/u/26966142?v=4)](https://github.com/alissn "alissn (10 commits)")[![aryala7](https://avatars.githubusercontent.com/u/56627259?v=4)](https://github.com/aryala7 "aryala7 (4 commits)")[![laravel-shift](https://avatars.githubusercontent.com/u/15991828?v=4)](https://github.com/laravel-shift "laravel-shift (4 commits)")[![jeffersonmartin](https://avatars.githubusercontent.com/u/2792208?v=4)](https://github.com/jeffersonmartin "jeffersonmartin (3 commits)")[![AlexVanderbist](https://avatars.githubusercontent.com/u/6287961?v=4)](https://github.com/AlexVanderbist "AlexVanderbist (2 commits)")[![gawsoftpl](https://avatars.githubusercontent.com/u/75686400?v=4)](https://github.com/gawsoftpl "gawsoftpl (2 commits)")[![mdpoulter](https://avatars.githubusercontent.com/u/1091085?v=4)](https://github.com/mdpoulter "mdpoulter (2 commits)")[![mgkimsal](https://avatars.githubusercontent.com/u/75154?v=4)](https://github.com/mgkimsal "mgkimsal (2 commits)")[![rjindael](https://avatars.githubusercontent.com/u/59720715?v=4)](https://github.com/rjindael "rjindael (2 commits)")[![raksbisht](https://avatars.githubusercontent.com/u/15016564?v=4)](https://github.com/raksbisht "raksbisht (1 commits)")[![felabrecque](https://avatars.githubusercontent.com/u/165329484?v=4)](https://github.com/felabrecque "felabrecque (1 commits)")[![yormy](https://avatars.githubusercontent.com/u/37929978?v=4)](https://github.com/yormy "yormy (1 commits)")[![RobPrigroup](https://avatars.githubusercontent.com/u/107175024?v=4)](https://github.com/RobPrigroup "RobPrigroup (1 commits)")[![stevenmaguire](https://avatars.githubusercontent.com/u/1851973?v=4)](https://github.com/stevenmaguire "stevenmaguire (1 commits)")[![TeddyBear06](https://avatars.githubusercontent.com/u/1452474?v=4)](https://github.com/TeddyBear06 "TeddyBear06 (1 commits)")[![ur-oot](https://avatars.githubusercontent.com/u/83964076?v=4)](https://github.com/ur-oot "ur-oot (1 commits)")

---

Tags

laravelphpprivacysecurityspatielaravellaravel-ciphersweet

###  Code Quality

TestsPest

Code StylePHP CS Fixer

### Embed Badge

![Health badge](/badges/spatie-laravel-ciphersweet/health.svg)

```
[![Health](https://phpackages.com/badges/spatie-laravel-ciphersweet/health.svg)](https://phpackages.com/packages/spatie-laravel-ciphersweet)
```

###  Alternatives

[spatie/laravel-permission

Permission handling for Laravel 12 and up

12.9k89.8M1.0k](/packages/spatie-laravel-permission)[spatie/laravel-data

Create unified resources and data transfer objects

1.8k28.9M627](/packages/spatie-laravel-data)[spatie/laravel-health

Monitor the health of a Laravel application

86910.0M83](/packages/spatie-laravel-health)[spatie/laravel-csp

Add CSP headers to the responses of a Laravel app

8569.6M19](/packages/spatie-laravel-csp)[spatie/laravel-slack-alerts

Send a message to Slack

3212.6M4](/packages/spatie-laravel-slack-alerts)[spatie/laravel-login-link

Quickly login to your local environment

4381.2M1](/packages/spatie-laravel-login-link)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)