
techsemicolon/laravel-app-key-rotation
======================================

A helper library to re-encrypt the existing encrypted data when you rotate your Laravel APP\_KEY

Version 1.0.0 (6y ago) | [1 PRs](https://github.com/techsemicolon/laravel-app-key-rotation/pulls) | License: MIT | Language: PHP | Requires PHP >=5.4.0

[Source](https://github.com/techsemicolon/laravel-app-key-rotation) | [Packagist](https://packagist.org/packages/techsemicolon/laravel-app-key-rotation)

Laravel Re-encrypt after APP\_KEY rotation
==========================================


 [![Laravel](laravel-logo.png)](laravel-logo.png)

The APP\_KEY keeps your user sessions and other encrypted data secure. If the application key is not set, your user sessions and other encrypted data will not be secure. Believe it or not, that is a big security risk.

For more specific context, Laravel previously had this security issue:

> If your application's encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application.

Hence, it is important to rotate your APP\_KEY at frequent intervals. [`Know More`](https://techsemicolon.github.io/blog/2019/06/10/aws-update-ami-systems-manager-automation/)

How can you use this package :
------------------------------


When the APP\_KEY is changed in an existing app, any data you have encrypted with the Crypt facade or the encrypt() helper function can no longer be decrypted, because the encryption uses the APP\_KEY.

So when you run `php artisan key:generate` to get a new key as part of key rotation, you first need to decrypt the old encrypted data using the old APP\_KEY and then re-encrypt it using the newly generated APP\_KEY.

Installation :
--------------


```
composer require techsemicolon/laravel-app-key-rotation
```

Usage :
-------


You can instantiate the `ReEncrypter` class by passing the old APP\_KEY. For that to work, keep your old APP\_KEY safe for reference before you rotate the APP\_KEY to a new one.

```
// This is your old APP_KEY (the value that was in use before rotation)
$oldAppKey = "your_old_app_key";

// Instantiate ReEncrypter with the old key
$reEncrypter = new ReEncrypter($oldAppKey);

// Re-encrypt the $oldEncryptedPayload value
$newEncryptedPayload = $reEncrypter->encrypt($oldEncryptedPayload);
```

Suggestion :
------------

When you update your database with the new encrypted payload values, make sure you have another column in which you store the old encrypted payload value as a backup. This prevents data loss during the key rotation.
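The re-encryption step and the backup value described above, as an added example that is not part of this package. It uses Laravel's own `Illuminate\Encrypter` class directly rather than `ReEncrypter`, and it goes slightly beyond the text by making the step safe to re-run and by reporting payloads that neither key can read. The function names `encrypterFor` and `rotatePayload` are hypothetical, and the sample keys and value are constructed.

```php
<?php
// Added example: not the package's code. Assumes illuminate/encryption is installed
// via Composer (it ships with Laravel). Function names below are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;

// Build an Encrypter from an APP_KEY value as stored in .env ("base64:...").
function encrypterFor(string $appKey, string $cipher = 'AES-256-CBC'): Encrypter
{
    if (strncmp($appKey, 'base64:', 7) === 0) {
        $appKey = base64_decode(substr($appKey, 7));
    }
    return new Encrypter($appKey, $cipher);
}

// Re-encrypt one stored payload. Returns the new payload, the backup value and a status.
function rotatePayload(string $payload, Encrypter $old, Encrypter $new): array
{
    try {
        // Already readable with the new key: a re-run must not touch this row.
        $new->decrypt($payload, false);
        return ['status' => 'current', 'payload' => $payload, 'backup' => null];
    } catch (DecryptException $e) {
        // Not under the new key yet; try the old one.
    }
    try {
        // false = do not unserialize: the plaintext is carried over byte for byte.
        $plain = $old->decrypt($payload, false);
    } catch (DecryptException $e) {
        // Neither key verifies the MAC: leave the row alone and report it.
        return ['status' => 'failed', 'payload' => $payload, 'backup' => null];
    }
    return ['status' => 'rotated', 'payload' => $new->encrypt($plain, false), 'backup' => $payload];
}

// Constructed sample data: two random 256-bit keys and one value stored via encrypt().
$old = encrypterFor('base64:' . base64_encode(random_bytes(32)));
$new = encrypterFor('base64:' . base64_encode(random_bytes(32)));
$stored = $old->encrypt('1234567890');

$first  = rotatePayload($stored, $old, $new);
$second = rotatePayload($first['payload'], $old, $new);
$other  = rotatePayload('not-a-payload', $old, $new);

printf("%s %s %s %s\n", $first['status'], $second['status'], $other['status'],
    $new->decrypt($first['payload']));
```

Passing `false` to `decrypt()` and `encrypt()` skips PHP unserialization during rotation, so the stored value keeps whatever format it had and no object is instantiated from old data. Write `backup` to the backup column only when the status is `rotated`.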

Example :
---------

Let's imagine we have a column called `bank_account_number` in the `users` table, stored as an encrypted string. We have another column in the same table, `old_bank_account_number`, to store the old encrypted payload as a backup.

We can create a command `php artisan encryption:rotate` :

```
