anjanesh's avatar

encrypt .env

I want my .env encrypted - how do I get my Laravel 9 app to use the settings - is there some built-in mechanism to decrypt .env content?

0 likes
8 replies
anjanesh's avatar

So how do I make use of the encrypted value string in settings?

use Illuminate\Support\Facades\Crypt;

// Read the stored (encrypted) value and decrypt it with APP_KEY
$encryptedValue = config('MAIL_PASSWORD');
$decrypted = Crypt::decryptString($encryptedValue);
Sinnbeck's avatar

@anjanesh I assume you didn't read the docs? You make an encrypted version of your env file called .env.encrypted by running the encrypt command. And you can get it back in your env file unencrypted using the decrypt command. You don't actually read the contents when they are encrypted.

anjanesh's avatar

My server admin is asking how to secure the .env file on the server's app folder.

hmmm read up on the laravel smtp crack... it's gone thermonuclear these past few days...
https://laravel-news.com/laravel-smtp-crack
Sinnbeck's avatar

@anjanesh then don't use an env file. Use actual environment variables. If you encrypt it, you will need the decryption key right next to it anyway.

jlrdw's avatar

@anjanesh I just read that article, and indeed that is a major problem. I have lost count of how many posts have come up where the user has Laravel set up wrong.

But if set up correctly you should be good to go. But it is probably better to not even use a .env file.

Sinnbeck's avatar

Another idea would be to write a deploy script that decrypts the file, caches config, and then deletes the env file. That way all files are in PHP, which cannot be read from a browser.
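The deploy step described in this reply, and the encrypt/decrypt commands mentioned earlier in the thread, as an added example that is not part of the original posts. It assumes Laravel 9.32 or later (where `env:encrypt` / `env:decrypt` exist), that `.env.encrypted` is already checked in, and that the decryption key is handed to the script as the real environment variable `LARAVEL_ENV_ENCRYPTION_KEY` (which `env:decrypt` reads when `--key` is not passed), so no key file sits in the app folder next to the ciphertext. The function names and the `deploy-env.sh` filename are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): decrypt .env.encrypted, compile the
# config cache, then remove the plaintext .env so only PHP files remain.
# Assumes: Laravel >= 9.32, and LARAVEL_ENV_ENCRYPTION_KEY provided by the
# environment of the deploy process, never stored on disk beside the app.
set -eu

# Decrypt .env.encrypted -> .env, build bootstrap/cache/config.php, delete .env.
# $1 = application root (defaults to the current directory).
deploy_decrypt_and_cache() {
    app_root="${1:-.}"

    [ -n "${LARAVEL_ENV_ENCRYPTION_KEY:-}" ] || {
        echo "LARAVEL_ENV_ENCRYPTION_KEY is not set; refusing to decrypt" >&2
        return 1
    }
    [ -f "$app_root/.env.encrypted" ] || {
        echo "$app_root/.env.encrypted not found" >&2
        return 1
    }

    (
        cd "$app_root"
        # --force overwrites a stale .env left behind by an earlier failed run.
        php artisan env:decrypt --force
        # Compile config/*.php (with values pulled from .env) into one PHP file;
        # once bootstrap/cache/config.php exists Laravel does not read .env.
        php artisan config:cache
        # The plaintext secrets now live only inside a PHP file, which the web
        # server executes instead of serving as text.
        rm -f .env
    )
}

# Post-deploy check: the config cache must exist and no plaintext .env may
# remain. Returns 0 when the layout is as expected, 1 otherwise.
verify_no_plaintext_env() {
    app_root="${1:-.}"
    [ -f "$app_root/bootstrap/cache/config.php" ] || return 1
    [ ! -e "$app_root/.env" ] || return 1
}

# Run directly as: LARAVEL_ENV_ENCRYPTION_KEY=... ./deploy-env.sh /var/www/app
if [ $# -gt 0 ]; then
    deploy_decrypt_and_cache "$1"
    verify_no_plaintext_env "$1"
fi
```

Two caveats worth knowing before adopting this: once the config is cached, any `env()` call outside the `config/` directory returns null, so every setting the app needs has to be reachable through `config()`; and the result only defends against the misconfiguration where `.env` is served as a static file. Anyone who can execute PHP on the host, including the web server process itself, can still read `bootstrap/cache/config.php`, which is why the other replies recommend real environment variables on the server.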

martinbean's avatar

@anjanesh Encrypting the .env file on the server is not the solution. You should be using actual environment variables in a server environment instead of .env files.

.env files are just for aiding local development where it’s difficult to set proper environment variables, or you’re working with multiple projects. But on an actual server, you should be setting actual environment variables instead.

1 like
