souvikbhattacharyas:

Laravel encryption of Data

Hi,

For my current project I have already implemented Passport with Laravel. But during the authentication & authorization I have a few questions, which are given below.

  1. Every password in Laravel is encrypted with bcrypt by default. Now I want to customize the bcrypt implementation generally and want to specify the number of rounds of hashing that will be used. Also I would like to do it globally to avoid changes in password store and fetch. So, is there any way you can suggest, or your views?

  2. I want to mask the user address / phone number / email in the database to avoid a security breach. So, this can be accessed from the portal only. So, can anyone help me to do it globally or model-wise?

  3. By default the URL to get the OAuth token is '/oauth/token', but is there any way to change or add a prefix to it? This is not an important part but good to have.

Please help me out.

D9705996:

You can change the rounds of hashing by adding the following to your .env (10 is the default)

BCRYPT_ROUNDS=10

To encrypt your model properties I recommend this package. You just have to use the trait and specify which properties should be encrypted.

https://github.com/Cheezykins/LaravelEncryptable

Not sure on 3, but you might be able to look at the source code for ideas. However, I wouldn't change this unless you really need to. I always find that the extra effort rarely outweighs the benefits, as Laravel defaults are usually very sensible.

souvikbhattacharyas:

@D9705996 - Thanks for the answers. Can you clarify #2 a bit.

#1 - Are you referring to me adding my custom value? I found in hashing.php it's already mentioned: 'bcrypt' => [ 'rounds' => env('BCRYPT_ROUNDS', 10), ],

#2 - Actually my intention is to mask the value. Like for mobile, instead of showing the full number it will show XXX4XX0052. So, can you suggest an approach: should it be done at the DB layer (MySQL), or at the time of returning the value with the help of a resource?

#3 - I will proceed with the existing solution.

souvikbhattacharyas:

@D9705996 - Thanks. But please suggest what approach is better?

  1. Encrypt the data and store it in the database. So, anyone with access to the database will also not understand what is stored.

  2. Or store in the DB as plain text and mask during display?

Actually I heard about the European Union GDPR rule and am trying to be compliant with that...

D9705996:

GDPR is a massive area and one I am not fully qualified to give guidance on, I'm afraid. It would be worth reading this:

https://gdpr-info.eu/issues/encryption/

My advice would be to encrypt any personal data in your database, so if your database is compromised the data is useless without the encryption key. Masking data is probably a bit pointless, as your end user will probably want to see the full data, and also data subjects have a right to see any personal data you hold. You might want to look at https://github.com/sander3/laravel-gdpr and https://gdprchecklist.io/

If you are unsure, the best advice is to ask a GDPR-qualified lawyer/expert.
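An added example (not posted by either participant) that combines the two answers above: encrypt the PII columns at rest with Laravel's built-in 'encrypted' Eloquent cast (available since Laravel 8, no extra package needed) and apply the masking from question #2 only at the resource layer. The `Customer` model, its `phone`/`email`/`address` columns, and the `viewPii` policy ability are assumed names for illustration.

```php
<?php
// File 1 (assumed): app/Models/Customer.php
namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class Customer extends Model
{
    // Values are encrypted with APP_KEY before being written and decrypted
    // transparently on read, so a direct DB dump yields only ciphertext.
    protected $casts = [
        'phone'   => 'encrypted',
        'email'   => 'encrypted',
        'address' => 'encrypted',
    ];

    // Display-only mask: keep the last 4 digits, replace the rest with X.
    // Accessible as $customer->masked_phone.
    public function getMaskedPhoneAttribute(): ?string
    {
        if ($this->phone === null) {
            return null;
        }
        $digits = preg_replace('/\D/', '', $this->phone);
        $keep   = min(4, strlen($digits));
        return str_repeat('X', strlen($digits) - $keep) . substr($digits, -$keep);
    }
}

// File 2 (assumed): app/Http/Resources/CustomerResource.php
namespace App\Http\Resources;

use Illuminate\Http\Resources\Json\JsonResource;

class CustomerResource extends JsonResource
{
    public function toArray($request): array
    {
        // Full value only when the caller is authorised by a (hypothetical)
        // 'viewPii' policy ability; everyone else gets the masked form.
        $showFull = optional($request->user())->can('viewPii', $this->resource);

        return [
            'id'    => $this->id,
            'phone' => $showFull ? $this->phone : $this->masked_phone,
        ];
    }
}
```

One caveat a practitioner will hit: an encrypted column cannot be used in a WHERE clause, so lookups by phone or email need a separate keyed-hash (blind index) column, and rotating APP_KEY requires re-encrypting every stored value.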
