FunCoding's avatar

migrating Laravel 5.6 to 11 - dealing with app key and auth algorithm

Hi guys. I'm planning a future project where I'm migrating a system from Laravel 5.6 to Laravel 11. My basic approach is to refactor the code into a fresh install of Laravel 11, so no problem there. The issue is that the database has been populated with users and the app key rotation doesn't work with older versions; the format of the app key is different. Any ideas on how I can approach this? I need to be able to migrate the app without asking users to recover their passwords.

LaryAI's avatar
Level 58

When migrating from Laravel 5.6 to Laravel 11, you'll need to handle the application key (APP_KEY) and the authentication algorithm changes carefully to ensure that your users' encrypted data and hashed passwords remain valid. Here's a step-by-step approach to handle this:

  1. Backup Everything: Before starting the migration, make sure to backup your application code and database. This is crucial in case you need to revert to the original state.

  2. Update the .env File: Copy the APP_KEY from the old Laravel 5.6 .env file to the new Laravel 11 .env file. This key is used for encryption and should remain the same to be able to decrypt data.

  3. Password Hashing: Laravel uses the bcrypt algorithm for hashing by default. If you haven't changed the default hashing driver in Laravel 5.6, then Laravel 11 should be able to verify the old hashes without any issues, as it still supports bcrypt.

  4. Custom Encryption: If you have used Laravel's encryption mechanisms to encrypt other data in your database, you should ensure that the cipher used (AES-256-CBC in Laravel 5.6) is the same in Laravel 11. You can set the cipher in the config/app.php file if it's different.

  5. Test the Migration: Before going live, test the migration on a staging server. Verify that:

    • Users can log in with their existing passwords.
    • All encrypted data can be decrypted successfully.

  6. Update Dependencies: Ensure that all packages and dependencies are compatible with Laravel 11. You may need to upgrade some packages or find alternatives if they are not compatible with Laravel 11.

  7. Refactor Code: Refactor your code to comply with any new Laravel 11 conventions and features. This includes updating routes, controllers, models, and any other code that has changed between Laravel 5.6 and Laravel 11.

  8. Run Database Migrations: After refactoring the code, run the database migrations to update the database schema if necessary.

  9. Run Tests: Run your test suite to ensure that all parts of the application are working as expected.

  10. Plan for Rollback: In case something goes wrong, have a plan to rollback to the previous version of the application.

Here's an example of how you might check the cipher in your config/app.php:

'cipher' => 'AES-256-CBC',

Make sure that this matches the cipher used in Laravel 5.6 if you have encrypted data.

Remember, it's important to thoroughly test the application after the migration to ensure that all features work as expected and that user data remains intact. If you encounter any specific issues during the migration, you can address them individually.

FunCoding's avatar

I tested this, it didn't work. The format of the app key is different. In Laravel 11, the format is

APP_KEY=base64:string/string.

In 5.6, it's:

APP_KEY=string

Snapey's avatar

The app key has nothing to do with the hashing of passwords.

It is only used for hashing of things like cookies.

Besides, you can just use the old key.

FunCoding's avatar

It didn't work for me. I tried every variation I could think of with the format. I believe you're incorrect; the app key is used as part of the hashing. I also checked ChatGPT:

Yes, in Laravel, the APP_KEY from your .env file is used as the encryption key for various purposes, including hashing passwords.

Snapey's avatar
Snapey
Best Answer
Level 122

@FunCoding No, absolutely not. Don't take anything ChatGPT says as evidence.

If you don't believe me, try these trusted developers https://tighten.com/insights/app-key-and-you/

If authentication is failing (and you have not said what's ACTUALLY broken) then the problem lies elsewhere and not in the APP_KEY.

JussiMannisto's avatar

@FunCoding

Yes, in Laravel, the APP_KEY from your .env file is used as the encryption key for various purposes, including hashing passwords.

Like @snapey said, this is completely wrong. You can test this by taking a hashed password from one project, and calling Hash::check() on it in a separate project that has a different APP_KEY. It will return true.

APP_KEY is used in encryption and decryption. Hashing is different.
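
The test described in the post above, sketched in plain PHP as an added example (not code from the thread or from Laravel itself). It relies on the fact that Laravel's bcrypt driver wraps `password_hash()`/`password_verify()`; the two keys are constructed sample values, and `parseAppKey`, `sealValue` and `openValue` are hypothetical helpers that simplify an encrypt-then-MAC scheme rather than reproduce Laravel's Encrypter.

```php
<?php
// Added illustration: hashing needs no key, encryption does.

// A "base64:" prefix on APP_KEY means the rest is base64 of the raw key bytes;
// a key without the prefix is used as the raw bytes directly.
function parseAppKey(string $appKey): string
{
    if (!str_starts_with($appKey, 'base64:')) {
        return $appKey;
    }
    $raw = base64_decode(substr($appKey, 7), true);
    if ($raw === false) {
        throw new InvalidArgumentException('APP_KEY is not valid base64');
    }
    return $raw;
}

// Simplified AES-256-CBC encrypt-then-MAC (hypothetical helper).
function sealValue(string $plain, string $key): array
{
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return ['iv' => $iv, 'ct' => $ct, 'mac' => hash_hmac('sha256', $iv . $ct, $key, true)];
}

// Returns null when the MAC does not match (wrong key or altered payload).
function openValue(array $p, string $key): ?string
{
    $mac = hash_hmac('sha256', $p['iv'] . $p['ct'], $key, true);
    if (!hash_equals($p['mac'], $mac)) {
        return null;
    }
    $plain = openssl_decrypt($p['ct'], 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $p['iv']);
    return $plain === false ? null : $plain;
}

// Constructed sample keys standing in for the old and new projects' APP_KEY.
$oldKey = parseAppKey('base64:' . base64_encode(random_bytes(32)));
$newKey = parseAppKey('base64:' . base64_encode(random_bytes(32)));

// "Old project": store a bcrypt hash and an encrypted value.
$storedHash = password_hash('s3cret-passphrase', PASSWORD_BCRYPT, ['cost' => 10]);
$storedBlob = sealValue('encrypted column value', $oldKey);

// "New project": password_verify() takes only the password and the stored hash.
var_dump(password_verify('s3cret-passphrase', $storedHash));
// Decryption is the operation that depends on which key is supplied.
var_dump(openValue($storedBlob, $newKey));
var_dump(openValue($storedBlob, $oldKey));
```

Run with `php` 8.0 or later; no framework or network access is needed.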

FunCoding's avatar

@Snapey Thank you for helping figure out the issue, it was dev vs. live db, not the encryption. I'll be a little more careful trusting ChatGPT in the future. Thanks again.

FunCoding's avatar

Ok, cool, I'll look into this. I figured out one source of my problem was dev db vs. live, so that's my mistake. Apologies if anyone was offended. I recently watched a talk from Taylor from EU Laracon and thought he referenced that, but apparently not. Anyway, thank you for helping me sort this out. Cheers.
