madsynn's avatar

Need Guidance on ENV encryption.

Laravel's docs on this matter are lacking. Can someone walk me through a simple flow with encrypting an env for, say, staging and deploying it?

Need assistance with the following:

  • Where do I put LARAVEL_ENV_ENCRYPTION_KEY? What file, and how do I tell Laravel it's there for decryption?
  • On deploy, is it a command I need to run in artisan or the CircleCI runner, etc.?
  • Can I put .env.stage.encrypted in my repo?

Any guidance would be greatly appreciated.

LaryAI's avatar
Encrypting environment variables in Laravel can be done using the encrypt and decrypt functions provided by Laravel's Illuminate\Support\Facades\Crypt facade. Here's a simple flow to encrypt an environment variable for staging:

  1. Generate an encryption key for your staging environment by running the following command in your terminal:

         php artisan key:generate --env=staging

     This will generate a new key and store it in your .env.staging file.

  2. Set the LARAVEL_ENV_ENCRYPTION_KEY environment variable to the encryption key you just generated. You can do this by adding the following line to your .env.staging file:

         LARAVEL_ENV_ENCRYPTION_KEY=your-encryption-key-here

  3. Encrypt the environment variable you want to protect using the encrypt function. For example, if you want to encrypt the DB_PASSWORD variable, you can do the following in your config/database.php file:

         'connections' => [
             'mysql' => [
                 'driver' => 'mysql',
                 'host' => env('DB_HOST', '127.0.0.1'),
                 'port' => env('DB_PORT', '3306'),
                 'database' => env('DB_DATABASE', 'forge'),
                 'username' => env('DB_USERNAME', 'forge'),
                 'password' => encrypt(env('DB_PASSWORD')),
                 'charset' => 'utf8mb4',
                 'collation' => 'utf8mb4_unicode_ci',
                 'prefix' => '',
                 'strict' => true,
                 'engine' => null,
             ],
         ],

  4. When you deploy your application, you'll need to decrypt the encrypted environment variables. You can do this by adding the following line to your deployment script:

         php artisan env:decrypt --env=staging

     This will decrypt all the encrypted environment variables in your .env.staging file.

  5. Finally, you can commit the encrypted .env.staging file to your repository. However, make sure to add it to your .gitignore file so that it doesn't get committed accidentally.

Note: It's important to keep your encryption key secret. Make sure to store it securely and don't share it with anyone.

taran2k's avatar

@dkarvounaris This is still very vague and does not really answer OP's question.

As for my understanding of it, since the encryption creates a new .env.encrypted file, it is that file that needs to be committed. I am guessing it is to be used in such a way that you keep your regular .env file untouched locally and add to it your encryption key. Then when there are downstream changes to the repository's .env.encrypted file, that file should be pulled and decrypted. Then everything is to be manually copied from that decrypted file and pasted into your local .env file, replacing everything but keeping the original LARAVEL_ENV_ENCRYPTION_KEY variable.
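
The flow the thread asks about, as an added example (not part of any post above, and not Laravel's own code): a deploy-step function that decrypts a committed `.env.staging.encrypted` with the key taken from the job's `LARAVEL_ENV_ENCRYPTION_KEY` environment variable. The function name `decrypt_env`, its return codes, and the assumption that the CI system (for instance a CircleCI project environment variable) exports the key are illustrative.

```shell
#!/bin/sh
# Added example: deploy-time decryption of a committed .env.<env>.encrypted file.
# Assumption: the CI/CD secret store exports LARAVEL_ENV_ENCRYPTION_KEY into the
# job environment; the key itself is never written to the repository.

# One-time, on a developer machine:
#   php artisan env:encrypt --env=staging   # writes .env.staging.encrypted, prints the key
#   git add .env.staging.encrypted          # commit the ciphertext only
#   (.env.staging, the plaintext, stays listed in .gitignore)

decrypt_env() {
    env_name="$1"
    encrypted=".env.${env_name}.encrypted"

    # Fail early with a clear message instead of letting artisan fail later.
    if [ -z "${LARAVEL_ENV_ENCRYPTION_KEY:-}" ]; then
        echo "LARAVEL_ENV_ENCRYPTION_KEY is not set in this job" >&2
        return 2
    fi
    if [ ! -f "$encrypted" ]; then
        echo "$encrypted not found in $(pwd)" >&2
        return 3
    fi

    # No --key flag: artisan falls back to LARAVEL_ENV_ENCRYPTION_KEY, so the
    # key does not appear on the command line or in an echoed CI log.
    # --force overwrites a stale .env.<env> left by an earlier deploy.
    php artisan env:decrypt --env="$env_name" --force || return 4

    # The plaintext lands in .env.<env>; make it readable by the owner only.
    # Laravel loads .env.<env> when APP_ENV=<env> is provided externally.
    chmod 600 ".env.${env_name}" || return 5
}

# In the deploy step, from the project root:
#   decrypt_env staging
```
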