Am I also vulnerable to this malware?

@Tray2 thank you.

Yes they work with Windows Servers mostly so they setup a Windows Server with IIS for us. Assuming they do not want to take the risk and make us remove the passwords from the .env - what options do I have?

I may have done it wrong that I did not encrypt the .env in production because it's not a server that's facing the outside world but now they are stricter and they don't care.

Will encrypting the .env do any better? Also, do I have any other option if I'm told I must remove the passwords from the .env (even if encrypted)? The passwords are changing daily so I need a way to read the new passwords from a secure location though I'm not sure where.

I know Windows has Credential Manager - is it possible to store passwords there, and read from there from Laravel? Or I should do something else?

@Ben Taylor Nope, can't.

By the way, if I use the .env.encrypted. How can I use it then? It needs to be decrypted. but if I use the config() helpers to read from the .env, will it also decrypt it on the fly?

@amitsolanki24_ thank you, yes I now plan to encrypt the .env file. But, if I'm using config() helpers around the code, will it automatically decrypt the .env file if the windows environment variable LARAVEL_ENV_ENCRYPTION_KEY is present?

I mean besides encrypting the .env and then storing the decryption key in the Windows ENV variables, is there anything else I need to do in order for Laravel to decrypt the .env whenever needed?

@Ligonsker I haven't try this nut according yo me you don't have to do anything else

You can also check below links for more help.

https://stackoverflow.com/questions/62245142/is-it-possible-to-encrypt-the-information-in-env-file-in-laravel

https://blog.codewithdary.com/encrypt-and-decrypt-your-env-file-in-laravel

@Snapey thank you! exactly my thoughts! Then I am safe. But also, there are 2 options from what I understand right now: Place in the "real" env, or, encrypt the .env and have a .env.encrypted file.

For the second option there's something I don't know yet - assuming my Laravel project reads from the .env file using the config() helper in several places. How does it know to decrypt it? because from what I saw it says to explicitly use decrypt. So I am not sure how to use the encrypted env file?

@Ligonsker i offered you a third option

@Snapey To trust my colleagues? 😝

@Ligonsker no

If you are banned from passwords in .env because your security team don't understand the threat then you can move these to 'real' environment variables

You already indicated you know how to set environment variables such as LARAVEL_ENV_ENCRYPTION_KEY, so put your passwords in real Environment variables and remove them from your env file

The env helper you use in your config files knows to automatically merge environment variables with values from your env file

@Snapey Oh yes this part I understand, but, if I did want to use the encrypted version of the .env instead of real environment variables, is it possible to use it? or the encrypted version is only for source control so that you can upload it there? And not for use with config() and so on?

@Ligonsker just for safe storage, not use.

@Snapey Got it, thank you! And, placing them in the Windows Server environment variables - is that a good practice? like:

"DB_1_PASSWORD" with the plain text password value?

Well, it probably is good, because if someone has access to these variables it means he already got into the server 😅

@Ligonsker main laravel including env should be out of web folder all together.

But many past discussions on this.