How to Encrypt Database Fields in Laravel?

Captions
Hello guys, today I want to quickly demonstrate your database encryption in Laravel. From time to time I get that question in comments on YouTube or Twitter: how to encrypt the database fields? Maybe you have some sensitive data that you don't want people to get access to. Even if they hack into your database and get the database out, some fields would be encrypted, not readable, which means they wouldn't actually leak to the outside world.

So in the Laravel Eloquent documentation there's a section called encrypted casting, which is really short actually. So encrypted is one of the casting features, and you can read more about encryption and how it works in a separate documentation page, but it doesn't clearly show where to add it and how it works.

Historically, before Laravel 8, there were packages to do that. One of the more popular ones is Laravel DB Encrypter, which works in a way that you just define what fields in what Eloquent model need to be encrypted, and then when you save the data it's encrypted in the database, but when you get the data it's decrypted from the database. And in Laravel 8.12 there was this pull request merged in October 2020: Jason McCreary created this as a part of Laravel core.

So to encrypt some field in your Eloquent model, all you need to do, and I have a demo project here, is add this. So in the casts of the Eloquent model you just add encrypted. And let me show an example of this demo project, based on a passport number field in the users table. This is quite sensitive data, and what I did is add that passport number to the migrations. An important thing: it should be text, not a string, because encryption may make that value really long, so it should be text, not a string. Then in the register blade I added passport number. Then in the registered users controller, it's based on Laravel Breeze by the way, I added here passport number, and at this point it will be encrypted. So password is encrypted with Hash::make by default, but passport number is encrypted because it is added to be encrypted here. Also I have added it to the hidden property of the default User model, so it wouldn't be accidentally returned in APIs, and of course it is fillable.

Now what happens if I register? Here I am in my demo project, so register form, there is a passport number field, and I will use the Fake Filler Chrome extension to fill that in. For example, let it be any number, with passport number 501 for example. We register, and then in the database we have the users table, and passport number looks like this. It's even longer actually, but it's actually encrypted, so it's not 501.

But if I want to show that field somewhere, of course you need to be really careful: if it's sensitive data you shouldn't just show it on the page for everyone. But just as an example, in the index blade, I have a separate user controller, so there's a table of username, email and passport number. So I didn't do any decryption or any accessors or mutators or anything, I just call that field as it is. And if I get to that users table, passport number is actually shown as decrypted. So on the database level it is encrypted, but Laravel takes care, kind of like accessors and mutators, to encrypt and decrypt it from the database.

So even if someone steals your database itself, they wouldn't be able to decrypt it unless they have one more parameter stolen, which is in the .env file, this one: APP_KEY. APP_KEY is a key for making the encryption and decryption work by default, so you should protect it from being stolen, as actually any parameter in the .env file from your production server, because it would be a huge security issue.

And finally in this video, let's talk about what to encrypt. So as you may imagine, the fields that are encrypted and decrypted are not really easy to query, to sort by, to search for. So for example, if you want to encrypt the user email, then by default the login wouldn't work. So if you encrypt the user email and that email would be saved in a similar format as this one, by default then auth login will do User where email something and would fail. And it was really well phrased on the pull request itself by Jason. The last comment is by Richard Stiles on exactly the same situation, where someone wanted to encrypt the user email and then login actually doesn't work. Of course it doesn't work, because it's encrypted. And what Richard stated in his comment, and what he advised, is to encrypt what is absolutely necessary, for details like social security number or national insurance number or, as in my case, passport number.

So you should look at the encryption of the fields as something like you store the field in the safe box somewhere, in the deposit box or whatever you call it, and you don't take it out unless absolutely necessary. So you don't work with that field on a basic operation like table, like sorting, like view something. You just store it and kind of forget about it unless you need it.

So hope it clarifies how encryption and decryption works in Laravel. What is your experience? Have you ever encrypted or decrypted some fields? Did it work for you, or maybe you regretted something afterwards? Share in the comments below. And if you want more tips on database structure, for example, in my list of courses on Teachable I have one course that I want to emphasize: How to Structure Databases in Laravel. It's a two-hour course based on Laravel 8, and it talks about relationships, about fields, about how to structure tables, its performance and stuff like that. So you can enroll in that course at laraveldaily.teachable.com, or enroll in all of my courses by purchasing a yearly membership, and you will support this channel by doing that. That's it for this time, and see you guys in other videos.
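The setup described in the captions, written out as an added example (it is not the presenter's demo project code). It assumes a Laravel 8.12+ application whose `users` table has a `text` column named `passport_number`; the helper `encryptedCastDemo()` and the sample user values are hypothetical and constructed for illustration.

```php
<?php

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;

// Assumes a migration has added the column as text, not string:
//   $table->text('passport_number')->nullable();
class User extends Authenticatable
{
    protected $fillable = ['name', 'email', 'password', 'passport_number'];

    // Keeps the decrypted value out of toArray()/toJson() responses.
    protected $hidden = ['password', 'remember_token', 'passport_number'];

    // 'encrypted' (Laravel 8.12+) encrypts on save and decrypts on read with APP_KEY.
    protected $casts = [
        'email_verified_at' => 'datetime',
        'passport_number' => 'encrypted',
    ];

    // Hypothetical helper for this example: compares three views of the field.
    public static function encryptedCastDemo(): array
    {
        $user = static::create([
            'name' => 'Constructed User',
            'email' => 'constructed@example.test',
            'password' => Hash::make('constructed-password'),
            'passport_number' => '501',
        ]);

        // Raw column value, bypassing Eloquent casts: what a database dump contains.
        $stored = DB::table('users')->where('id', $user->id)->value('passport_number');

        return [
            // Read through the model: the cast decrypts transparently.
            'through_model' => static::find($user->id)->passport_number,
            // The stored ciphertext is compared with the plaintext that was submitted.
            'stored_differs' => $stored !== '501',
            // where() compares the plaintext with the stored ciphertext, which is
            // why an encrypted email column breaks the login lookup.
            'plaintext_where_matches' => static::where('passport_number', '501')->exists(),
        ];
    }
}
```

Run the helper from `php artisan tinker` against a development database only, since it inserts a row.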
Info
Channel: Laravel Daily
Views: 22,253
Id: a6V5Cxk03rk
Length: 5min 28sec (328 seconds)
Published: Mon Nov 22 2021