When we put laravel project to localhost. Anyone can view our project .env file and they can view our database password DB_USERNAME= DB_PASSWORD= how can we encrypt it??
You can just set a encrypted string as password in the '.env' file and decrypt it in your code. But I dont think that it will increase the security level on your system. Much more important is set the right configuration on the server (permissions, file locations, etc.).
You can access environment variables using $_SERVER , $_ENV (PHP super global variables) and env helper and after this encrypt your environment variables value and decrypt when assign value to a variable . For more information laravel docs
If you have not enough time than you also find this package to make it easy to add encrypted environment variables BaglerIT package
This worked for me:
In your database.php:
use Illuminate\Encryption\Encrypter;
$key = 'a3c4b614a1f072e0f968c2712a36323f'; //A md5 hash (length 32)
$encrypter = new Encrypter($key, 'AES-256-CBC');
//encrypt test:
//$str = $encrypter->encryptString('your_password');
//die($str);
...
'connections' => [
'oracle' => [
...
'password' => $encrypter->decryptString(env('DB_PASSWORD')),
...
],
...
then you can set DB_PASSWORD in your .env file encrypted as this:
// Code to get the encrypted value
use Illuminate\Encryption\Encrypter;
$key = 'a3c4b614a1f072e0f968c2712a36323f'; // same key is used for decrypt
$encrypter = new Encrypter($key, 'AES-256-CBC'); // same key and cipher used for decrypt
$str = $encrypter->encryptString('your_password'); // <- THIS IS YOUR DB_PASSWORD VALUE
Related
from laravel docs
Application Key The next thing you should do after installing Laravel
is set your application key to a random string. If you installed
Laravel via Composer or the Laravel installer, this key has already
been set for you by the php artisan key:generate command.
Typically, this string should be 32 characters long. The key can be
set in the .env environment file. If you have not renamed the
.env.example file to .env, you should do that now. If the application
key is not set, your user sessions and other encrypted data will not
be secure!
What I know about application key is: If the application key is not set, generally I do get an exception.
How do this random string help to secure the session?
What are the other uses of this application key?
If I use the same application key everywhere (like staging, production etc..) does it make the application less secure?
what are some best practices for this key
As we can see its used in EncryptionServiceProvider:
public function register()
{
$this->app->singleton('encrypter', function ($app) {
$config = $app->make('config')->get('app');
// If the key starts with "base64:", we will need to decode the key before handing
// it off to the encrypter. Keys may be base-64 encoded for presentation and we
// want to make sure to convert them back to the raw bytes before encrypting.
if (Str::startsWith($key = $this->key($config), 'base64:')) {
$key = base64_decode(substr($key, 7));
}
return new Encrypter($key, $config['cipher']);
});
}
So every component that uses encryption: session, encryption (user scope), csrf token benefit from the app_key.
Rest of the questions can be answered by "how encryption" (AES) works, just open up Encrypter.php, and confirm that Laravel uses AES under the hood and encodes the result to base64.
Further more we can see how its all done by using tinker:
➜ laravel git:(staging) ✗ art tinker
Psy Shell v0.8.17 (PHP 7.1.14 — cli) by Justin Hileman
>>> encrypt('Hello World!')
=> "eyJpdiI6ImgzK08zSDQyMUE1T1NMVThERjQzdEE9PSIsInZhbHVlIjoiYzlZTk1td0JJZGtrS2luMlo0QzdGcVpKdTEzTWsxeFB6ME5pT1NmaGlQaz0iLCJtYWMiOiI3YTAzY2IxZjBiM2IyNDZiYzljZGJjNTczYzA3MGRjN2U3ZmFkMTVmMWRhMjcwMTRlODk5YTg5ZmM2YjBjMGNlIn0="
Note: I used this key: base64:Qc25VgXJ8CEkp790nqF+eEocRk1o7Yp0lM1jWPUuocQ= to encrypt Hello World!
After decoding the result we get (you can try decode your own cookie with session):
{"iv":"h3+O3H421A5OSLU8DF43tA==","value":"c9YNMmwBIdkkKin2Z4C7FqZJu13Mk1xPz0NiOSfhiPk=","mac":"7a03cb1f0b3b246bc9cdbc573c070dc7e7fad15f1da27014e899a89fc6b0c0ce"}
to understand above json (iv, value, mac) you need to understand AES:
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Best practices for application key
do store it in .env file only
do not store it in app.php, in fact in any git tracked file
do not change it unless you really want to
invalidate sessions/cookies (user logout)
invalidate password reset tokens
invalidate signed urls
Obvious Note: Changing application key has no effect on hashed passwords since hashing algorithms do not require encryption keys.
for a customer we are migrating a Laravel application to a Ruby application. We have some data stored in the database that we would like to decrypt in the ruby world.
This is the laravel part that was used to encrypt the data: https://laravel.com/docs/5.0/encryption
Now when importing the data to ruby we need a counter part that can decrypt the data.
In the laravel console I was able to decrypt the data like this:
>>> Crypt::decrypt('eyJpdiI6ImZyek9ZTjJNSW5ZYlhSa2ZYUldVbEE9PSIsInZhbHVlIjoia20zMTRLWEpCdXM2K05DZDBHSlE5SDlcL2pYVXk5aE5RWWR3dHFQT1dGQzA9IiwibWFjIjoiZWZlNGE3NTRhMDDlNzk2MjhlYjI1Mzc1NGNiYmRjNDMwZjM1NzdiMzkyZTU4ZjA4ZDNkMGE0YjUyOTBjMDAzOCJA')
=> "123123123123"
I am no laravel expert, but in the app.php file a secret key was set. So I need to be able to pass it somehow to the decrypt function.
The goal is to have a ruby function that takes the laravel password, encryption key and returns the decrypted value.
def decrypt_laravel_crypt(value, encryption_key)
end
Thanks for the help!
You can reverse engineer Laravel's Encrypter::decrypt method using mostly standard libs. Laravel will serialize data before encrypting it unless told explicitly not to. This means attempting to unserialize the decrypted string prior to using it.
require 'base64'
require 'openssl'
require 'json'
require 'php_serialize'
def lara_decrypt(encryptedString, appKey)
data = JSON.parse(Base64::decode64(encryptedString))
decipher = OpenSSL::Cipher.new('aes-256-cbc')
decipher.decrypt
decipher.key = Base64::decode64(appKey)
decipher.iv = Base64::decode64(data['iv'])
decrypted = decipher.update(Base64::decode64(data['value'])) + decipher.final
begin
PHP.unserialize(decrypted)
rescue
decrypted
end
end
Also when you set the app key be sure to drop base64: from the beginning of it (if it's there).
I am trying to follow the instruction of CI 3 docs about encryption https://codeigniter.com/userguide3/libraries/encryption.html#setting-your-encryption-key I apply the instruction but it won't make pretty output like I want, here is the standard code
$this->load->library('encryption');
$key = $this->encryption->create_key(16);
// Get a hex-encoded representation of the key:
$key = bin2hex($this->encryption->create_key(16));
// Put the same value in your config with hex2bin(),
// so that it is still passed as binary to the library:
$config['encryption_key'] = hex2bin(<your hex-encoded key>);
but i am getting this error
how to solve this error? or I am writing some wrong code?
If you use the Encryption class, you must set an encryption key. and dynamic Encryption key must be set on indivisible controller file.single Encryption key set on config.php file
//single encryption key
$config['encryption_key'] = '';
//dynamic encryption key
$this->load->library('encryption'); //load encryption library in your controller
$key = bin2hex($this->encryption->create_key(16));
$config['encryption_key'] = hex2bin();
I'm creating an app and I am planning to give users a one click installation feature. The idea is to show a form when the application is first launched, sort of Installation / Configuration screen where user will type Database details (hostname, db name, username & password) and will enter user details (email, username and password for default admin account). Once he will submit the form, I want to do following tasks:
Update .env file with hostname, db name, username & password
Run all migrations
Run all db:seeds
Create a user based on user input (this is not much of an issue)
Is it possible to do via code? I have tried to google this but can't find any help.
As the title says, I'm using L5.2 for this project.
So here is the final solution after playing around with this.
My controller:
use Illuminate\Support\Facades\Artisan;
use Illuminate\Support\Facades\Storage;
class TestController extends Controller
{
public function index() {
// Values I want to insert
$data = [
'APP_KEY' => str_random(32),
'DB_HOST' => 'localhost',
'DB_DATABASE' => 'lara_test',
'DB_USERNAME' => 'root',
'DB_PASSWORD' => ''
];
// default values of .env.example that I want to change
$defaults = ['SomeRandomString', '127.0.0.1', 'homestead', 'homestead', 'secret'];
// get contents of .env.example file
$content = file_get_contents(base_path() . '/.env.example');
// replace default values with new ones
$i = 0;
foreach ($data as $key => $value) {
$content = str_replace($key.'='.$defaults[$i], $key.'='.$value, $content);
$i++;
}
// Create new .env file
Storage::disk('root')->put('.env', $content);
// run all migrations
Artisan::call('migrate');
// run all db seeds
Artisan::call('db:seed');
dd('done');
}
}
New Disk Driver:
To create a new file at project root, I had to create a new Disk Driver. I added following code in my config/app.php file:
'disks' => [
.....
'root' => [
'driver' => 'local',
'root' => base_path(),
],
],
and this enabled me to create new file at root by using:
Storage::disk('root')->put('filename', $content);
Summary:
So basically I am getting the contents of .env.example file, changing the values of constants I want and then creating a new .env file. After that I ran all my migrations and seeds.
Note:
I had to manually set the APP_KEY because of a stupid error No supported encrypter found. The cipher and / or key length are invalid.
Since I am trying to do everything inside code, not through commands - I tried using Artisan::call('key:generate'); but for some strange reasons it didn't work so to fix the issue, I had to create a random string manually which is 32 bit long and set it as APP_KEY.
Hope this will help someone else. :)
And thanks to #rypskar for assistance.
Everything can be done using code ;)
You could write a sh script which you call from your code or you can do this directly from your code.
I haven't seen any functions for copying and populating .env file, but you could read .env.example using file_get_contents() and update the content before writing the new file back to disk.
\Illuminate\Support\Facades\Artisan::call('migrate');
\Illuminate\Support\Facades\Artisan::call('db:seed'); (Not tested since I only have done this from a test where it is possible to use $this->seed();
User::create(['column', => $value])
Okay, well, this is my first time working with encryption on a project. I am using my hosting provider for SSL, but I also want to encrypt portions of the database that are sensitive. For this, I was told to use OpenSSL. I am testing it on my localhost (WAMP), and have installed OpenSSL and turned on the PHP and Apache SSL mods. Okay, so i've been following tutorials and, using several suggested methods, have been able to generate the public key and store it as a file. For some reason, I can't seem to generate the private key. I will post two versions of code that i've tried:
// generate private key
$privateKey = openssl_pkey_new(array(
'private_key_bits' => 1024,
'private_key_type' => OPENSSL_KEYTYPE_RSA,
));
// write private key to file
openssl_pkey_export_to_file($privateKey, 'private.key');
// generate public key from private key
$publicKey = openssl_pkey_get_details($privateKey);
// write public key to file
file_put_contents('public.key', $publicKey['key']);
// clear key
echo $privateKey;
?>
This generates a public.key file, but provides me the warnings "openssl_pkey_export_to_file(): cannot get key from parameter 1:" and " openssl_pkey_get_details() expects parameter 1 to be resource, boolean."
I also tried an alternative method:
$config = array(
"config" => "E:/wamp/bin/apache/apache2.2.22/conf/openssl.cnf",
"digest_alg" => "sha512",
"private_key_bits" => 1024,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
);
// Create the private and public key
$res = openssl_pkey_new($config);
// Extract the private key from $res to $privKey
openssl_pkey_export($res, $privKey, NULL);
echo "Private Key: ".$privKey;
// Extract the public key from $res to $pubKey
$pubKey = openssl_pkey_get_details($res);
$pubKey = $pubKey["key"];
echo "Public Key: ".$pubKey;
$data = 'plaintext data goes here';
echo "Data: ".$data;
// Encrypt the data to $encrypted using the public key
openssl_public_encrypt($data, $encrypted, $pubKey);
echo "Encrypted: ".$encrypted;
// Decrypt the data using the private key and store the results in $decrypted
openssl_private_decrypt($encrypted, $decrypted, $privKey);
echo "Decrypted: ".$decrypted;
This was supposed to echo everything, unfortunately my result was a blank private key, a fine public key, plaintext, and encrypted text, and an error when trying to decrypt: "openssl_private_decrypt(): key parameter is not a valid private key"
Clearly, i'm having a problem with private key creation. I've searched the internet thoroughly and haven't been able to fix it, even though I've implemented simple code that seems to work for everyone else.
Thanks in advance,
Elie Zeitouni
I know that it has been a while and you may have already solved it but I think that my answer can be helpful for other people who faced the same problem (Like I did).
So if you take a look at the openssl_pkey_export() documentation you can find that it takes four different parameters. If we take a look at your second implementation we can see that you have only provided three.
openssl_pkey_export($res, $privKey, NULL);
This would be just as fine if only your server have the right environment variables for OPENSSL_CONF. Linking to the openssl.cnf file, which as quoted in the README-SSL.txt file that is downloaded with XAMPP is required to make use of CSR and key generation functions from PHP.
To use the CSR and key generation functions from PHP, you will need to install an openssl.cnf file. We have included a sample file that can be used for this purpose in this folder alongside this readme file.
For this reason just as you did for the openssl_pkey_new($config); you must create a associative array containing the config => '/path/to/openssl.cnf'. Just like this:
openssl_pkey_export($res, $privKey, NULL, $config);
I would like to also add that the path of openssl.cnf in my case is inside:
C:\xampp\php\extras\openssl\openssl.cnf
Inside here you will also be able to find a README-SSL.txt file which give a good explaination of how to configure OPENSSL.
Hope it helps. :)
I think you might have an easier time with phpseclib, a pure PHP RSA implementation. The following example will create a 1024-bit RSA private / public key:
<?php
include('Crypt/RSA.php');
$rsa = new Crypt_RSA();
extract($rsa->createKey());
echo $privatekey . '<br/>' . $publickey;
?>
Banged around my head with getting this to work on windows10 with xampp php 5.5. Finally figured tabone's answer above was in the right direction EXCEPT path format needed to be forward slashed!
C:/xampp/php/extras/openssl/openssl.cnf
Hope this helps someone.
I Had the same problem.
And it is Windows problem's !!!
It won't happen on unix base systems.
And, If like me you use Windows only for Development, you use PuTTYGen to generate a key, and use it, static, in dev enviroment !
OR
OpenSSL not working on Windows, errors 0x02001003 0x2006D080 0x0E064002
use : openssl_pkey_export_to_file($result, 'privkey.pem', null, $config);
This worked for wampp/php 7.0.4
$privateKey = openssl_pkey_new(array(
'config' => 'C:/wamp/bin/php/php7.0.4/extras/ssl/openssl.cnf',
'private_key_bits' => 1024,
'private_key_type' => OPENSSL_KEYTYPE_RSA,
));
// write private key to file
openssl_pkey_export_to_file($privateKey, 'private.key');
// generate public key from private key
$publicKey = openssl_pkey_get_details($privateKey);
// write public key to file
file_put_contents('public.key', $publicKey['key']);
// clear key
echo $privateKey;