Eloquent Encrypted Casting

Published on October 30th, 2020 by Richard Styles

A recent pull request by Jason McCreary which was released in Laravel 8.12 included the ability to encrypt a model attribute using an Eloquent cast.
The included encrypted cast option now also allows casting the attribute into an array, JSON, object or a collection after it has been decrypted.

class EncryptedCast extends Model
{
    public $casts = [
        'secret' => 'encrypted',
        'secret_array' => 'encrypted:array',
        'secret_json' => 'encrypted:json',
        'secret_object' => 'encrypted:object',
        'secret_collection' => 'encrypted:collection',
    ];
    ...
}

This encrypted cast uses Laravel’s Crypt facade to encrypt and decrypt the attribute from the database. There were earlier PRs back in Laravel 5.3 which were closed that attempted to bring this functionality into Laravel.
If you use Laravel’s built-in encrypted cast notation then it is important to realise this locks your app key. As this is the secret which Crypt uses under the hood to encrypt and decrypt everything in Laravel from sessions and cookies.

The same weekend that Laravel encrypted casts were added into Laravel core, I completed a hackathon hosted by my Employer UKFast where I created EloquentEncrypted. This uses 4096-bit RSA keys to cast model attributes into the database in an encrypted form.

This separates Eloquents encryption from the app key so that you are free to rotate this as needed, something that is advised by Tighten in their blog post APP_KEY And You. This package also includes migration helpers to set the encrypted field accordingly in your database.

Schema::create('sales_notes', function (Blueprint $table) {
    $table->increments('id');
    $table->encrypted('private_data');
    $table->timestamps();
});

The Eloquent Encryption package also allows for casting after encryption with a couple of initial offers to show how this can be done. You can cast to a string using the default Encrypted cast, an Integer or float and even to a collection. Collections are serialised into JSON strings which are then encrypted.

<?php
 
namespace App\Models;
 
use Illuminate\Database\Eloquent\Model;
use RichardStyles\EloquentEncryption\Casts\Encrypted;
use RichardStyles\EloquentEncryption\Casts\EncryptedInteger;
use RichardStyles\EloquentEncryption\Casts\EncryptedFloat;
use RichardStyles\EloquentEncryption\Casts\EncryptedCollection;
 
class SalesData extends Model
{
    /**
     * The attributes that should be cast.
     *
     * @var array
     */
    protected $casts = [
        'private_data' => Encrypted::class,
        'private_int' => EncryptedInteger::class,
        'private_float' => EncryptedFloat::class,
        'private_collection' => EncryptedCollection::class,
    ];
}

I’ve also put together another package called Eloquent AES which allows you to use AES-256-CBC encryption for your eloquent model data. This creates a separate Eloquent key which is used to encrypt/decrypt during casting.

<?php
namespace App\Models;
 
use Illuminate\Database\Eloquent\Model;
use RichardStyles\EloquentAES\Casts\AESEncrypted;
 
class SalesData extends Model
{
    /**
     * The attributes that should be cast.
     *
     * @var array
     */
    protected $casts = [
        'private_data' => AESEncrypted::class,
    ];
}

This simply creates another instance of the Encrypter class within laravel using a different config key. This second package was created because people should be able to choose the method of encryption and how that choice affects other areas of their applications.