Eloquent Encrypted Casting

News

October 30th, 2020

eloquent-encrypted-casting.png

A recent pull request by Jason McCreary which was released in Laravel 8.12 included the ability to encrypt a model attribute using an Eloquent cast.
The included encrypted cast option now also allows casting the attribute into an array, JSON, object or a collection after it has been decrypted.

1class EncryptedCast extends Model
2{
3 public $casts = [
4 'secret' => 'encrypted',
5 'secret_array' => 'encrypted:array',
6 'secret_json' => 'encrypted:json',
7 'secret_object' => 'encrypted:object',
8 'secret_collection' => 'encrypted:collection',
9 ];
10 ...
11}

This encrypted cast uses Laravel’s Crypt facade to encrypt and decrypt the attribute from the database. There were earlier PRs back in Laravel 5.3 which were closed that attempted to bring this functionality into Laravel.
If you use Laravel’s built-in encrypted cast notation then it is important to realise this locks your app key. As this is the secret which Crypt uses under the hood to encrypt and decrypt everything in Laravel from sessions and cookies.

The same weekend that Laravel encrypted casts were added into Laravel core, I completed a hackathon hosted by my Employer UKFast where I created EloquentEncrypted. This uses 4096-bit RSA keys to cast model attributes into the database in an encrypted form.

This separates Eloquents encryption from the app key so that you are free to rotate this as needed, something that is advised by Tighten in their blog post APP_KEY And You. This package also includes migration helpers to set the encrypted field accordingly in your database.

1Schema::create('sales_notes', function (Blueprint $table) {
2 $table->increments('id');
3 $table->encrypted('private_data');
4 $table->timestamps();
5});

The Eloquent Encryption package also allows for casting after encryption with a couple of initial offers to show how this can be done. You can cast to a string using the default Encrypted cast, an Integer or float and even to a collection. Collections are serialised into JSON strings which are then encrypted.

1<?php
2 
3namespace App\Models;
4 
5use Illuminate\Database\Eloquent\Model;
6use RichardStyles\EloquentEncryption\Casts\Encrypted;
7use RichardStyles\EloquentEncryption\Casts\EncryptedInteger;
8use RichardStyles\EloquentEncryption\Casts\EncryptedFloat;
9use RichardStyles\EloquentEncryption\Casts\EncryptedCollection;
10 
11class SalesData extends Model
12{
13 /**
14 * The attributes that should be cast.
15 *
16 * @var array
17 */
18 protected $casts = [
19 'private_data' => Encrypted::class,
20 'private_int' => EncryptedInteger::class,
21 'private_float' => EncryptedFloat::class,
22 'private_collection' => EncryptedCollection::class,
23 ];
24}

I’ve also put together another package called Eloquent AES which allows you to use AES-256-CBC encryption for your eloquent model data. This creates a separate Eloquent key which is used to encrypt/decrypt during casting.

1<?php
2namespace App\Models;
3 
4use Illuminate\Database\Eloquent\Model;
5use RichardStyles\EloquentAES\Casts\AESEncrypted;
6 
7class SalesData extends Model
8{
9 /**
10 * The attributes that should be cast.
11 *
12 * @var array
13 */
14 protected $casts = [
15 'private_data' => AESEncrypted::class,
16 ];
17}

This simply creates another instance of the Encrypter class within laravel using a different config key. This second package was created because people should be able to choose the method of encryption and how that choice affects other areas of their applications.

Filed in:

Richard Styles

Senior PHP Developer, with full-stack experience. TailwindCSS advocate.

Laravel News Partners