Eloquent Encrypted Casting

Eloquent Encrypted Casting

A recent pull request by Jason McCreary which was released in Laravel 8.12 included the ability to encrypt a model attribute using an Eloquent cast.
The included encrypted cast option now also allows casting the attribute into an array, JSON, object or a collection after it has been decrypted.

class EncryptedCast extends Model
{
    public $casts = [
        'secret' => 'encrypted',
        'secret_array' => 'encrypted:array',
        'secret_json' => 'encrypted:json',
        'secret_object' => 'encrypted:object',
        'secret_collection' => 'encrypted:collection',
    ];
    ...
}

This encrypted cast uses Laravel’s Crypt facade to encrypt and decrypt the attribute from the database. There were earlier PRs back in Laravel 5.3 which were closed that attempted to bring this functionality into Laravel.
If you use Laravel’s built-in encrypted cast notation then it is important to realise this locks your app key. As this is the secret which Crypt uses under the hood to encrypt and decrypt everything in Laravel from sessions and cookies.

The same weekend that Laravel encrypted casts were added into Laravel core, I completed a hackathon hosted by my Employer UKFast where I created EloquentEncrypted. This uses 4096-bit RSA keys to cast model attributes into the database in an encrypted form.

This separates Eloquents encryption from the app key so that you are free to rotate this as needed, something that is advised by Tighten in their blog post APP_KEY And You. This package also includes migration helpers to set the encrypted field accordingly in your database.

Schema::create('sales_notes', function (Blueprint $table) {
    $table->increments('id');
    $table->encrypted('private_data');
    $table->timestamps();
});

The Eloquent Encryption package also allows for casting after encryption with a couple of initial offers to show how this can be done. You can cast to a string using the default Encrypted cast, an Integer or float and even to a collection. Collections are serialised into JSON strings which are then encrypted.

<?php

namespace App\Models;

use Illuminate\Database\Eloquent\Model;
use RichardStyles\EloquentEncryption\Casts\Encrypted;
use RichardStyles\EloquentEncryption\Casts\EncryptedInteger;
use RichardStyles\EloquentEncryption\Casts\EncryptedFloat;
use RichardStyles\EloquentEncryption\Casts\EncryptedCollection;

class SalesData extends Model
{
    /**
     * The attributes that should be cast.
     *
     * @var array
     */
    protected $casts = [
        'private_data' => Encrypted::class,
        'private_int' => EncryptedInteger::class,
        'private_float' => EncryptedFloat::class,
        'private_collection' => EncryptedCollection::class,
    ];
}

I’ve also put together another package called Eloquent AES which allows you to use AES-256-CBC encryption for your eloquent model data. This creates a separate Eloquent key which is used to encrypt/decrypt during casting.

<?php
namespace App\Models;

use Illuminate\Database\Eloquent\Model;
use RichardStyles\EloquentAES\Casts\AESEncrypted;

class SalesData extends Model
{
    /**
     * The attributes that should be cast.
     *
     * @var array
     */
    protected $casts = [
        'private_data' => AESEncrypted::class,
    ];
}

This simply creates another instance of the Encrypter class within laravel using a different config key. This second package was created because people should be able to choose the method of encryption and how that choice affects other areas of their applications.

Filed in: News

Newsletter

Join 31,000+ others and never miss out on new tips, tutorials, and more.

Laravel News Partners

Laravel Jobs

Senior Full Stack PHP Developer (Laravel)
Remote
MAPPEN
Senior Laravel Developer
Remote
ACTO
Senior Full-Stack Engineer
[REMOTE: USA Only]
Curricula
Developers for B2B eCommerce SaaS, AWS serverless, Laravel, Vue, Python
Remote, full time EU only
ES Tech Group
Senior PHP Developer (Laravel)
Remote
The Interaction Design Foundation