Amit Merchant

Amit Merchant

A blog on PHP, JavaScript, and more

Encrypting and decrypting environment files in Laravel 9.x

September 30, 2022 ·

The use of environment files in Laravel (or any other similar framework) is pretty common. You can use the .env file to store the environment variables. This is a great way to store sensitive information like API keys, database credentials, etc. in a secure way.

The problem

These environment files are not committed to the version control system (like Git) because they contain sensitive information. So, you can’t share them with your team members.

Instead, you can share the .env.example file which contains the environment variables with their default values. This way, your team members can create their own .env file by copying the .env.example file and setting the values for the environment variables. The .env.example file can be committed to the version control system.

The problem with this approach is that every time you change the environment variables, you have to update the .env.example file as well. And you need to let your team members know about the changes. This is sort of a manual process and can be error-prone.

So, what if there is a way using which you can commit the .env file to the version control system and use it without compromising the security of the environment variables?

That’s where these two new commands in Laravel 9.x come into play.

Encrypting the environment file

Laravel 9.x introduces a new php artisan env:encrypt command that can be used to encrypt the environment file. For example, if you have a .env file in your project, you can encrypt it using the following command.

$ php artisan env:encrypt

Here’s how the output looks like.

Laravel env encrypt

As you can tell, the php artisan env:encrypt command encrypts the .env file and creates a new .env.encrypted file. This file contains the encrypted environment variables.

The command uses an encryption key (stored in the LARAVEL_ENV_ENCRYPTION_KEY environment variable) and a cipher (stored in the LARAVEL_ENV_ENCRYPTION_CIPHER environment variable) to encrypt the environment variables. The default cipher is AES-256-CBC.

This encrypted environment file can be safely committed to the version control system.

Overriding the encryption key and cipher

You can override the encryption key and cipher by passing the --key and --cipher options to the command. You can use one of the ciphers supported by the Laravel Encrypter.

$ php artisan env:encrypt --key=securekey --cipher=AES-256-CBC

If you’re using your own encryption key, make sure you store it safely because you will need it to decrypt the environment file further.

Environment specific encryption

You can also encrypt the environment file for a specific environment. For example, if you want to encrypt the .env file for the production environment, you can do so by passing the --env option to the command.

$ php artisan env:encrypt --env=production

The above command will look for an environment file called .env.production. If the file exists, the contents will be encrypted and stored in a file called .env.production.encrypted.

If an encrypted file already exists at the location where the command is attempting to store it, it will not be overwritten by default. Of course, you may choose to do so using the --force option.

$ php artisan env:encrypt --force

Decrypting the environment file

The php artisan env:decrypt command can be used to decrypt the encrypted environment file. For example, if you have a .env.encrypted file in your project, you can decrypt it using the following command like so.

$ php artisan env:decrypt --key=base64:o0MzJDUHH/RJgFQk3p9KUoeYD3x4rIdOfl6T1hQRpvg= --force

The result would look like so.

Laravel env decrypt

As you can tell, the php artisan env:decrypt command decrypts the .env.encrypted file and creates a new .env file. This file contains the decrypted environment variables.

The command would need the encryption key used to encrypt the environment file. You can pass the encryption key using the --key option.

If you don’t pass the encryption key, the command will look for the presence of an environment variable called LARAVEL_ENV_ENCRYPTION_KEY.

Environment specific encryption

The php artisan env:decrypt command can also be used to decrypt the environment file for a specific environment. For example, if you want to decrypt the .env.production.encrypted file for the production environment, you can do so by passing the --env option to the command.

$ php artisan env:decrypt --key=h9kAPUmxdZ8ZbwT3 --env=production

The above command will look for an encrypted environment file called .env.production.encrypted. If the file exists, the contents will be decrypted and stored in a file called .env.production.

In closing

And that’s it. You can now encrypt and decrypt the environment files in Laravel 9.x. This is a great way to share the environment files with your team members without compromising the security of the environment variables.

It also removes the need to update the .env.example file every time you change the environment variables which is pretty handy!

Learn the fundamentals of PHP 8 (includes 8.1 and 8.2), the latest version of PHP, and how to use it today with my new book PHP 8 in a Nutshell. It's a no-fluff and easy-to-read guide to the latest features and nitty-gritty details of PHP 8. So, if you're looking for a quick and easy way to PHP 8, this is the book for you.

👋 Hi there! I'm Amit. I write articles about all things web development. If you like what I write and want me to continue doing the same, I would like you buy me some coffees. I'd highly appreciate that. Cheers!

Comments?