This package replaces Laravel's built-in encryption with encryption based on AWS KMS.
Two major features provided by KMS are:
- the ability to rotate the key automatically (annually) without deleting the previous ones
- you don't have access to the actual key, which means you can't leak it
This package is based on this blog post.
This package requires Laravel 8.x or higher.
You can install the package via composer:
composer require smknstd/laravel-kms-encryption
Next, publish the config file and set up your values:
php artisan vendor:publish --provider="Smknstd\LaravelKmsEncryption\LaravelKmsEncryptionServiceProvider"
If you want to use IAM roles that are already set up, the AWS SDK will use them automatically by default. Otherwise, you should set up credentials for an AWS user allowed to "use" the given KMS key by adding a kms section to your config/services.php file:
'kms' => [
    'key' => env('AWS_ACCESS_KEY_ID'),
    'secret' => env('AWS_SECRET_ACCESS_KEY'),
    'region' => env('AWS_REGION'),
],
Now every time you encrypt something, it will use the provided KMS key. This includes all fields using Eloquent's encrypted casting. If you have previously encrypted data, be aware that you won't be able to decrypt it.
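One way to handle the previously encrypted data mentioned above, as an added example that is not part of this package: decrypt each stored value with Laravel's built-in encrypter rebuilt from APP_KEY, then write it back through the Crypt facade. It assumes the facade now resolves to the KMS encrypter, that APP_KEY is still configured, and that rows have an `id` primary key; the function name and the table and column you pass in are hypothetical.

```php
<?php
// Added example (not the package's own code): one-off re-encryption of a
// column that was encrypted with APP_KEY before the KMS encrypter was installed.

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;

// Hypothetical helper; $table and $column are whatever your schema uses.
function reencryptColumnWithKms(string $table, string $column): array
{
    // Rebuild the built-in encrypter from APP_KEY, the way Laravel does itself.
    $key = config('app.key');
    if (Str::startsWith($key, 'base64:')) {
        $key = base64_decode(Str::after($key, 'base64:'));
    }
    $legacy = new Encrypter($key, config('app.cipher'));

    $stats = ['migrated' => 0, 'skipped' => 0];

    // chunkById pages on the primary key, so updating rows mid-run is safe.
    DB::table($table)->whereNotNull($column)
        ->chunkById(200, function ($rows) use ($table, $column, $legacy, &$stats) {
            foreach ($rows as $row) {
                try {
                    // Eloquent's encrypted cast stores values unserialized.
                    $plain = $legacy->decrypt($row->{$column}, false);
                } catch (DecryptException $e) {
                    // Not an APP_KEY payload: already migrated, or corrupt.
                    $stats['skipped']++;
                    continue;
                }
                // Assumption: Crypt is now backed by the KMS encrypter.
                DB::table($table)->where('id', $row->id)
                    ->update([$column => Crypt::encrypt($plain, false)]);
                $stats['migrated']++;
            }
        });

    return $stats;
}
```

Call it from an Artisan command or tinker after taking a backup. Rows counted as skipped on a first run deserve a manual look, since they were not valid APP_KEY ciphertext.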
If you use Laravel's EncryptCookies middleware, it can't work with KMS. To let the middleware continue working with Laravel's encrypter, you need to edit App\Http\Kernel.php. Just replace the existing middleware with:
protected $middlewareGroups = [
    'web' => [
        \Smknstd\LaravelKmsEncryption\Middleware\EncryptCookies::class,
        // ...
    ],
];
composer test
Please see CONTRIBUTING for details.
Please review our security policy on how to report security vulnerabilities.
The MIT License (MIT). Please see License File for more information.