README

Introduction

This package replaces Laravel's built-in encryption with an encryption based on AWS KMS.

Two major features provided by kms are:

• ability to automatically rotate key (annually) without deleting the previous ones
• you don’t have access to the actual key, which means you can’t leak it

This package has been based on this blogpost

Installation

This package requires Laravel 8.x or higher.

You can install the package via composer:

composer require smknstd/laravel-kms-encryption

Next you should publish the config file, and setup your values :

php artisan vendor:publish --provider="Smknstd\LaravelKmsEncryption\LaravelKmsEncryptionServiceProvider"

If you want to use IAM Roles that are already setup, aws sdk will automatically use them by default. Otherwise, you should setup credentials to the proper aws user allowed to "use" the given kms key, by adding a kms section in your config/services.php file :

    'kms' => [
        'key' => env('AWS_ACCESS_KEY_ID'),
        'secret' => env('AWS_SECRET_ACCESS_KEY'),
        'region' => env('AWS_REGION'),
    ],

Now everytime you'll encrypt something it will use the provided kms key. It includes all fields using eloquent's encrypted casting. If you have previously encrypted data, be aware that you won't be able to decrypt it.

Cookies encryption

If you use laravel's middleware EncryptCookies, it can't work with kms. To let the middleware continue working with laravel's encrypter you need to edit App\Http\kernel.php. Just replace the existing middleware with :

   protected $middlewareGroups = [
     'web' => [
         \Smknstd\LaravelKmsEncryption\Middleware\EncryptCookies::class,
         ...
     ]
   ]

Testing

composer test

Contributing

Please see CONTRIBUTING for details.

Security Vulnerabilities

Please review our security policy on how to report security vulnerabilities.

Credits

• Arnaud Becher
• Marco Aurélio Deleu

License

The MIT License (MIT). Please see License File for more information.