
Using Laravel's Encryption Mechanism: Configuration, Encryption, and Decryption

This guide explains how Laravel leverages OpenSSL for AES‑256/128 encryption, requires a properly set APP_KEY, and provides helper functions and the Crypt facade for encrypting and decrypting values safely, including code examples for typical use cases.

Laravel Tech Community

Overview

Laravel's encryption mechanism uses OpenSSL to provide AES‑256 and AES‑128 encryption. Every encrypted payload is automatically signed with a message authentication code (MAC), so any modification of the encrypted value is detected when it is decrypted.

Configuration

Before using Laravel's encryption you must set the key option in config/app.php, which reads the APP_KEY environment variable, and generate the key with the Artisan command php artisan key:generate; if the key is missing or incorrect, all encrypted data is insecure.

Encrypting a Value

You can encrypt data with the encrypt helper, which uses OpenSSL AES‑256‑CBC and adds a MAC. The following controller example stores a user’s secret field encrypted.

<?php

namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;
use App\Http\Controllers\Controller;

class UserController extends Controller
{
    /**
     * Store user secret information
     */
    public function storeSecret(Request $request, $id)
    {
        $user = User::findOrFail($id);
        $user->fill([
            'secret' => encrypt($request->secret)
        ])->save();
    }
}

Encrypting Without Serialization

When you need to encrypt raw strings without Laravel’s default serialization, use the Crypt facade’s encryptString and decryptString methods.

use Illuminate\Support\Facades\Crypt;

$encrypted = Crypt::encryptString('Hello world.');

$decrypted = Crypt::decryptString($encrypted);

Decrypting a Value

To decrypt a value, use the decrypt helper. If the MAC is invalid or the payload cannot be decrypted, Laravel throws an Illuminate\Contracts\Encryption\DecryptException. The example below demonstrates proper error handling.

use Illuminate\Contracts\Encryption\DecryptException;

try {
    $decrypted = decrypt($encryptedValue);
} catch (DecryptException $e) {
    // handle decryption failure
}
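
The MAC check from the Overview and the failure path described above, as an added example in plain PHP; it is not code from the original article or from Laravel itself. It assumes the openssl extension. The demoEncrypt and demoDecrypt functions and the iv, value and mac payload fields are names chosen for this sketch, one key is used for both AES and HMAC, and RuntimeException stands in for DecryptException.

```php
<?php
// Added illustration, not Laravel's source; RuntimeException stands in for DecryptException.
const CIPHER = 'aes-256-cbc';

function demoEncrypt(string $plain, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $value = openssl_encrypt($plain, CIPHER, $key, 0, $iv); // base64 ciphertext
    if ($value === false) {
        throw new RuntimeException('Could not encrypt the data.');
    }
    $iv = base64_encode($iv);
    // The MAC covers the IV and the ciphertext, so neither can be altered unnoticed.
    $mac = hash_hmac('sha256', $iv . $value, $key);
    return base64_encode(json_encode(compact('iv', 'value', 'mac')));
}

function demoDecrypt(string $payload, string $key): string
{
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !is_string($data['iv'] ?? null)
        || !is_string($data['value'] ?? null) || !is_string($data['mac'] ?? null)) {
        throw new RuntimeException('The payload is invalid.');
    }
    // Check the MAC in constant time before any decryption is attempted.
    $expected = hash_hmac('sha256', $data['iv'] . $data['value'], $key);
    if (!hash_equals($expected, $data['mac'])) {
        throw new RuntimeException('The MAC is invalid.');
    }
    $plain = openssl_decrypt($data['value'], CIPHER, $key, 0, base64_decode($data['iv']));
    if ($plain === false) {
        throw new RuntimeException('Could not decrypt the data.');
    }
    return $plain;
}

$key = random_bytes(32);                     // constructed 256-bit key
$token = demoEncrypt('Hello world.', $key);  // constructed sample plaintext
echo demoDecrypt($token, $key), PHP_EOL;
// Alter one character of the ciphertext, then try the untouched payload with another key.
$data = json_decode(base64_decode($token), true);
$data['value'][0] = $data['value'][0] === 'A' ? 'B' : 'A';
$cases = [[base64_encode(json_encode($data)), $key], [$token, random_bytes(32)]];
foreach ($cases as [$candidate, $candidateKey]) {
    try {
        demoDecrypt($candidate, $candidateKey);
    } catch (RuntimeException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Both the altered payload and the key mismatch are rejected at the MAC comparison, before the ciphertext reaches openssl_decrypt.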