In your project, you might store some sensitive personal or credential data in your database. Should an unauthorized person get access to your DB, all this sensitive can be read.

To solve this problem, you can encrypt the data. This way, unauthorized persons cannot read it, but your application can still decrypt it when you need to display or work with the data.

CipherSweet is a backend library developed by Paragon Initiative Enterprises for implementing searchable field-level encryption. It can encrypt and decrypt values in a very secure way. It is also able to create blind indexes. A blind index can be used to perform some targeted searches on the encrypted data. The indexes themselves are unreadable by humans.

Installation

You can install the package via composer:

composer require spatie/laravel-ciphersweet

You must publish and run the migrations with:

php artisan vendor:publish --tag="ciphersweet-migrations"

php artisan migrate

Optionally, you can publish the config file with:

php artisan vendor:publish --tag="ciphersweet-config"

Usage

Few steps are involved to store encrypted values. Let’s go through them.

1. Preparing your model and choosing the attributes that should be encrypted

Add the CipherSweetEncrypted interface and UsesCipherSweet trait to the model that you want to add encrypted fields to.

You’ll need to implement the configureCipherSweet method to configure CipherSweet.

use Spatie\LaravelCipherSweet\Contracts\CipherSweetEncrypted;
use Spatie\LaravelCipherSweet\Concerns\UsesCipherSweet;
use ParagonIE\CipherSweet\EncryptedRow;
use Illuminate\Database\Eloquent\Model;

class User extends Model implements CipherSweetEncrypted
{
    use UsesCipherSweet;
    
    /**
     * Encrypted Fields
     *
     * Each column that should be encrypted should be added below. Each column
     * in the migration should be a `text` type to store the encrypted value.
     *
     * ```
     * ->addField('column_name')
     * ->addBooleanField('column_name')
     * ->addIntegerField('column_name')
     * ->addTextField('column_name')
     * ```
     *
     * A JSON array can be encrypted as long as the key structure is defined in
     * a field map. See the docs for details on defining field maps.
     *
     * ```
     * ->addJsonField('column_name', $fieldMap)
     * ```
     *
     * Each field that should be searchable using an exact match needs to be
     * added as a blind index. Partial search is not supported. See the docs
     * for details on bit sizes and how to use compound indexes.
     *
     * ```
     * ->addBlindIndex('column_name', new BlindIndex('column_name_index'))
     * ```
     *
     * @see https://github.com/spatie/laravel-ciphersweet
     * @see https://ciphersweet.paragonie.com/
     * @see https://ciphersweet.paragonie.com/php/blind-index-planning
     * @see https://github.com/paragonie/ciphersweet/blob/master/src/EncryptedRow.php
     *
     * @param EncryptedRow $encryptedRow
     *
     * @return void
     */
    public static function configureCipherSweet(EncryptedRow $encryptedRow): void
    {
        $encryptedRow
            ->addField('email')
            ->addBlindIndex('email', new BlindIndex('email_index'));
    }
}

2. Generating the encrypting key

An encryption key is used to encrypt your values. You can generate a new CipherSweet encrypting key using this command:

php artisan ciphersweet:generate-key

3. Encrypting model attributes

With this in place, you can run this command to encrypt all values:

php artisan ciphersweet:encrypt <your-model-class> <generated-key>

The command will update all the encrypted fields and blind indexes of the model.

If you have a lot of rows, this process can take a long time. The command is restartable: it can be re-run without needing to re-encrypt already rotated keys.

4. Updating your .env file

After the fields have been encrypted, you should add the generated CipherSweet key to your .env file.

CIPHERSWEET_KEY=<YOUR-KEY>

The key will be used by your application to read encrypted values.

For more details, You can visit Github