APP_KEY is one of the most important first steps.
APP_KEY is used. For someone to exploit this issue, they'd need to have access to the production APP_KEY. The simplest fix for the exploit is to rotate (change) your APP_KEY. That led some of us at Tighten to ask the question: What does the app key do? What is involved in rotating it? What are best practices for managing these keys for our Laravel applications?
APP_KEY does and doesn't do, some common misconceptions about its relationship to user password hashing, and the simple steps to changing your APP_KEY safely without losing access to your data.
APP_KEYs work.
APP_KEY, which is why I'm going to walk you through the details of your key, why it's important, and how to change it.

APP_KEY?

APP_KEY key in your .env file. The Laravel installer generates one for you, so you'll only notice it missing when you clone an existing app.
.env, or you can run php artisan key:generate to have Laravel create and insert one automatically for you.

APP_KEY: cookies. Laravel uses the key for all encrypted cookies, including the session cookie, before handing them off to the user's browser, and it uses it to decrypt cookies read from the browser. This prevents the client from making changes to their cookies and granting themselves admin privileges or impersonating another user in your application. Encrypted cookies are an important security feature in Laravel.
Encrypter using PHP's built-in security tools, including OpenSSL. We won't be looking closely at how that encryption works here, but if you want to learn more I'd encourage you to read more on the PHP implementation of OpenSSL and the openssl_encrypt function.

APP_KEY is used to hash passwords. Thankfully, this isn't the case! I think this leads many people to assume that the APP_KEY is un-rotatable without breaking all of your users' logins.
Hash::make() or bcrypt(), neither of which use APP_KEY. Let's take a look at encryption and hashing in Laravel.

Crypt (symmetric encryption) and Hash (one-way cryptographic hashing). Passwords are hashed, and cookies are (optionally) encrypted. Let's look at the differences.
openssl_encrypt() (used by Laravel's Crypt) with our shared $key and have a plain-text encrypted string to send him:
APP_KEY as the encryption key. Response cookies are encrypted, sent to the user, read back in a future request, and decrypted, all using the same application key.

Crypt methods won't work, and therefore can't be based on a key that we have. Instead, we need a hashing function, which should be:
password_hash() function, defaulting to a hashing algorithm called bcrypt. For one-way hashing, it's a great default, and you shouldn't need to change it (though Laravel now offers a few other hashing methods, too).
users table, this might look familiar to you:
$2y$10$hEEF0lv4spxnvw5O4XyLZ.QjCE1tCu8HjMpWhmCS89J0EcSW0XELu
Here's what it means:
$2y$ - hashed using the blowfish algorithm (bcrypt)
10$ - the "cost" factor (higher means the hash takes longer to compute)
hEEF0lv4spxnvw5O4XyLZ. - a random "salt" of 22 characters
QjCE1tCu8HjMpWhmCS89J0EcSW0XELu - the hash output
password_verify() function to compare the new hash with the database hash:
APP_KEY when symmetric (reversible) encryption is needed. User password storage should never be reversible, and therefore doesn't need APP_KEY at all.
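To make the Crypt-versus-Hash distinction concrete, here is a plain-PHP example added for this write-up (it is not code from the Tighten article or from Laravel). It encrypts and decrypts a string with openssl_encrypt() under a constructed key, shows that a different key cannot read the result, then hashes a password with password_hash(), checks it with password_verify(), and splits the article's own bcrypt string into the four fields listed above. The encryptWithKey(), decryptWithKey(), explainBcrypt() and check() helpers, the IV-prefixed ciphertext layout, and the sample values are this example's own, not Laravel's.

```php
<?php
// Added example: plain PHP, not code from the article or from Laravel.
// Contrasts keyed, reversible encryption (what Laravel's Crypt does with APP_KEY)
// with keyless, one-way password hashing (what Hash::make()/bcrypt() do).
declare(strict_types=1);

const CIPHER = 'aes-256-cbc';

/** Print a one-line verdict instead of relying on assert(), which production ini settings disable. */
function check(bool $ok, string $what): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

/** Encrypt with a raw 32-byte key; returns IV-prefixed ciphertext (a constructed layout, not Laravel's). */
function encryptWithKey(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    return $iv . openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
}

/** Decrypt IV-prefixed ciphertext; returns null when OpenSSL rejects the result. */
function decryptWithKey(string $blob, string $key): ?string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $pt = openssl_decrypt(substr($blob, $ivLen), CIPHER, $key, OPENSSL_RAW_DATA, substr($blob, 0, $ivLen));
    return $pt === false ? null : $pt;
}

/** Split a bcrypt string into the fields the article lists. */
function explainBcrypt(string $hash): array
{
    // $2y$<cost>$<22-char salt><31-char hash>; salt and hash use bcrypt's ./A-Za-z0-9 alphabet
    if (!preg_match('#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['algorithm' => '$' . $m[1] . '$', 'cost' => (int) $m[2], 'salt' => $m[3], 'hash' => $m[4]];
}

// --- 1. Symmetric encryption: reversible, and tied to the key ---
$oldKey = random_bytes(32);   // stands in for the decoded current APP_KEY
$newKey = random_bytes(32);   // stands in for a freshly generated APP_KEY
$cookie = encryptWithKey('user_id=42', $oldKey);

check(decryptWithKey($cookie, $oldKey) === 'user_id=42', 'same key decrypts the cookie');
// After a key rotation the same ciphertext is unreadable: the padding check fails (null)
// or, rarely, garbage comes back. Either way it is not the original value.
check(decryptWithKey($cookie, $newKey) !== 'user_id=42', 'different key cannot read it');

// --- 2. Password hashing: no key anywhere, so rotating APP_KEY cannot touch it ---
$password = 'correct horse battery staple';
$hashA = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hashB = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

check($hashA !== $hashB, 'fresh random salt gives a different string each time');
check(password_verify($password, $hashA) && password_verify($password, $hashB),
    'both still verify, because the salt is stored inside the hash string');
check(!password_verify('wrong password', $hashA), 'wrong password is rejected');

// --- 3. Anatomy of the hash shown in the article ---
$stored = '$2y$10$hEEF0lv4spxnvw5O4XyLZ.QjCE1tCu8HjMpWhmCS89J0EcSW0XELu';
print_r(explainBcrypt($stored));
// algorithm => $2y$, cost => 10, salt => hEEF0lv4spxnvw5O4XyLZ., hash => QjCE1tCu8HjMpWhmCS89J0EcSW0XELu
```

Run it with `php crypt_vs_hash.php`. Section 1 is the failure mode the rest of the article warns about: anything encrypted under the old key stops decrypting the moment the key changes. Section 2 shows why passwords are exempt: password_verify() reads the cost and salt out of the stored string itself, so there is no external key whose rotation could invalidate it.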
APP_KEY; you just need to keep a few things in mind.
APP_KEY. Schedule your key rotation at an optimal time to minimize inconvenience for your users.
APP_KEY as a framework, you may have custom code in your application that encrypts your data. If you have any uses of Laravel's encrypting features, make and test a plan to decrypt that data with your old key and re-encrypt it with the new key.
APP_KEY
APP_KEY somewhere else, just in case changing your key has unintended side effects.
php artisan key:generate:
php artisan key:generate
.env file, include the --show flag:
php artisan key:generate --show
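The "decrypt with the old key, re-encrypt with the new key" plan described above, written out as an added example (not code from the article or from Laravel's own tooling). It drives Laravel's Encrypter class directly, so it needs `composer require illuminate/encryption` and its autoloader; the APP_KEY values, the id => ciphertext "rows", and the helpers encrypterFromAppKey() and reencrypt() are constructed for the demonstration.

```php
<?php
// Added example, not code from the article or from Laravel itself. It uses Laravel's
// Encrypter class directly; install it with `composer require illuminate/encryption`.
// Key values and the "rows" below are constructed for the demonstration.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;

const CIPHER = 'AES-256-CBC';

/** Build an Encrypter from an APP_KEY exactly as it appears in .env ("base64:..."). */
function encrypterFromAppKey(string $appKey): Encrypter
{
    $raw = str_starts_with($appKey, 'base64:')
        ? base64_decode(substr($appKey, strlen('base64:')), true)
        : $appKey;
    if ($raw === false || !Encrypter::supported($raw, CIPHER)) {
        throw new RuntimeException('APP_KEY is not a valid ' . CIPHER . ' key');
    }
    return new Encrypter($raw, CIPHER);
}

/**
 * Re-encrypt a map of id => ciphertext from the old key to the new key.
 * Values that will not decrypt under the old key are recorded in $failures
 * instead of aborting the run, so a half-migrated table can be inspected.
 */
function reencrypt(Encrypter $old, Encrypter $new, array $rows, array &$failures): array
{
    $out = [];
    foreach ($rows as $id => $ciphertext) {
        try {
            $out[$id] = $new->encryptString($old->decryptString($ciphertext));
        } catch (DecryptException $e) {
            $failures[$id] = $e->getMessage();
        }
    }
    return $out;
}

// The current key and its replacement (what `php artisan key:generate --show` would print).
$oldAppKey = 'base64:' . base64_encode(Encrypter::generateKey(CIPHER));
$newAppKey = 'base64:' . base64_encode(Encrypter::generateKey(CIPHER));
$old = encrypterFromAppKey($oldAppKey);
$new = encrypterFromAppKey($newAppKey);

// Constructed rows, as a column your code encrypted with Crypt under the old key would hold.
$rows = [
    7 => $old->encryptString('api token for partner A'),
    8 => $old->encryptString('api token for partner B'),
    9 => 'not-a-valid-payload',   // simulates a corrupt or already-migrated value
];

$failures = [];
$migrated = reencrypt($old, $new, $rows, $failures);

// Verify before the new key goes into .env: every migrated value reads back under the
// new key with the original plaintext, and the old key no longer accepts it.
foreach ($migrated as $id => $ciphertext) {
    $preserved = $new->decryptString($ciphertext) === $old->decryptString($rows[$id]);
    try {
        $old->decryptString($ciphertext);
        $oldRejects = false;
    } catch (DecryptException $e) {
        $oldRejects = true;   // "The MAC is invalid." under the old key
    }
    printf("row %d: plaintext preserved=%s, old key rejects=%s\n",
        $id, var_export($preserved, true), var_export($oldRejects, true));
}
printf("migrated %d row(s), %d failure(s): %s\n", count($migrated), count($failures), json_encode($failures));
```

Run it with `php reencrypt.php`; row 9 lands in the failure list with "The payload is invalid." rather than stopping the loop, which is the behaviour you want when a real migration meets a row that was already rotated or was never a Laravel payload. Write the migrated values back inside a transaction and only then change APP_KEY in .env. Laravel 11 and later can additionally keep the retiring key in APP_PREVIOUS_KEYS so existing cookies and ciphertexts stay readable during the changeover; the bulk re-encryption above is still what lets you drop the old key for good.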
APP_KEY does not affect user passwords
APP_KEY, logging out any current users
APP_KEY
APP_KEY along with your other credentials and keys