CipherSweet for Laravel

A Laravel implementation of Paragon Initiative Enterprises CipherSweet searchable field level encryption.

Make sure you have some basic understanding of CipherSweet before continuing.

Installation

Install the package using composer:

composer require bjorn-voesten/ciphersweet-for-laravel

The package will then automatically register itself.

Encryption key

In your .env file you should add:

CIPHERSWEET_KEY=

And then generate an encryption key:

php artisan ciphersweet:key

Config file

Publish the config file:

php artisan vendor:publish --tag=ciphersweet-config

Usage

Define encryption

Add the BjornVoesten\CipherSweet\Concerns\WithAttributeEncryption trait to your model
and add the BjornVoesten\CipherSweet\Casts\Encrypted cast to the attributes you want to encrypt.

<?php

use Illuminate\Database\Eloquent\Model;
use BjornVoesten\CipherSweet\Concerns\WithAttributeEncryption;
use BjornVoesten\CipherSweet\Casts\Encrypted;

class User extends Model
{
    use WithAttributeEncryption;
    
    protected $fillable = [
        'social_security_number',
    ];

    protected $casts = [
        'social_security_number' => Encrypted::class,
    ];
}

By default, the index column name is generated using the name suffixed by _index.
So social_security_number will use social_security_number_index.

Using custom indexes

Alternatively you can define multiple indexes per attribute and and define more options.

<?php

use Illuminate\Database\Eloquent\Model;
use BjornVoesten\CipherSweet\Concerns\WithAttributeEncryption;
use BjornVoesten\CipherSweet\Casts\Encrypted;
use BjornVoesten\CipherSweet\Contracts\Attribute;
use BjornVoesten\CipherSweet\Contracts\Index;

class User extends Model
{
    // ...

    /**
     * Encrypt the social security number.
     *
     * @param \BjornVoesten\CipherSweet\Contracts\Attribute $attribute
     * @return void
     */
    public function encryptSocialSecurityNumberAttribute(Attribute $attribute): void
    {
        $attribute->index('social_security_number_last_four_index', function (Index $index) {
            $index
                ->bits(16)
                ->transform(new LastFourDigits());
        });
    }
}

Encrypt and decrypt

Attributes will be automatically encrypted and decrypted when filling and retrieving attribute values.

Note Because the package uses Laravel casts it is not possible to combine the Encrypted cast and accessors/mutators.

Searching

Note When searching with the equal to operator models will be returned when the value is found in one of all available or defined indexes. When searching with the not equal to operator all models where the value is not found in any of the available or the defined indexes are returned.

Note Because of the limited search possibilities in CipherSweet only the = and != operators are available when searching encrypted attributes.


whereEncrypted, orWhereEncrypted

 User::query()
    ->whereEncrypted('social_security_number', '=', '123-456-789')
    ->orWhereEncrypted('social_security_number', '=', '123-456-789')
    ->get();

whereInEncrypted, orWhereInEncrypted

 User::query()
    ->whereInEncrypted('social_security_number', [
        '123-456-789',
    ])
    ->orWhereInEncrypted('social_security_number', [
        '456-123-789',
    ])
    ->get();

Contributing

Please see contributing.md for details and a todolist.

Security

If you discover any security related issues, please email security@bjornvoesten.com instead of using the issue tracker.

Testing

make test