Replies: 2 comments 3 replies
-
I think this is a problem that needs to be solved for each application specifically. If the framework were to provide a tool, it would need to be very flexible and customisable to support many different scenarios. The framework doesn't know how you've used encryption on your models, so it wouldn't be able to reliably re-encrypt everything safely. There would always be the risk of it missing some encrypted values, or corrupting encrypted values if they are stored in unique formats. I think it's safer to implement your own Artisan command, as you know your data and what would need to be re-encrypted.
-
I got inspired and needed a weekend project. The following is the product of that: https://packagist.org/packages/henzeb/laravel-encrypted-data-rotator Would be nice if someone were to test this out, see what's missing, note some potential bugs or other issues.
-
Currently, when you rotate keys, the data itself isn't rotated but the keys are. New data gets stored with the new key, and old data expects old keys. The implemented code currently tries to decrypt through the old keys in a loop, but you end up with a collection of keys. This partially defeats the purpose of key rotation. Add support to re-encrypt data natively. Ideally it could be a command that dispatches a batch job that iterates through various models that contain the encrypted casting so that old keys can be disposed of.
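An added example, not code from this thread or from the framework: one shape the application-specific Artisan command suggested above could take, re-encrypting a single column so the old keys can be retired. It assumes Laravel 11 or later with the old keys still listed in `APP_PREVIOUS_KEYS`, a table with an integer `id` primary key, and a column written through the `encrypted` cast with the default encrypter; the class name and the `app:reencrypt` command name are hypothetical.

```php
<?php

namespace App\Console\Commands;

use Illuminate\Console\Command;
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\DB;

class ReencryptColumn extends Command
{
    // Hypothetical command name; the operator names the table and column explicitly.
    protected $signature = 'app:reencrypt {table} {column} {--dry-run}';

    public function handle(): int
    {
        [$table, $column] = [$this->argument('table'), $this->argument('column')];
        // Encrypter that knows only the current key: it decrypts a value
        // only if that value has already been rotated.
        $currentOnly = new Encrypter(Crypt::getKey(), config('app.cipher'));
        $rotated = $current = $failed = 0;

        DB::table($table)->whereNotNull($column)->chunkById(500,
            function ($rows) use ($table, $column, $currentOnly, &$rotated, &$current, &$failed) {
                foreach ($rows as $row) {
                    try {
                        $currentOnly->decryptString($row->{$column});
                        $current++;          // already under the current key
                        continue;
                    } catch (DecryptException) {
                        // Fall through: the value needs one of the previous keys.
                    }
                    try {
                        $plain = Crypt::decryptString($row->{$column});
                    } catch (DecryptException) {
                        // Never overwrite what cannot be decrypted; report it instead.
                        $failed++;
                        $this->warn("id {$row->id}: no configured key decrypts this value");
                        continue;
                    }
                    if (! $this->option('dry-run')) {
                        DB::table($table)->where('id', $row->id)
                            ->update([$column => Crypt::encryptString($plain)]);
                    }
                    $rotated++;
                }
            });
        $this->info("rotated={$rotated} already-current={$current} undecryptable={$failed}");
        return $failed === 0 ? self::SUCCESS : self::FAILURE;
    }
}
```

Run it with `--dry-run` first, and remove a key from `APP_PREVIOUS_KEYS` only once every encrypted column reports `rotated=0` and `undecryptable=0`.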