aeliot / doctrine-encrypted-field
Projects provides equipments to work with encrypted columns in database via fields of Doctrine entities
Installs: 402
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Type:symfony-bundle
Requires
- php: ^8.2
- ext-pdo: *
- doctrine/orm: ^2.15
- doctrine/persistence: ^2.0|^3.0
- symfony/config: ^6.2
- symfony/dependency-injection: ^6.2
- symfony/http-kernel: ^6.2
Requires (Dev)
- friendsofphp/php-cs-fixer: ^3.50
- phpstan/extension-installer: ^1.3
- phpstan/phpstan: ^1.10
- phpstan/phpstan-phpunit: ^1.3
- phpunit/phpunit: 9.5.*
- roave/security-advisories: dev-latest
- squizlabs/php_codesniffer: ^3.9
README
The bundle permits to encrypt separate fields of database.
Installation
Call command line script to install:
composer require aeliot/doctrine-encrypted-field
Integration into project
The package is flexible. You can use single or split secret for data encryption. There is described the simple integration with default settings.
- Define environment variable
DB_ENCRYPTION_KEY - Generate migration which install custom functions into database
- Define column encrypted type of doctrine entity
use Doctrine\ORM\Mapping as ORM; #[ORM\Entity()] class MyEntity { //... #[Orm\Column(type: 'encrypted_string')] private string $secret; }
- Generate migration which convert columns in database and encrypt data.
use Doctrine\DBAL\Schema\Schema; use Doctrine\Migrations\AbstractMigration; final class Version20240226205039 extends AbstractMigration { public function up(Schema $schema): void { $this->addSql('ALTER TABLE my_entity CHANGE secret secret VARBINARY(1024) DEFAULT NOT NULL'); $this->addSql('UPDATE my_entity SET secret = APP_ENCRYPT(secret) WHERE 1;'); } public function down(Schema $schema): void { $this->addSql('UPDATE my_entity SET secret = APP_DECRYPT(secret) WHERE 1;'); $this->addSql('ALTER TABLE my_entity CHANGE secret secret VARCHAR(255) DEFAULT NOT NULL'); } }
So, the data will be encrypted in the database and decrypted all over the project code. You don't need to change data type of you field of entity and don't need to make another updates of your project.
Configuration (optional):
You can use bundle without an extra configuration. But the most common one is like this:
aeliot_doctrine_encrypted_field: encryption_availability_checker: App\Doctrine\Encryption\EncryptionAvailabilityChecker functions_provider: App\Doctrine\Encryption\FunctionsProvider secret_provider: App\Doctrine\Encryption\SecretProvider
See example of FunctionProvider for the project with encryption key which divided on two parts:
- one in the app and is set the database connection session
- another one is in another database.
Key rotation
- Decrypt database by console command:
bin/console doctrine-encrypted-field:database:decrypt
- Change keys
- Encrypt database by console command:
bin/console doctrine-encrypted-field:database:encrypt
Database options
The bundle expects options of database tables:
- charset: utf8mb4
- collation: utf8mb4_unicode_ci