Menü schliessen

AGB | Datenschutz | Impressum

Created: May 19th 2025
Categories: Laravel, Php
Author: Miljan Puzovic

Laravel Encryption Key Rotation

Tags: Laravel, Security

Donation Section: Background

Monero Badge: QR-Code

Donate with

82uymVXLkvVbB4c4JpTd1tYm1yj1cKPKR2wqmw3XF8YXKTmY7JrTriP4pVwp2EJYBnCFdXhLq4zfFA6ic7VAWCFX5wfQbCC

Laravel uses APP_KEY variable defined in tour .env file for encrypting cookies and session cookies. It's recommended to change your APP_KEY at least every six months. But changing the APP_KEY will log out all users. In order to prevent that, there is a new APP_PREVIOUS_KEYS environment variable available from Laravel 11.

Laravel 11 allows you to define your application's previous encryption keys as a comma-delimited list via the APP_PREVIOUS_KEYS environment variable.

Laravel encrypts data using the current encryption key stored in the APP_KEY environment variable. During decryption, Laravel first attempts to use this current key. If unsuccessful, it systematically tries all previous keys until finding one that successfully decrypts the value. This graceful decryption strategy ensures users experience uninterrupted application usage even when encryption keys are rotated.

While this would work for all user sessions out-of-the-box, please keep in mind that if you've used encrypt(), decrypt() or any other Crypt functionalities manually you would need to handle this key change differently. E.g. if you have encrypted your files using encrypt() you would need to decrypt them using the old APP_KEY and encrypt them again using the new one.

Related Articles

May 27th 2025

Using Progress Bars in Laravel Artisan Commands

May 23rd 2025

Laravel Sail: Slow on Windows

March 31st 2025

Laravel Model $casts, Accessors & Mutators

March 10th 2025

How LEXO's Log Monitor Package Simplifies Error Tracking and Debugging

March 3rd 2025

Laravel: Migrate from Laravel UI Authentication to Fortify

February 21st 2025

Laravel: How to Fetch Posts from WordPress

February 13th 2025

Laravel: How to Schedule Tasks / Set Up Cron Jobs

January 31st 2025

Laravel: How to Bind "sail" as an Alias to "./vendor/bin/sail"

January 29th 2025

Laravel Blade: Using @section, @hasSection, and @yield for Flexible Layouts

November 26th 2024

Laravel's Route Model Binding

November 8th 2024

[SOLVED] SPF setting does not apply to Return-Path causing more spam and phishing e-mails | Spamassassin | Postfix

November 5th 2024

Laravel: How to Test SMTP Credentials

September 24th 2024

How to Use the $appends Property for Custom Attributes

September 18th 2024

Creating Custom Blade Directives in Laravel

September 11th 2024

Control Browser Caching in Laravel

September 10th 2024

Laravel: Define Messages for Custom Validation Rules

September 2nd 2024

Mastering Laravel Route Model Binding: Scoped Bindings, UUIDs, and Custom Routing Explained

July 7th 2023

How to query in Laravel multilevel (nested) json() column without unique keys

April 6th 2023

PHP: Sanitizing User Input

February 28th 2023

Linux IPTables :: Create a basic secure iptables ruleset for your server which is automatically applied upon system boot (systemd)

July 15th 2022

Add defer attribute to the Laravel Vite script tags

May 20th 2021

Laravel: Directory Structure

May 10th 2021

Laravel: Environment configuration

May 6th 2021

Laravel: create new Laravel application via Composer

April 29th 2021

Laravel Breeze Basic Installation

May 16th 2020

How to install Laravel in Homestead from scratch?

December 6th 2017

up_auto_log=true requests - What's that? ATTENTION! Hackers! UserPro Plugin security issues.

January 29th 2016

How to change the admin url or wp-admin to secure login in Wordpress

January 19th 2016

How to disable file editing in Wordpress