
Allow encryption keys as strings

Open numediaweb opened this issue 5 years ago • 2 comments

When using Docker deployments we cannot save files/keys onto the machine: is it possible to feed the key string directly into the bundle instead of using key files?

ambta_doctrine_encrypt:
    secret_key_path: '%encryption_key%'   # 32 byte hexadecimal string

numediaweb avatar Mar 11 '20 15:03 numediaweb

Why not use docker-compose and map the volume? You can manually create a .HaliteEncryptor.key with a string in the local folder and it will be automatically synced.

volumes:
  - ./local_folder:/var/www/webroot

Jeordy avatar May 06 '20 13:05 Jeordy

I ended up doing something along these lines.

First I implemented the following custom encryptor:

use Ambta\DoctrineEncryptBundle\Encryptors\EncryptorInterface;
use ParagonIE\Halite\Alerts\HaliteAlert;
use ParagonIE\Halite\Symmetric\Crypto;
use ParagonIE\Halite\Symmetric\EncryptionKey;
use ParagonIE\HiddenString\HiddenString;

final class HaliteIntegratedEncryptor implements EncryptorInterface
{
    private EncryptionKey $cryptographerSecret;

    /**
     * @param string $cryptographerSecret 32-byte key as a 64-character hex string
     */
    public function __construct(string $cryptographerSecret)
    {
        // Build the key directly from the hex string. Deriving it with
        // KeyFactory::deriveEncryptionKey() and a random_bytes() salt would
        // produce a different key on every request, so data written in one
        // request could not be decrypted in the next.
        $raw = \sodium_hex2bin($cryptographerSecret);
        if (\strlen($raw) !== \SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new \InvalidArgumentException('Encryption key must be a 64-character hex string (32 bytes)');
        }
        $this->cryptographerSecret = new EncryptionKey(new HiddenString($raw));
    }

    /**
     * @param string $data
     *
     * @throws HaliteAlert
     */
    public function encrypt($data): string
    {
        return Crypto::encrypt(new HiddenString($data), $this->cryptographerSecret);
    }

    /**
     * @param string $data
     *
     * @throws HaliteAlert
     */
    public function decrypt($data): string
    {
        $data = Crypto::decrypt($data, $this->cryptographerSecret);

        // Halite returns the plaintext wrapped in a HiddenString; unwrap it for Doctrine.
        if ($data instanceof HiddenString) {
            $data = $data->getString();
        }

        return $data;
    }
}

Then in the configuration I made the following changes:

ambta_doctrine_encrypt:
  encryptor_class: 'App\Some\Namespace\To\Encoder\HaliteIntegratedEncryptor'
  # secret_directory_path: '%kernel.project_dir%' # <- Doesn't matter anymore as we are overriding it in services.

# Because our constructor needs the key itself instead of a path to a file, we need to override the argument.
services:
  ambta_doctrine_encrypt.encryptor:
    class: "%ambta_doctrine_encrypt.encryptor_class_name%"
    arguments:
    # - '%ambta_doctrine_encrypt.secret_key_path%' # <- This has been replaced with HEX key.
      - '%env(CRYPTO_SECRET)%'

In my case I manage CRYPTO_SECRET via Symfony secret management, which is something you should use. https://symfony.com/doc/current/configuration/secrets.html

Hope this helps!

NikoGrano avatar Jul 30 '20 11:07 NikoGrano
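Added example (not from the issue or the bundle) showing why the key must be built directly from the secret string: two key objects constructed from the same hex string in separate requests interoperate, while keys derived with a fresh random salt do not. It assumes paragonie/halite is installed via Composer and uses a constructed placeholder secret.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // paragonie/halite (assumed installed)

use ParagonIE\Halite\Alerts\HaliteAlert;
use ParagonIE\Halite\KeyFactory;
use ParagonIE\Halite\Symmetric\Crypto;
use ParagonIE\Halite\Symmetric\EncryptionKey;
use ParagonIE\HiddenString\HiddenString;

// Constructed sample secret; in Symfony it would come from %env(CRYPTO_SECRET)%.
// A real one is generated with: php -r 'echo bin2hex(random_bytes(32)), PHP_EOL;'
$hexSecret = str_repeat('ab', 32); // 64 hex characters = 32 bytes

/** Build an EncryptionKey from a 32-byte hex string, as the service argument would. */
function keyFromHex(string $hex): EncryptionKey
{
    $raw = sodium_hex2bin($hex);
    if (strlen($raw) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('expected 64 hex characters (32 bytes)');
    }
    return new EncryptionKey(new HiddenString($raw));
}

// Simulate two separate PHP requests: each builds its own key from the same string.
$requestOne = keyFromHex($hexSecret);
$requestTwo = keyFromHex($hexSecret);
$cipher = Crypto::encrypt(new HiddenString('field-value-placeholder'), $requestOne);
$plain  = Crypto::decrypt($cipher, $requestTwo)->getString();
printf("direct key, cross-request decrypt: %s\n", $plain === 'field-value-placeholder' ? 'OK' : 'FAIL');

// Contrast: deriving with a fresh random salt on each request yields unrelated keys,
// so ciphertext stored by one request cannot be read by the next.
$derivedOne = KeyFactory::deriveEncryptionKey(new HiddenString($hexSecret), random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES));
$derivedTwo = KeyFactory::deriveEncryptionKey(new HiddenString($hexSecret), random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES));
$cipher = Crypto::encrypt(new HiddenString('field-value-placeholder'), $derivedOne);
try {
    Crypto::decrypt($cipher, $derivedTwo);
    echo "random-salt derivation: unexpectedly decrypted\n";
} catch (HaliteAlert $e) {
    echo "random-salt derivation: decrypt fails across requests (" . $e->getMessage() . ")\n";
}
```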