8

Previously, Laravel used the MCRYPT_RIJNDAEL_128 cipher for encryption (in <5.0). Now it's AES-256-CBC (>=5.1). Mcrypt seems to be abandonware and we should not use it.

I have an app written for Laravel <5.1 and migrated to Laravel 5.1. Can I change the cipher, or will it break everything?

EDIT:

In other words, can I switch from MCRYPT_RIJNDAEL_128 to AES-256-CBC in a Laravel production application with a populated database, connected users, etc. without service interruption/degradation or bugs?

rap-2-h
  • `MCRYPT_RIJNDAEL_128` is AES, so it could also be `AES-256-CBC`. Can you be more specific? – Artjom B. Sep 23 '15 at 08:28
  • Ok, I've just tried to be more precise (I don't know where exactly the encryption is used by Laravel), hope it's clear enough now (sorry if not) – rap-2-h Sep 23 '15 at 08:59

3 Answers

3

Yes you can do so. The only "built in" side effect should be that your users get logged out.

I say "built in" because if you have something else using that encryption key (running crypt/decrypt on data in your db, api/auth tokens, etc) then you'd have to figure out how to migrate those as well.

Tom Schlick
  • Will passwords work after changing the cipher? Because they are stored hashed in the database, and if there is a new encryption cipher, will it give a different result for the encrypted password, so that old_encrypted_password != new_encrypted_password? – user991 Oct 14 '15 at 11:35
  • Sorry for the late answer but I just saw this... -- Yes, passwords WILL work after the encryption key change because by default Laravel uses the standard PHP password hashing methods which use bcrypt. Bcrypt is a hash that cannot be decrypted and its salt is contained within the password string. You are safe to change the cipher without impacting your existing passwords (so long as you didn't do something manually with encryption). – Tom Schlick Apr 07 '17 at 13:11
2

I just tried it in a running application, and at least it throws Exceptions for users that already have Cookies/Sessions and when you are using 'encrypt' => true in config/sessions.php (which is disabled by default).

ErrorException in Encrypter.php line 101: openssl_decrypt(): IV passed is 32 bytes long which is longer than the 16 expected by selected cipher, truncating

Edit: This can be fixed by editing app/Http/Middleware/EncryptCookies.php and adding this function:

/**
 * Overrides the decrypt() method of the parent EncryptCookies middleware
 * (add `use Illuminate\Http\Request;` at the top of the file for the type hint).
 * Cookies that fail to decrypt under the new cipher are cleared instead of
 * aborting the request, so the affected users are simply logged out.
 */
protected function decrypt(Request $request)
{
    foreach ($request->cookies as $key => $c) {
        if ($this->isDisabled($key)) {
            continue;
        }

        try {
            $request->cookies->set($key, $this->decryptCookie($c));
        } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
            // Payload MAC or format is invalid under the current cipher: drop the cookie.
            $request->cookies->set($key, null);
        } catch (\ErrorException $e) {
            // PHP warning from openssl_decrypt() (e.g. the IV-length warning above)
            // converted to an exception by Laravel's error handler: drop it as well.
            $request->cookies->set($key, null);
        }
    }

    return $request;
}

This will remove the cookies that cannot be decoded, so basically it logs the user out.

Casper Bakker
0

It is totally safe to change from MCRYPT_RIJNDAEL_128 to 'AES-256-CBC'

How did I test it?

First, I encrypted text with MCRYPT_RIJNDAEL_128.
After that, I changed the cipher to 'AES-256-CBC' in config/app.php.
Third, I decrypted the encrypted string from the first step.

I also tested that logged-in users stay logged in after the cipher change.

So it is safe to say that changing cipher won't affect you.

Note: you can get "Warning: Use of undefined constant MCRYPT_RIJNDAEL_128" when updating to PHP 7.1 or 7.2. That's when I saw that I needed to change the cipher.

Mantas D
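A stand-alone version of the three-step test above, as an added example that is not the answer's own code: it creates one encrypter per cipher with the same key and round-trips constructed sample values in both directions, so the switch can be verified on a staging copy before it reaches production. It assumes a Laravel 5.1 install (which ships both Illuminate\Encryption\McryptEncrypter and the OpenSSL-based Illuminate\Encryption\Encrypter), the mcrypt extension still loaded, and a 32-byte APP_KEY in the environment.

```php
<?php
// Added check (not from the question or answers): round-trip payloads between
// Laravel 5.1's mcrypt-based and OpenSSL-based encrypters under the same key,
// so a cipher switch can be verified before it reaches production.
require __DIR__.'/vendor/autoload.php';

use Illuminate\Encryption\Encrypter;
use Illuminate\Encryption\McryptEncrypter;

// Turn PHP warnings (e.g. openssl_decrypt()'s "IV passed is 32 bytes long")
// into exceptions so they show up as failures rather than being ignored.
set_error_handler(function ($severity, $message, $file, $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

$key = getenv('APP_KEY');                 // assumption: the same key is kept
if (strlen($key) !== 32) {
    fwrite(STDERR, "APP_KEY must be 32 bytes for AES-256-CBC\n");
    exit(1);
}
$mcrypt  = new McryptEncrypter($key, MCRYPT_RIJNDAEL_128); // needs ext/mcrypt
$openssl = new Encrypter($key, 'AES-256-CBC');

/** Decrypt $payload with $decrypter and compare the result with $expected. */
function roundTrip($label, $payload, $decrypter, $expected)
{
    try {
        $ok = $decrypter->decrypt($payload) === $expected;
        printf("%-20s %s\n", $label, $ok ? 'OK' : 'MISMATCH');
        return $ok;
    } catch (Exception $e) {                // DecryptException or ErrorException
        printf("%-20s FAIL: %s\n", $label, $e->getMessage());
        return false;
    }
}

// Constructed sample values; Laravel serializes both scalars and arrays.
$samples = ['user@example.com', ['id' => 42, 'token' => 'sample-token']];
$allOk = true;
foreach ($samples as $plain) {
    $allOk = roundTrip('mcrypt -> openssl', $mcrypt->encrypt($plain), $openssl, $plain) && $allOk;
    $allOk = roundTrip('openssl -> mcrypt', $openssl->encrypt($plain), $mcrypt, $plain) && $allOk;
}
// A failure in either direction means ciphertexts, sessions or cookies written
// under the other cipher will not survive the switch without a migration step.
exit($allOk ? 0 : 1);
```

Save it as, for example, check-cipher.php in the application root and run `php check-cipher.php`; an exit status of 0 means the two ciphers are interchangeable for this key.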