Encryption in Laravel and creating encrypted openssl links to access application resources

Encryption in Laravel is a simple and easy-to-use interface for securing data in your web applications.

Laravel provides an intuitive way to protect and ensure the data integrity of any application, like encrypting user passwords, protecting data in sessions and cookies.

In this article, we will look at the key aspects of encryption in Laravel and how using it can increase the security of your project.


Before you can get started with encryptor in Laravel, you need to carefully configure the key parameter in the onfig/app.php configuration file. This is important and is a key component to securing your application.

To create a cryptographically secure key for your project, it is recommended to use the php artisan key:generate command.

This command carefully utilizes PHP's secure random byte generator to ensure that your key is safe and secure.


To securely encrypt values in Laravel, you can use the encryptString method from the Crypt facade.

All your data will be encrypted using OpenSSL and the AES-256-CBC cipher, providing a high level of security. In addition, each encrypted value will be signed with a message authentication code (MAC).

This embedded message authentication code is an additional layer of protection that reliably prevents the decryption of any data that could be tampered with by attackers. Your sensitive information remains safe with these security measures.


Under the hood, the facade encrypts data with a given cipher and key (APP_KEY) and returns a base64 encoded string.

In detail: an execution vector (Initialization Vector or IV -$iv, a kind of salt for encryption, is created. And encoded with openssl_encrypt which takes the data (string), key and salt (everything we need) and gives back a base64 encoded string.

In case you want to encrypt the same string, for example secret, twice using Crypt::encryptString('secret'). Expecting to see the same result. You will be wrong! Since $iv creates each time a random set of bytes and in the end we get different strings.

The decryptString method of the Crypt facade is used to decrypt the values.

Decoding may throw an error

Create encrypted link to show secret information

Often in a project you need to create a unique link, for system users and not only, and show available data.

For a better example, let's create a secret link that will be sent to mail and saved in the database in encrypted form.

Creating a route

Route::get('/sharedUrl', [Controller::class, 'secret'];

Create a unique token

First we need to create a unique token to access the resource. Let's create a new function:

public function createNewToken(): string
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $key = Str::random(16);

    return base64_encode($key . '::' . $iv);

IV will be included in the random generated string, for correct decryption.

Encrypting the token

To encrypt the created token we will use the cryptToken() method. The method accepts the created token and first extracts IV to create a cryptographic openssl value.

public function cryptToken(string $token): string
    try {
        [, $iv] = explode('::', base64_decode($token));

        $value = \openssl_encrypt($token, 'aes-256-cbc', $this->hashKey, OPENSSL_RAW_DATA, $iv);
    } catch (\Exception $exception) {
        return '';

    return base64_encode($value . '::' . $iv);

IV is passed from the beginning of the token creation to get its initial version. This solves the problem when we want to encrypt a string twice and get the same result.

Example encryption

$token = $this->createNewToken(); // WDU0YXJIVzA1UEw1WHJCUDo6Pf3Yh+jYZSpTRUGpBbTPzg==

// The same
$cryptToken = $this->cryptToken('WDU0YXJIVzA1UEw1WHJCUDo6Pf3Yh+jYZSpTRUGpBbTPzg=='); // hYSc6KN6XLQRpyYQe1WyaGERGS9qtoSH9YHCIuZDDLzpL+lDfPeHcePXiNkztOeh1AVNKPLzmX8fvoC4CXCovjDo6Pf3Yh+jYZSpTRUGpBbTPzg==''
$cryptToken = $this->cryptToken('WDU0YXJIVzA1UEw1WHJCUDo6Pf3Yh+jYZSpTRUGpBbTPzg=='); // hYSc6KN6XLQRpyYQe1WyaGERGS9qtoSH9YHCIuZDDLzpL+lDfPeHcePXiNkztOeh1AVNKPLzmX8fvoC4CXCovjDo6Pf3Yh+jYZSpTRUGpBbTPzg==''

We can mail the created $token token, but we will write $cryptToken to the database by associating it with a user or other application entity. In case the database is hacked, our tokens will be protected by the APP_KEY key.

if you change the APP_KEY of your application, all encrypted data stored in it can no longer be decrypted

Receive token data

After sending the application link, to mail or td. /sharedUrl?token=WDU0YXJIVzA1UEw1WHJCUDo6Pf3Yh+jYZSpTRUGpBbbTPzg== we need to understand which user the token belongs to. To do this, we need to compare the encoded values.

$token = "WDU0YXJIVzA1UEw1WHJCUDo6Pf3Yh+jYZSpTRUGpBbTPzg==";

$cryptToken = $this->cryptToken($token); // hYSc6KN6XLQRpyYQe1WyaGERGS9qtoSH9YHCIuZDLzpL+lDfPeHcePXiNkztOeh1AVNKPLzmX8fvoC4CXCovjDo6Pf3Yh+jYZSpTRUGpBbTPzg==

$viewerToken = DB::table('viewer_access_tokens')->where('token', $cryptToken)->first();

Image description

Decrypting a token

To decrypt the created token we will use the parseToken() method. The method accepts the created encrypted token and first extracts IV to decrypt the openssl value.

This method can serve to resend the token to the mail.

public function parseToken(string $token): string
    try {
        [$value, $iv] = explode('::', base64_decode($token));

        return openssl_decrypt($value, 'aes-256-cbc', $this->hashKey, OPENSSL_RAW_DATA, $iv);
    } catch (\Exception $exception) {
        return '';


Laravel provides powerful encryption tools, providing a high level of security for your data. Encryption tools are specific and not always suitable for all projects. A small tweak helps to embrace more features that make the development of secure web applications more affordable and convenient, protecting the confidentiality of information and ensuring reliability.

Similar Articles