New in Symfony 4.4: Encrypted Secrets Management
Storing sensitive application information (passwords, tokens, certificates, etc.) is a challenging task. You cannot rely on traditional configuration files and you cannot rely either on environment variables. That's why in Symfony 4.4 we've added a new encryption-based feature to manage secrets.
Imagine that you want to keep the entire
DATABASE_URL content secret to
avoid leaking the database connection credentials. This is how you can do that:
$ php bin/console secrets:generate-keys
This command generates a pair of keys in
config/secrets/prod/). The public key is used to encrypt secrets and you
should commit it to your shared repository. The private key should not be
committed to the repository and should not be shared in any way.
Step 2. Upload the private key to your remote server using SSH or any other
safe means and store it in the same
Step 3. Create a new secret to store the contents of
1 2 3 4 5 6
$ php bin/console secrets:set DATABASE_URL Please type the secret value: > ************** [OK] Secret "DATABASE_URL" encrypted in "config/secrets/dev/"; you can commit it.
Each secret is stored in its own file inside the
directory. You can commit these files to the repository because their contents
are not accessible unless you also have the private key.
That's all. Use this new secret as any other normal env var in your configuration files and Symfony will decrypt the value transparently when needed:
1 2 3 4 5
# config/packages/doctrine.yaml doctrine: dbal: url: "%env(DATABASE_URL)%" # ...
Repeat the step 3 for all the configuration values that you want to turn into
secrets. Use the other commands to complete the whole secret management
secrets:remove to delete secrets,
secrets:list to show all
the secrets managed by the application,
generate-keys --rotate to change the
existing keys by new ones and re-encrypt all secrets automatically, etc.
New in Symfony 4.4: Encrypted Secrets Management symfony.com/blog/new-in-symfony-4-4-encrypted-secrets-managementTweet this