In Laravel, how would one encrypt the email address of users? Like, it should only be decryptable by the user's credentials, e.g. password etc. (which only they know). But then the question arises: how would the app then send important emails to that user?
If your DB is on the same server as your application, encrypting the EMAIL also has mostly zero benefit, as you would store the encryption codes on the same server as well.
What are in your case "important emails"? For login and password reset you only require a HASH, no encryption; storing hashes is the best for the end user. As in case of a matching hash you can get the email from the request and send an email then.
You only require the email for notifications, which you may want in your app; make it possible that loginEmail != notificationEmail for a user, and so only store that as clear text.
Still want to encrypt something? Have a look at: laraveldaily.com/post/laravel-encrypt-models-data-with-casts
They said "it should only be decryptable by the user's credentials e.g. password etc. (which only they know)".
Is there any package around, in your knowledge, which provides a solution for this requirement?
Why do you need a package?
Just get the key from the user and tell them to keep it with them and only with them (in professional language, yeah).
You just need to do
use Illuminate\Encryption\Encrypter;
// Yeah, you need to do some tweaks with the key before passing it to the Encrypter: AES-256-CBC needs exactly 32 bytes,
// so stretch the user's secret with a per-user random $salt (stored beside the record) instead of using it raw.
$key = hash_pbkdf2('sha256', $keyFromUser, $salt, 100000, 32, true);
$encrypter = new Encrypter($key, 'AES-256-CBC');
Then "async" notifications are not a thing. Which leads back to my original question: what are, in that case, "important emails"?
Not password resets, obviously. No longer possible because the user forgot their password and now the email can't be decrypted. I'm not sure what problem the original question is trying to solve but it introduces so many new problems it doesn't sound like it would be worth any effort spent on this. I would love to know more about the problem vs the proposed solution of encrypting the user email.
If you don't ever need to send emails then you could just hash the email, just like you do with the passwords. If you want to still email these users you could put the hashmap on another server, but there is still nothing secure about this. Just more complex.
What is the goal here?
You don't need to decrypt the email for password reset if you just hash the email with a known application secret. This way you don't need to save the plain email address, or even a decryptable email address; you just need to find the matching user by an emailHash.
Pseudo code:
$submittedResetEmail = $request->query('email');
// Keyed hash (HMAC) of the normalised address with the app secret, instead of SHA1(email . secret);
// the secret lives in config, never in the database
$hashEmail = hash_hmac('sha256', strtolower(trim($submittedResetEmail)), $appSecretSalt);
$user = DB::table('users')->where('emailHash', $hashEmail)->first();
if ($user) { // hash matched: send the reset email to the address the user just submitted
    sendEmail($submittedResetEmail);
}
// Respond the same way whether or not a match was found, so the endpoint does not reveal which emails exist
This way you can create login, password resets without knowing any personal information about your users.
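Added example, not written by anyone in this thread: plain PHP with libsodium putting the two ideas above side by side, a keyed lookup hash for login/reset (no decryption needed) and an email ciphertext that only the user's password can open. APP_EMAIL_HASH_KEY, the column names and the demo values are assumptions.

```php
<?php
// Added example (not from this thread): a keyed lookup hash for login/reset next to
// an email ciphertext that only the user's password can open. Plain PHP + libsodium.

// Placeholder app secret; in Laravel this comes from config/.env, never from the users table.
const APP_EMAIL_HASH_KEY = 'replace-with-a-random-secret-from-config';

function emailLookupHash(string $email): string {
    // Normalise so "Alice@Example.com " and "alice@example.com" map to the same row.
    return hash_hmac('sha256', strtolower(trim($email)), APP_EMAIL_HASH_KEY);
}

function deriveUserKey(string $password, string $salt): string {
    // Argon2id via libsodium; the salt is random per user and stored beside the ciphertext.
    return sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE);
}

// Returns the columns to persist for the user (column names are assumptions).
function sealEmail(string $email, string $password): array {
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = deriveUserKey($password, $salt);
    $enc   = sodium_crypto_secretbox($email, $nonce, $key);
    sodium_memzero($key);
    return ['email_hash'  => emailLookupHash($email),
            'email_salt'  => base64_encode($salt),
            'email_nonce' => base64_encode($nonce),
            'email_enc'   => base64_encode($enc)];
}

// Returns the plaintext, or null when the password is wrong: the "forgot password" dead end.
function openEmail(array $row, string $password): ?string {
    $key   = deriveUserKey($password, base64_decode($row['email_salt']));
    $plain = sodium_crypto_secretbox_open(base64_decode($row['email_enc']),
                                         base64_decode($row['email_nonce']), $key);
    sodium_memzero($key);
    return $plain === false ? null : $plain;
}

// Constructed demo values.
$row = sealEmail('Alice@Example.com', 'correct horse battery staple');
assert($row['email_hash'] === emailLookupHash(' alice@example.com'));  // reset flow: match without decrypting
assert(openEmail($row, 'correct horse battery staple') === 'Alice@Example.com');
assert(openEmail($row, 'wrong password') === null);                      // forgotten password => email unrecoverable
echo "ok\n";
```

Run it with `php -d zend.assertions=1 demo.php` so the assert() lines are evaluated; the last assertion is the failure mode the thread keeps coming back to.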
Okay there are a few considerations here. If you want to encrypt stuff in your database, you can use Laravel's encryption helpers to encrypt/decrypt Eloquent fields automatically.
BUT: You need to consider the actual security issue you are trying to prevent. Are you trying to protect the database in case of a leak? Because whatever method you use, if your app can decrypt something, that's because the server has access to the secret. And if your database is compromised, then so will that secret be.
This assumes you have the database on the same server as the app, of course. If you use a remote database then encryption at rest may be useful. But in either case, you need to first think about which problem you are trying to solve.