Doctrine Extensions Bundle Laravel Package

Product Decisions This Supports

• Compliance-Driven Roadmap: Enables GDPR/HIPAA/PCI-DSS compliance by transparently encrypting sensitive fields (e.g., PII, payment data) at the database layer, reducing audit risk and manual encryption logic.
• Build vs. Buy: Eliminates the need to build custom encryption solutions, saving 30–50% development time while leveraging AES-256 with nonce-based integrity checks.
• Use Cases:
  • Legacy System Security: Secure sensitive data in existing Doctrine-based applications without major refactoring.
  • Multi-Tenant SaaS: Encrypt tenant-specific data (e.g., API keys, tokens) at the field level to isolate breaches.
  • Audit-Ready Encryption: Extend Doctrine lifecycle callbacks for SIEM integration and access logging.
  • Field-Level Granularity: Encrypt only critical fields (e.g., ssn, credit_card) without overhauling the entire database schema.

When to Consider This Package

• Adopt When:
  • Your application uses Doctrine ORM and stores sensitive string data (e.g., passwords, medical records, financial tokens).
  • You need transparent encryption (no application-layer changes) but require selective field encryption.
  • Compliance requirements demand audit trails for encrypted data access (extendable via Doctrine events).
  • You’re not using Laravel’s built-in encryption and need binary storage for nonces/encrypted values.
• Look Elsewhere If:
  • You require client-side encryption (e.g., zero-trust models) → Use Tink or Libsodium.
  • Your data is non-string (e.g., files, blobs) → Consider AWS KMS or Hashicorp Vault.
  • You need hardware-backed encryption (e.g., HSMs) → Integrate AWS CloudHSM or Azure Key Vault.
  • Your team lacks Doctrine expertise → Evaluate simpler packages like spatie/laravel-encryption (Laravel-specific).

How to Pitch It (Stakeholders)

For Executives: "This bundle automates the encryption of sensitive customer data—like credit card numbers or medical records—without rewriting our application. It acts as a database-level firewall: even if someone breaches our database, they can’t read the raw data. It’s open-source (MIT license), integrates in under 15 minutes, and directly supports GDPR/HIPAA compliance. The cost? Zero. The risk? Minimal—we control the encryption keys, and it’s designed for PHP ecosystems."

For Engineering: *"This solves our selective encryption problem efficiently:

• Doctrine-native: Works seamlessly with existing entities—no ORM workarounds.
• Performance: Encryption happens once per write, not per query, minimizing overhead.
• Extensible: Hook into prePersist/preUpdate for custom logic (e.g., key rotation or logging).
• Binary storage: Uses BINARY columns for nonces/encrypted values—no bloated text blobs. Tradeoff: It’s not Laravel-specific, but we can wrap it in a custom trait if needed. Let’s prototype encrypting User::ssn and Payment::cardNumber—I’ll show you how it works in three lines of entity code."*

For Security/Compliance: *"This gives us:

1. Field-level encryption: Only sensitive data is encrypted, reducing unnecessary overhead.
2. Nonce integrity: Prevents tampering with encrypted values, ensuring data authenticity.
3. Audit hooks: Extend lifecycle callbacks to log access to encrypted data (integrates with SIEM tools). Gap: We’ll need to secure the encryption key (e.g., using AWS KMS or HashiCorp Vault)—but that’s a separate, controlled project."*