Laravel Model Encryption Laravel Package

Product Decisions This Supports

• Compliance & Security Roadmap: Enables encryption-at-rest for sensitive fields (e.g., PII, financial data, health records) without manual implementation, aligning with GDPR, HIPAA, or PCI-DSS requirements.
• Build vs. Buy: Avoids reinventing encryption logic (e.g., custom getAttribute/setAttribute overrides) while maintaining flexibility for future security updates.
• Use Cases:
  • Sensitive Data Protection: Automatically encrypts fields like password, ssn, credit_card, or medical_history in Eloquent models.
  • Multi-Tenant SaaS: Isolates tenant data encryption keys per environment (e.g., config/encrypt.php supports per-field key configurations).
  • Legacy System Migration: Secures existing Laravel apps with minimal refactoring by adding the trait to models.
  • Audit-Ready Encryption: Logs encryption events (via Laravel’s query logging) for compliance tracking.

When to Consider This Package

• Adopt When:

  • Your Laravel app stores regulated or high-value sensitive data requiring encryption-at-rest.
  • You need consistent encryption across multiple models without duplicating logic.
  • Your team lacks dedicated cryptography expertise but requires production-grade encryption.
  • You’re using Laravel 5.5+ (Eloquent trait compatibility) and need a low-maintenance solution.
  • Your security budget prioritizes developer velocity over custom-built solutions.

• Look Elsewhere If:

  • You need field-level granularity (e.g., encrypt only parts of a string) beyond the package’s ENCRYPT_* naming convention.
  • Your encryption requirements involve hardware security modules (HSMs) or client-side encryption.
  • You’re using non-Eloquent data layers (e.g., raw SQL queries, non-Laravel ORMs).
  • Your compliance needs demand audit trails for every encryption key rotation (this package lacks built-in key management).
  • You require performance optimization for high-throughput systems (encryption adds ~10–50ms per field; benchmark before adoption).

How to Pitch It (Stakeholders)

For Executives:

"This package lets us encrypt sensitive customer data automatically—without hiring a cryptographer or rewriting our models. It’s like adding a ‘security firewall’ to our database with a single line of code per model. For example, we could encrypt credit card numbers or medical records in our patient portal with zero manual effort, reducing compliance risk while keeping development costs low. The trade-off is minimal performance overhead (handled by Laravel’s caching), and it’s already battle-tested in production."

Key Ask: "Should we allocate 2 dev-days to integrate this for our highest-risk data fields?"

For Engineering:

*"This solves our recurring problem of manually encrypting PII in Eloquent models. Here’s how it works:

• Install: composer require magros/laravel-model-encryption + publish config.
• Usage: Add use \Magros\Encryptable\Encryptable; to any model, then prefix fields to encrypt (e.g., ENCRYPT_ssn). The trait handles the rest.
• Pros:
  • No ORM changes: Works with existing migrations, queries, and relationships.
  • Configurable: Set encryption keys per field/environment in config/encrypt.php.
  • Open-source: Apache 2.0 license; we can fork if needed.
• Cons:
  • No built-in key rotation: We’d need to add a cron job or use Laravel Forge/Envoyer for key management.
  • Limited to Eloquent: Won’t help with raw SQL or non-Laravel layers.

Recommendation: Pilot this on our User model’s ssn and credit_card fields. If it meets our performance and compliance needs, we can roll it out to other sensitive models."*

Key Ask: "Can we test this in staging with our users table’s PII fields by [date]?"