Laravel Ciphersweet Laravel Package

spatie/laravel-ciphersweet

Laravel wrapper for Paragonie CipherSweet that adds searchable field-level encryption to Eloquent models. Encrypt/decrypt sensitive attributes and generate blind indexes so you can query encrypted data securely without exposing readable values in your database.

Product Decisions This Supports

  • Compliance & Security Roadmap: Enables GDPR, CCPA, or HIPAA compliance by encrypting sensitive PII (Personally Identifiable Information) at rest, reducing exposure risks in data breaches.
  • Build vs. Buy: Avoids reinventing encryption infrastructure; leverages battle-tested CipherSweet (used by companies like GitHub) via a Laravel-friendly wrapper.
  • Use Cases:
    • Healthcare: Encrypt patient records (e.g., SSNs, medical histories) while allowing authorized queries (e.g., "find patients with diabetes").
    • Finance: Secure customer data (e.g., credit card numbers, tax IDs) with searchable encryption for fraud detection.
    • Regulated Industries: Audit-ready encryption for legal/financial data where plaintext storage is prohibited.
  • Performance Optimization: Field-level encryption reduces database bloat by avoiding full-table encryption, improving query speeds for non-sensitive data.
  • Future-Proofing: Supports deterministic encryption (for exact matches) and probabilistic encryption (for fuzzy searches), enabling advanced features like:
    • Search-as-you-type for encrypted fields (e.g., autocomplete for encrypted names).
    • Range queries (e.g., "ages 18–25") without decrypting all records.

When to Consider This Package

Adopt if:

  • Your Laravel app stores sensitive PII (e.g., SSNs, health records, payment details) and requires compliance with privacy laws.
  • You need searchable encryption (e.g., filtering encrypted data without decrypting everything).
  • Your team lacks cryptography expertise; prefer a maintained, audited library over custom solutions.
  • You’re using PostgreSQL (primary DB support; MySQL support is limited to basic encryption).

Look elsewhere if:

  • You only need basic encryption (e.g., for non-searchable fields) → Use Laravel’s built-in encrypt().
  • Your app is low-risk (e.g., public blogs) or stores no sensitive data.
  • You require client-side encryption (e.g., for end-to-end encryption) → Consider libraries like Tink or SQLite Encryption.
  • Your team needs multi-cloud key management → Evaluate AWS KMS or HashiCorp Vault integrations.
  • You’re using SQLite (limited support; prioritize PostgreSQL/MySQL).

How to Pitch It (Stakeholders)

For Executives: "This package lets us encrypt sensitive customer data—like medical records or payment info—so even if our database is breached, hackers can’t read it. It’s like a digital vault for our most critical data, but with a clever twist: we can still search and filter it without exposing everything. Used by companies like GitHub, it’s a proven way to meet GDPR/CCPA requirements while keeping our systems fast. The cost? Minimal—just a few hours to integrate, with long-term savings from avoiding fines or reputational damage."

For Engineers: "Spatie’s Laravel-CipherSweet wraps CipherSweet, a high-performance library for searchable field-level encryption. Key benefits:

  • No full-table encryption: Only encrypt sensitive columns (e.g., ssn, credit_card), leaving the rest unencrypted for performance.
  • Query flexibility: Supports exact matches (deterministic) and fuzzy searches (probabilistic) on encrypted data.
  • PostgreSQL-optimized: Uses pgcrypto for efficiency; MySQL support is basic.
  • Easy to adopt: Laravel service provider + Eloquent traits—just add use CipherSweet to your models.

Tradeoff: Slightly higher query complexity for encrypted searches (but negligible for most use cases). Ideal if you’re storing PII and need compliance without sacrificing functionality."

For Compliance/Privacy Teams: "This solves two critical gaps:

  1. Encryption at rest: Sensitive data is unreadable without our decryption keys.
  2. Searchability: We can still enforce access controls (e.g., ‘only show records for authorized users’) without decrypting everything.

Example: A doctor’s app can search for ‘patient with diabetes’ without exposing all patient records. Audit logs track who accesses encrypted data, meeting HIPAA/GDPR requirements."