[8.x] Improve APP_KEY documentation #5655

Closed
wants to merge 1 commit into from

CrimsonGlory

I'm reopening the discussion of a previous pull request from @sdwolfz where the user suggested changing "32 characters" to "42 characters", after trying to generate the string without artisan and finding out the app would not start. The number is actually 32, but bytes, not characters. Per the strlen() documentation:
"strlen() returns the number of bytes rather than the number of characters in a string."

A few points:

  • A byte may be interpreted as a character or may not. In this case, because this is used for cryptography, the word "character" does not apply.
  • Bytes in text have to be encoded. In this case Laravel uses base64.
  • Given that if the decoded length is incorrect, the app would not work (according to the linked PR), I changed the word "should" for the word "must".

I have changed the documentation so that these points are clear.

Btw, the length of each comment line might look familiar ;)

$ echo -n "This key is used by the Illuminate encrypter service and must be set to" | wc -m
71
$ echo -n "a random 32 bytes base64 encoded string, otherwise encrypted strings" | wc -m
68
$ echo -n "will not be safe. Please do this before deploying an application!" | wc -m
65

@GrahamCampbell changed the title from "Improve APP_KEY documentation" to "[8.x] Improve APP_KEY documentation" on Aug 1, 2021
@GrahamCampbell
Member

This description is still wrong. You don’t have to set it to a base64 encoded key. You can just type in 32 characters.

@CrimsonGlory
Author

OK. I just took a look at the source code to see what the app actually does, because this seems to be causing some confusion.

        $key = $this->app['config']['app.key'];

        if (Str::startsWith($key, 'base64:')) {
            $key = base64_decode(substr($key, 7));
        }

The app accepts a securely random generated 32 bytes base64 encoded string prepended with "base64:" like this APP_KEY=base64:nZt3ifjsspgF1ZHQaOBd4l2P1r+7XGrgPJ/iyVnLXD0=. But it also accepts a not-that-secure random 32 character string like this: APP_KEY=01234567890123456789012345678901. Oddly, the 3-line comment suggests the latter one. Anything else will crash with the message "The only supported ciphers are AES-128-CBC and AES-256-CBC with the correct key lengths". I think everything is clear now.

Btw, it would be a shame if the random 32 character string just happened to start with "base64:" ;)
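
An added example (not code from this pull request or from Laravel) that applies the parsing step quoted above to several APP_KEY values and reports the byte length each one ends up with. It assumes key sizes of 16 bytes for AES-128-CBC and 32 bytes for AES-256-CBC; `inspectAppKey` is a hypothetical helper name and the last three sample values are constructed.

```php
<?php
// Added example, not Laravel's code. Assumption: AES-128-CBC needs a 16-byte key
// and AES-256-CBC a 32-byte key, counted after the optional base64 decoding.
const KEY_BYTES = ['AES-128-CBC' => 16, 'AES-256-CBC' => 32];

// inspectAppKey() is a hypothetical helper name.
function inspectAppKey(string $raw, string $cipher = 'AES-256-CBC'): array
{
    $prefixed = strncmp($raw, 'base64:', 7) === 0;
    // Same step as the quoted snippet: strip the prefix, then base64-decode.
    $key = $prefixed ? (string) base64_decode(substr($raw, 7)) : $raw;
    $bytes = strlen($key); // strlen() counts bytes, not characters
    $notes = [];
    if ($prefixed && strlen($raw) === KEY_BYTES[$cipher]) {
        $notes[] = 'right length as text, but the base64: prefix forces decoding';
    }
    if (!$prefixed && preg_match('/^[\x20-\x7E]*\z/', $raw) === 1) {
        $notes[] = 'printable ASCII only: at most ~6.6 bits of entropy per byte';
    }
    if (!$prefixed && preg_match('/[^\x00-\x7F]/', $raw) === 1) {
        $notes[] = 'multibyte characters: character count differs from byte count';
    }
    return ['bytes' => $bytes, 'accepted' => $bytes === KEY_BYTES[$cipher], 'notes' => $notes];
}

$samples = [
    // The two values quoted in the thread (public, so not usable as real keys).
    'base64:nZt3ifjsspgF1ZHQaOBd4l2P1r+7XGrgPJ/iyVnLXD0=',
    '01234567890123456789012345678901',
    // Constructed samples.
    'base64:' . base64_encode(random_bytes(32)), // 32 bytes from the CSPRNG
    str_repeat('a', 31) . "\u{00E9}",            // 32 characters, 33 bytes in UTF-8
    'base64:' . str_repeat('a', 25),             // 32 characters starting with "base64:"
];

foreach ($samples as $raw) {
    $r = inspectAppKey($raw);
    printf("%-52s bytes=%-2d %s %s\n", $raw, $r['bytes'],
        $r['accepted'] ? 'accepted' : 'REJECTED', implode('; ', $r['notes']));
}
```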
