Hunter Krajcik

Symfony Secrets Vault Explained in Less Than 5 Minutes

Learn how Symfony’s vault works for your sensitive production information while your coffee is cooling down

A bit of context

Keeping sensitive information in a secure place has always been a bit tricky. Where do you store your production database password? Where do you store all the credentials your application needs to work? In my everyday job, I often have to set up CI (continuous integration) and CD (continuous delivery) pipelines with a multitude of tools, for example Gitlab CI, Bitbucket CI or Github Actions. And dealing with sensitive information is always a challenge.

Indeed, you won’t store sensitive production information directly in your source code. It is a security hole, it is far too risky, and it simply doesn’t work if you’re working on an open-source project.

Talking about open source, let’s remember that security should never rely on a black box: all common security algorithms, SHA and the like, are open source. Anybody can know exactly how they work, and that doesn’t mean they aren’t secure. In fact, they are more secure for it, because security researchers and curious people can spot weaknesses and fix them.

Keys of Symfony vault

Since Symfony 4.4 (released November 2019), secrets management has been implemented directly in the framework. This powerful solution provides an integrated component to keep your sensitive information secret.

Note: we’re talking about information like database passwords, API keys, etc. We’re not talking about encrypted database columns, for which you must use other tools specialized for that purpose, like this one.

Here is how it works. For each environment (dev, prod, etc.), you’ll generate 2 keys in config/secrets/{env}:

  • One encryption key: to add new encrypted variables to your application;
  • One decryption key: to retrieve these variables from the vault.
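To make the two-key split concrete, here is an added example (not Symfony’s own code) that re-implements the idea behind the sodium-based vault in a few lines. It assumes the ext-sodium PHP extension and uses a temporary directory in place of config/secrets/{env}; the class and file names are illustrative.

```php
<?php
// Added example: a minimal re-implementation of the vault idea, not Symfony's code.
// Assumes ext-sodium; writes to a temp dir instead of config/secrets/{env}.
declare(strict_types=1);

final class MiniVault
{
    public function __construct(private string $dir) {}

    // The decryption key is a full keypair: keep it out of git, only on the server.
    // The encryption key is the public half: safe to commit so anyone can add secrets.
    public function generateKeys(string $env): void
    {
        $keypair = sodium_crypto_box_keypair();
        file_put_contents("$this->dir/$env.decrypt.private", $keypair);
        file_put_contents("$this->dir/$env.encrypt.public", sodium_crypto_box_publickey($keypair));
        sodium_memzero($keypair);
    }

    // Adding a secret only needs the public encryption key (sealed box).
    public function seal(string $env, string $name, string $value): void
    {
        $pub = file_get_contents("$this->dir/$env.encrypt.public");
        file_put_contents("$this->dir/$env.$name.sealed", sodium_crypto_box_seal($value, $pub));
    }

    // Reading it back needs the private decryption key; null if it is absent or the box is tampered.
    public function open(string $env, string $name): ?string
    {
        $keyFile = "$this->dir/$env.decrypt.private";
        if (!is_file($keyFile)) {
            return null;
        }
        $sealed = file_get_contents("$this->dir/$env.$name.sealed");
        $plain = sodium_crypto_box_seal_open($sealed, file_get_contents($keyFile));
        return $plain === false ? null : $plain;
    }
}

$dir = sys_get_temp_dir() . '/minivault' . bin2hex(random_bytes(4));
mkdir($dir);
$vault = new MiniVault($dir);
$vault->generateKeys('prod');
$vault->seal('prod', 'DATABASE_PASSWORD', 's3cr3t');   // a CI job can do this with the public key only
echo $vault->open('prod', 'DATABASE_PASSWORD') === 's3cr3t' ? "decrypted with private key\n" : "FAIL\n";
unlink("$dir/prod.decrypt.private");                   // simulate a machine that only holds the public key
echo $vault->open('prod', 'DATABASE_PASSWORD') === null ? "cannot decrypt without private key\n" : "FAIL\n";
```

The point to take away is the asymmetry: the file you commit (the encryption key) lets developers and CI add secrets, but only the machine holding the decryption key can read them back.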

#devops #security #php #secrets
