Security Vulnerabilities

[paragonie-security]

Insecure Key Management

This is not a secure way to derive a secret. You're hashing data using SHA256, hex-encoded, then only extracting 16 hex characters.

laravel-database-encryption/src/Providers/DBEncryptionServiceProvider.php

Line 84 in 8856e2e

$salt = substr(hash('sha256', config('laravelDatabaseEncryption.encrypt_key')), 0, 16);

laravel-database-encryption/src/Providers/DBEncryptionServiceProvider.php

Line 60 in 8856e2e

$salt = substr(hash('sha256', config('laravelDatabaseEncryption.encrypt_key')), 0, 16);

This gives you an output that is the square root of the security you expect.

This is also called a "salt" but it's actually an AES key, as we'll see in the next section.

Insecure Encryption

AES_ENCRYPT() encrypts data using ECB mode, and also exposes your key (called a "salt" per the previous section) to anyone capable of running SHOW PROCESSLIST on the server.

laravel-database-encryption/src/Providers/DBEncryptionServiceProvider.php

Line 67 in 8856e2e

$data = DB::table($parameters[0])->whereRaw("CONVERT(AES_DECRYPT(FROM_BASE64(`{$parameters[1]}`), '{$salt}') USING utf8mb4) = '{$value}' ");

laravel-database-encryption/src/Providers/DBEncryptionServiceProvider.php

Line 94 in 8856e2e

$data = DB::table($parameters[0])->whereRaw("CONVERT(AES_DECRYPT(FROM_BASE64(`{$parameters[1]}`), '{$salt}') USING utf8mb4) = '{$value}' ");

Recommendations

Fixing these vulnerabilities would require rearchitecting this library from the ground up with secure data encryption practices in mind. If you managed to make it secure, it would not be compatible with the current implementation. Therefore, you would be better off starting over from scratch.

We have an open source library that provides secure searchable field-level encryption that may be a better starting point than AES_ENCRYPT().