@@ -719,3 +719,89 @@ Clear all caches everywhere:
719719.. code-block :: terminal
720720
721721 $ php bin/console cache:pool:clear cache.global_clearer
722+
723+
724+ --------------------
725+
726+ .. versionadded :: 5.1
727+
728+ The :class: `Symfony\\ Component\\ Cache\\ Marshaller\\ SodiumMarshaller `
729+ class was introduced in Symfony 5.1.
730+
731+ To encrypt the cache using ``libsodium ``, you can use the
732+ :class: `Symfony\\ Component\\ Cache\\ Marshaller\\ SodiumMarshaller `.
733+
734+ First, you need to generate a secure key and add it to your :doc: `secret
735+ store </configuration/secrets>` as ``CACHE_DECRYPTION_KEY ``:
736+
737+ .. code-block :: terminal
738+
739+ $ php -r 'echo base64_encode(sodium_crypto_box_keypair());'
740+
741+ SodiumMarshaller `` service using this key:
742+
743+ .. configuration-block ::
744+
745+ .. code-block :: yaml
746+
747+ # config/packages/cache.yaml
748+
749+ # ...
750+ services :
751+ Symfony\Component\Cache\Marshaller\SodiumMarshaller :
752+ decorates : cache.default_marshaller
753+ arguments :
754+ - ['%env(base64:CACHE_DECRYPTION_KEY)%']
755+ # use multiple keys in order to rotate them
756+ # - ['%env(base64:CACHE_DECRYPTION_KEY)%', '%env(base64:OLD_CACHE_DECRYPTION_KEY)%']
757+ - ' @Symfony\Component\Cache\Marshaller\SodiumMarshaller.inner'
758+
759+ code-block :: xml
760+
761+ <!-- config/packages/cache.xml -->
762+ <?xml version =" 1.0" encoding =" UTF-8"
763+ <container xmlns =" http://symfony.com/schema/dic/services"
764+ xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
765+ xmlns : framework =" http://symfony.com/schema/dic/symfony"
766+ xsi : schemaLocation =" http://symfony.com/schema/dic/services
767+ https://symfony.com/schema/dic/services/services-1.0.xsd
768+ http://symfony.com/schema/dic/symfony
769+ https://symfony.com/schema/dic/symfony/symfony-1.0.xsd" >
770+
771+ <!-- ... -->
772+
773+ <services >
774+ <service id =" Symfony\Component\Cache\Marshaller\SodiumMarshaller" decorates =" cache.default_marshaller"
775+ <argument type =" collection"
776+ <argument >env(base64:CACHE_DECRYPTION_KEY)</argument >
777+ <!-- use multiple keys in order to rotate them -->
778+ <!-- <argument>env(base64:OLD_CACHE_DECRYPTION_KEY)</argument> -->
779+ </argument >
780+ <argument type =" service" id =" Symfony\Component\Cache\Marshaller\SodiumMarshaller.inner"
781+ </service >
782+ </services >
783+ </container >
784+
785+ code-block :: php
786+
787+ // config/packages/cache.php
788+ use Symfony\Component\Cache\Marshaller\SodiumMarshaller;
789+ use Symfony\Component\DependencyInjection\ChildDefinition;
790+ use Symfony\Component\DependencyInjection\Reference;
791+
792+ // ...
793+ $container->setDefinition(SodiumMarshaller::class, new ChildDefinition('cache.default_marshaller'))
794+ ->addArgument(['env(base64:CACHE_DECRYPTION_KEY)'])
795+ // use multiple keys in order to rotate them
796+ //->addArgument(['env(base64:CACHE_DECRYPTION_KEY)', 'env(base64:OLD_CACHE_DECRYPTION_KEY)'])
797+ ->addArgument(new Reference(SodiumMarshaller::class.'.inner'));
798+
799+ caution ::
800+
801+ This will encrypt the values of the cache items, but not the cache keys. Be
802+ careful not the leak sensitive data in the keys.
803+
804+ When configuring multiple keys, the first key will be used for reading and
805+ writing, and the additional key(s) will only be used for reading. Once all
806+ cache items encrypted with the old key have expired, you can remove
807+ ``OLD_CACHE_DECRYPTION_KEY `` completely.
0 commit comments