[#14658] Minor tweaks to cache encryption section · symfony/symfony-docs@54fdf7a · GitHub

Commit 54fdf7a

[#14658] Minor tweaks to cache encryption section
1 parent 078cf6a commit 54fdf7a

1 file changed

+24
-21
lines changed

cache.rst

Lines changed: 24 additions & 21 deletions
@@ -720,31 +720,28 @@ Encrypting the Cache
720720

721721
.. versionadded:: 5.1
722722

723-
:class:`Symfony\\Component\\Cache\\Marshaller\\SodiumMarshaller` has been
724-
introduced in Symfony 5.1.
723+
The :class:`Symfony\\Component\\Cache\\Marshaller\\SodiumMarshaller`
724+
class was introduced in Symfony 5.1.
725725

726726
To encrypt the cache using ``libsodium``, you can use the
727727
:class:`Symfony\\Component\\Cache\\Marshaller\\SodiumMarshaller`.
728728

729-
.. note::
730-
731-
This will encrypt the values of the cache items, but not the cache keys. Be
732-
careful not the leak sensitive data in the keys.
733-
734-
Generate a key:
729+
First, you need to generate a secure key and add it to your :doc:`secret
730+
store </configuration/secrets>` as ``CACHE_DECRYPTION_KEY``:
735731

736732
.. code-block:: terminal
737733
738734
$ php -r 'echo base64_encode(sodium_crypto_box_keypair());'
739735
740-
And add it to your :doc:`secret store </configuration/secrets>` as
741-
``CACHE_DECRYPTION_KEY`` and enable the ``SodiumMarshaller``:
736+
Then, register the ``SodiumMarshaller`` service using this key:
742737

743738
.. configuration-block::
744739

745740
.. code-block:: yaml
746741
747742
# config/packages/cache.yaml
743+
744+
# ...
748745
services:
749746
Symfony\Component\Cache\Marshaller\SodiumMarshaller:
750747
decorates: cache.default_marshaller
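Review bot: Moving the note at old lines 729-732 out of this position means the reader is told to generate a key and register the marshaller before learning that only cache values are encrypted and cache keys stay in plaintext; consider placing the caution directly after the opening paragraph, or leaving a one-line pointer to it here. The new sentence at 729-730 also says "a secure key" while the command below it prints the output of `sodium_crypto_box_keypair()`, so "key pair" would be more accurate, and it would help to state that the stored value is base64-encoded, since that is what the command emits.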
@@ -766,13 +763,14 @@ And add it to your :doc:`secret store </configuration/secrets>` as
766763
http://symfony.com/schema/dic/symfony
767764
https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
768765
766+
<!-- ... -->
767+
769768
<services>
770769
<service id="Symfony\Component\Cache\Marshaller\SodiumMarshaller" decorates="cache.default_marshaller">
771-
<argument>redis://localhost</argument>
772770
<argument type="collection">
773771
<argument>env(base64:CACHE_DECRYPTION_KEY)</argument>
774772
<!-- use multiple keys in order to rotate them -->
775-
<!-- argument>env(base64:OLD_CACHE_DECRYPTION_KEY)</argument -->
773+
<!-- <argument>env(base64:OLD_CACHE_DECRYPTION_KEY)</argument> -->
776774
</argument>
777775
<argument type="service" id="Symfony\Component\Cache\Marshaller\SodiumMarshaller.inner"/>
778776
</service>
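Review bot: The rotation comment at new lines 772-773 does not say that order matters, yet the prose later in this patch states that the first key is used for reading and writing and additional keys only for reading; suggest wording the comment along the lines of "put the new key first; keys listed after it are only used for reading" so that a reader who uncomments the line does not keep writing with the old key. Dropping `<argument>redis://localhost</argument>` at old line 771 changes the service's arguments and deserves a mention in the commit message.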
@@ -783,17 +781,22 @@ And add it to your :doc:`secret store </configuration/secrets>` as
783781
784782
// config/packages/cache.php
785783
use Symfony\Component\Cache\Marshaller\SodiumMarshaller;
784+
use Symfony\Component\DependencyInjection\ChildDefinition;
785+
use Symfony\Component\DependencyInjection\Reference;
786786
787-
$container->register(SodiumMarshaller::class)
788-
->decorate('cache.default_marshaller')
787+
// ...
788+
$container->setDefinition(SodiumMarshaller::class, new ChildDefinition('cache.default_marshaller'))
789789
->addArgument(['env(base64:CACHE_DECRYPTION_KEY)'])
790790
// use multiple keys in order to rotate them
791-
// ->addArgument(['env(base64:CACHE_DECRYPTION_KEY)', 'env(base64:OLD_CACHE_DECRYPTION_KEY)'])
792-
->addArgument(service('@Symfony\Component\Cache\Marshaller\SodiumMarshaller.inner'));
791+
//->addArgument(['env(base64:CACHE_DECRYPTION_KEY)', 'env(base64:OLD_CACHE_DECRYPTION_KEY)'])
792+
->addArgument(new Reference(SodiumMarshaller::class.'.inner'));
793793
794-
To rotate your encryption keys but still be able to read existing cache entries,
795-
add the old encryption key to the service arguments. The first key will be used
796-
for reading and writing, and the additional key(s) will only be used for reading.
794+
.. caution::
795+
796+
This will encrypt the values of the cache items, but not the cache keys. Be
797+
careful not the leak sensitive data in the keys.
797798

798-
Once all cache items encrypted with the old key have expired, you can remove
799-
`OLD_CACHE_DECRYPTION_KEY` completely.
799+
When configuring multiple keys, the first key will be used for reading and
800+
writing, and the additional key(s) will only be used for reading. Once all
801+
cache items encrypted with the old key have expired, you can remove
802+
``OLD_CACHE_DECRYPTION_KEY`` completely.
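Review bot: At new line 788 the PHP example stops decorating: `new ChildDefinition('cache.default_marshaller')` creates a definition that inherits from that service instead of decorating it, so this block no longer matches the `decorates:` used in the YAML and XML examples, and the `SodiumMarshaller::class.'.inner'` reference at line 792 points at an id that only exists under decoration. Suggest a plain definition with `->setDecoratedService('cache.default_marshaller')`. The caution moved to lines 796-797 still carries the typo "careful not the leak" (should be "not to leak"), and the rewritten rotation paragraph at 799-802 drops the instruction to add the old key to the service arguments, which the reader now has to infer from the code comments.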

0 commit comments
