@@ -720,31 +720,28 @@ Encrypting the Cache
720
720
721
721
.. versionadded :: 5.1
722
722
723
- :class: `Symfony\\ Component\\ Cache\\ Marshaller\\ SodiumMarshaller ` has been
724
- introduced in Symfony 5.1.
723
+ The :class: `Symfony\\ Component\\ Cache\\ Marshaller\\ SodiumMarshaller `
724
+ class was introduced in Symfony 5.1.
725
725
726
726
To encrypt the cache using ``libsodium ``, you can use the
727
727
:class: `Symfony\\ Component\\ Cache\\ Marshaller\\ SodiumMarshaller `.
728
728
729
- .. note ::
730
-
731
- This will encrypt the values of the cache items, but not the cache keys. Be
732
- careful not the leak sensitive data in the keys.
733
-
734
- Generate a key:
729
+ First, you need to generate a secure key and add it to your :doc: `secret
730
+ store </configuration/secrets>` as ``CACHE_DECRYPTION_KEY ``:
735
731
736
732
.. code-block :: terminal
737
733
738
734
$ php -r 'echo base64_encode(sodium_crypto_box_keypair());'
739
735
740
- And add it to your :doc: `secret store </configuration/secrets >` as
741
- ``CACHE_DECRYPTION_KEY `` and enable the ``SodiumMarshaller ``:
736
+ Then, register the ``SodiumMarshaller `` service using this key:
742
737
743
738
.. configuration-block ::
744
739
745
740
.. code-block :: yaml
746
741
747
742
# config/packages/cache.yaml
743
+
744
+ # ...
748
745
services :
749
746
Symfony\Component\Cache\Marshaller\SodiumMarshaller :
750
747
decorates : cache.default_marshaller
@@ -766,13 +763,14 @@ And add it to your :doc:`secret store </configuration/secrets>` as
766
763
http://symfony.com/schema/dic/symfony
767
764
https://symfony.com/schema/dic/symfony/symfony-1.0.xsd" >
768
765
766
+ <!-- ... -->
767
+
769
768
<services >
770
769
<service id =" Symfony\Component\Cache\Marshaller\SodiumMarshaller" decorates =" cache.default_marshaller" >
771
- <argument >redis://localhost</argument >
772
770
<argument type =" collection" >
773
771
<argument >env(base64:CACHE_DECRYPTION_KEY)</argument >
774
772
<!-- use multiple keys in order to rotate them -->
775
- <!-- argument>env(base64:OLD_CACHE_DECRYPTION_KEY)</argument -->
773
+ <!-- < argument>env(base64:OLD_CACHE_DECRYPTION_KEY)</argument> -->
776
774
</argument >
777
775
<argument type =" service" id =" Symfony\Component\Cache\Marshaller\SodiumMarshaller.inner" />
778
776
</service >
@@ -783,17 +781,22 @@ And add it to your :doc:`secret store </configuration/secrets>` as
783
781
784
782
// config/packages/cache.php
785
783
use Symfony\Component\Cache\Marshaller\SodiumMarshaller;
784
+ use Symfony\Component\DependencyInjection\ChildDefinition;
785
+ use Symfony\Component\DependencyInjection\Reference;
786
786
787
- $container->register(SodiumMarshaller::class)
788
- ->decorate( 'cache.default_marshaller')
787
+ // ...
788
+ $container->setDefinition(SodiumMarshaller::class, new ChildDefinition( 'cache.default_marshaller') )
789
789
->addArgument(['env(base64:CACHE_DECRYPTION_KEY)'])
790
790
// use multiple keys in order to rotate them
791
- // ->addArgument(['env(base64:CACHE_DECRYPTION_KEY)', 'env(base64:OLD_CACHE_DECRYPTION_KEY)'])
792
- ->addArgument(service('@Symfony\Component\Cache\Marshaller\ SodiumMarshaller.inner'));
791
+ //->addArgument(['env(base64:CACHE_DECRYPTION_KEY)', 'env(base64:OLD_CACHE_DECRYPTION_KEY)'])
792
+ ->addArgument(new Reference( SodiumMarshaller::class.' .inner'));
793
793
794
- To rotate your encryption keys but still be able to read existing cache entries,
795
- add the old encryption key to the service arguments. The first key will be used
796
- for reading and writing, and the additional key(s) will only be used for reading.
794
+ .. caution ::
795
+
796
+ This will encrypt the values of the cache items, but not the cache keys. Be
797
+ careful not the leak sensitive data in the keys.
797
798
798
- Once all cache items encrypted with the old key have expired, you can remove
799
- `OLD_CACHE_DECRYPTION_KEY ` completely.
799
+ When configuring multiple keys, the first key will be used for reading and
800
+ writing, and the additional key(s) will only be used for reading. Once all
801
+ cache items encrypted with the old key have expired, you can remove
802
+ ``OLD_CACHE_DECRYPTION_KEY `` completely.
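Review bot: In the PHP example, `new ChildDefinition('cache.default_marshaller')` makes the new service inherit from the default marshaller instead of decorating it, so nothing creates the `.inner` service that the last `addArgument(new Reference(...))` line refers to. A reader copying this block would likely hit a container error, or end up with a cache that is not routed through the encrypting marshaller, whereas the YAML and XML variants still use `decorates`. Consider `$container->register(SodiumMarshaller::class)` followed by `->setDecoratedService('cache.default_marshaller')`, keeping the new `Reference` argument as it is. The relocated caution block also still reads "careful not the leak", which should be "careful not to leak".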