@@ -720,31 +720,28 @@ Encrypting the Cache
720720
721721.. versionadded :: 5.1
722722
723- :class: `Symfony\\ Component\\ Cache\\ Marshaller\\ SodiumMarshaller ` has been
724- introduced in Symfony 5.1.
723+ The :class: `Symfony\\ Component\\ Cache\\ Marshaller\\ SodiumMarshaller `
724+ class was introduced in Symfony 5.1.
725725
726726To encrypt the cache using ``libsodium ``, you can use the
727727:class: `Symfony\\ Component\\ Cache\\ Marshaller\\ SodiumMarshaller `.
728728
729- .. note ::
730-
731- This will encrypt the values of the cache items, but not the cache keys. Be
732- careful not the leak sensitive data in the keys.
733-
734- Generate a key:
729+ First, you need to generate a secure key and add it to your :doc: `secret
730+ store </configuration/secrets>` as ``CACHE_DECRYPTION_KEY ``:
735731
736732.. code-block :: terminal
737733
738734 $ php -r 'echo base64_encode(sodium_crypto_box_keypair());'
739735
740- And add it to your :doc: `secret store </configuration/secrets >` as
741- ``CACHE_DECRYPTION_KEY `` and enable the ``SodiumMarshaller ``:
736+ Then, register the ``SodiumMarshaller `` service using this key:
742737
743738.. configuration-block ::
744739
745740 .. code-block :: yaml
746741
747742 # config/packages/cache.yaml
743+
744+ # ...
748745 services :
749746 Symfony\Component\Cache\Marshaller\SodiumMarshaller :
750747 decorates : cache.default_marshaller
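Review bot: The new sentence at lines 729-730 tells the reader to generate "a secure key", but the command below it prints the base64 of `sodium_crypto_box_keypair()`, which is a keypair that includes the secret key. Suggest saying "generate a keypair" and stating that the whole base64 string is the value to store as ``CACHE_DECRYPTION_KEY``, so nobody splits it or treats part of it as safe to publish.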
@@ -766,13 +763,14 @@ And add it to your :doc:`secret store </configuration/secrets>` as
766763 http://symfony.com/schema/dic/symfony
767764 https://symfony.com/schema/dic/symfony/symfony-1.0.xsd" >
768765
766+ <!-- ... -->
767+
769768 <services >
770769 <service id =" Symfony\Component\Cache\Marshaller\SodiumMarshaller" decorates =" cache.default_marshaller" >
771- <argument >redis://localhost</argument >
772770 <argument type =" collection" >
773771 <argument >env(base64:CACHE_DECRYPTION_KEY)</argument >
774772 <!-- use multiple keys in order to rotate them -->
775- <!-- argument>env(base64:OLD_CACHE_DECRYPTION_KEY)</argument -->
773+ <!-- < argument>env(base64:OLD_CACHE_DECRYPTION_KEY)</argument> -->
776774 </argument >
777775 <argument type =" service" id =" Symfony\Component\Cache\Marshaller\SodiumMarshaller.inner" />
778776 </service >
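Review bot: The key argument in this block, `<argument>env(base64:CACHE_DECRYPTION_KEY)</argument>`, and the rotation comment rewritten on new line 773 both reference the env var without the surrounding `%` signs, so the container would pass the literal string to the marshaller instead of the decoded key. Since the hunk already edits these arguments, suggest changing both to the `%env(base64:CACHE_DECRYPTION_KEY)%` and `%env(base64:OLD_CACHE_DECRYPTION_KEY)%` form.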
@@ -783,17 +781,22 @@ And add it to your :doc:`secret store </configuration/secrets>` as
783781
784782 // config/packages/cache.php
785783 use Symfony\Component\Cache\Marshaller\SodiumMarshaller;
784+ use Symfony\Component\DependencyInjection\ChildDefinition;
785+ use Symfony\Component\DependencyInjection\Reference;
786786
787- $container->register(SodiumMarshaller::class)
788- ->decorate( 'cache.default_marshaller')
787+ // ...
788+ $container->setDefinition(SodiumMarshaller::class, new ChildDefinition( 'cache.default_marshaller') )
789789 ->addArgument(['env(base64:CACHE_DECRYPTION_KEY)'])
790790 // use multiple keys in order to rotate them
791- // ->addArgument(['env(base64:CACHE_DECRYPTION_KEY)', 'env(base64:OLD_CACHE_DECRYPTION_KEY)'])
792- ->addArgument(service('@Symfony\Component\Cache\Marshaller\ SodiumMarshaller.inner'));
791+ //->addArgument(['env(base64:CACHE_DECRYPTION_KEY)', 'env(base64:OLD_CACHE_DECRYPTION_KEY)'])
792+ ->addArgument(new Reference( SodiumMarshaller::class.' .inner'));
793793
794- To rotate your encryption keys but still be able to read existing cache entries,
795- add the old encryption key to the service arguments. The first key will be used
796- for reading and writing, and the additional key(s) will only be used for reading.
794+ .. caution ::
795+
796+ This will encrypt the values of the cache items, but not the cache keys. Be
797+ careful not the leak sensitive data in the keys.
797798
798- Once all cache items encrypted with the old key have expired, you can remove
799- `OLD_CACHE_DECRYPTION_KEY ` completely.
799+ When configuring multiple keys, the first key will be used for reading and
800+ writing, and the additional key(s) will only be used for reading. Once all
801+ cache items encrypted with the old key have expired, you can remove
802+ ``OLD_CACHE_DECRYPTION_KEY `` completely.
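Review bot: Replacing `register(...)->decorate('cache.default_marshaller')` with `setDefinition(SodiumMarshaller::class, new ChildDefinition('cache.default_marshaller'))` on new line 788 drops the decoration: a `ChildDefinition` inherits from a parent definition and does not decorate it, so the `SodiumMarshaller::class.'.inner'` reference on new line 792 has nothing to resolve to and the PHP example no longer matches the YAML and XML ones. Suggest keeping `->decorate('cache.default_marshaller')` and only swapping the old `service('@...')` call for `new Reference(...)`. Separately, the caution moved to new lines 796-797 still reads "careful not the leak"; it should be "careful not to leak".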