Laravel APP_KEY vs Password Hashing: What Every Developer Should Know About Encryption & Hashing.


It was 1:45PM on a Sunday afternoon. I was having a discussion about TLS/SSL with my wife, who happens to be a Senior Cybersecurity Consultant at one of the Big Four, when the topic of hashing and encryption crept into the conversation. Most of my thoughts during the conversation revolved around software development, since that is what I do.

I have been developing solutions with the Laravel framework for a while now, but I had little idea of how encryption works in detail. All I knew was that it uses the key generated during installation in the .env file, APP_KEY, for encryption. I also knew about secure password hashing using the Bcrypt driver: Hash::make('password').

However, I never paid detailed attention to the topic of encryption and its difference from hashing, especially in relation to Laravel and security in software systems. Before this whole conversation I had the misconception that the app key is also used in password hashing, a misconception the creator of the Laravel framework, Taylor Otwell, clarified years back on Twitter, now X.

Below is a breakdown of my findings about encryption, hashing and the difference between the two, and also how they are used in the Laravel framework.



Encryption

Encryption is a two-way function: whatever you encrypt can be decrypted again by anyone who holds the key. This is what the APP_KEY environment variable is for in Laravel. It is the key behind the Crypt facade and the encrypt()/decrypt() helpers, and the framework uses it to encrypt cookies (through the EncryptCookies middleware), the session cookie, and any value you choose to encrypt yourself, such as a third-party API token stored in the database. Laravel's default cipher is AES-256-CBC, and every payload carries an HMAC-SHA256 tag computed with the same key, so a cookie that has been tampered with is rejected before it is ever decrypted.
A simple illustration: when a user is authenticated in a Laravel application, the session cookie (and the remember-me cookie) is encrypted with the current APP_KEY. If you generate a new key, the browser's existing cookies can no longer be decrypted, so every user is effectively logged out. Rotate the key only when you intend that, and remember that any data you encrypted with Crypt and stored in the database becomes unreadable too unless you re-encrypt it with the new key (newer Laravel releases let you list old keys in APP_PREVIOUS_KEYS so that existing payloads can still be decrypted during a rotation).
Below is a simple example from the Laravel documentation on encrypting a string (the page showed only the method body; the surrounding controller and imports are restored here):

```php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Crypt;

class DigitalOceanTokenController extends Controller
{
    public function store(Request $request)
    {
        $request->user()->fill([
            'token' => Crypt::encryptString($request->token), // encrypted with APP_KEY
        ])->save();

        return redirect('/secrets');
    }
}
```
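To make the role of APP_KEY concrete, here is an added stand-alone PHP 8 script (not Laravel's own Encrypter class, and not code from the original post) that reproduces the payload layout Laravel's Crypt facade produces: AES-256-CBC with a random IV, an HMAC-SHA256 over the base64 IV and ciphertext, all wrapped in base64-encoded JSON. The helper names (generateAppKey, decodeAppKey, encryptString, decryptString) and the sample session id are assumptions made for this example. It shows that a payload encrypted under one key is rejected under a rotated key, which is exactly why users are logged out after `php artisan key:generate`.

```php
<?php
// Added example: mirrors the format of Laravel's Crypt::encryptString()
// so the effect of APP_KEY (and of rotating it) is visible in plain PHP.
declare(strict_types=1);

// Like `php artisan key:generate`: 32 random bytes for AES-256,
// stored in .env with a "base64:" prefix.
function generateAppKey(): string
{
    return 'base64:' . base64_encode(random_bytes(32));
}

function decodeAppKey(string $appKey): string
{
    if (!str_starts_with($appKey, 'base64:')) {
        throw new InvalidArgumentException('APP_KEY must be base64: prefixed');
    }
    $key = base64_decode(substr($appKey, 7), true);
    if ($key === false || strlen($key) !== 32) {
        throw new InvalidArgumentException('APP_KEY must decode to 32 bytes for AES-256-CBC');
    }
    return $key;
}

// Same layout as Laravel: AES-256-CBC with a fresh IV, then HMAC-SHA256
// over base64(iv) . base64(ciphertext) (encrypt-then-MAC), as base64 JSON.
function encryptString(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $value = openssl_encrypt($plaintext, 'aes-256-cbc', $key, 0, $iv); // option 0 => base64 output
    if ($value === false) {
        throw new RuntimeException('encryption failed');
    }
    $ivB64 = base64_encode($iv);
    $mac = hash_hmac('sha256', $ivB64 . $value, $key);
    $json = json_encode(['iv' => $ivB64, 'value' => $value, 'mac' => $mac, 'tag' => ''], JSON_UNESCAPED_SLASHES);
    return base64_encode($json);
}

// Verify the MAC in constant time *before* touching the ciphertext.
// Returns null for a wrong key or a modified payload.
function decryptString(string $payload, string $key): ?string
{
    $json = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($json) || !isset($json['iv'], $json['value'], $json['mac'])
        || !is_string($json['iv']) || !is_string($json['value']) || !is_string($json['mac'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $json['iv'] . $json['value'], $key);
    if (!hash_equals($expected, $json['mac'])) {
        return null; // wrong APP_KEY, or the cookie was tampered with
    }
    $plain = openssl_decrypt($json['value'], 'aes-256-cbc', $key, 0, base64_decode($json['iv'], true));
    return $plain === false ? null : $plain;
}

// --- demo with constructed values (no real application data) ---
$oldKey = decodeAppKey(generateAppKey());
$newKey = decodeAppKey(generateAppKey()); // simulates `php artisan key:generate`

$cookie = encryptString('session-id-abc123', $oldKey); // constructed sample session id

echo "same key:    ", decryptString($cookie, $oldKey) === 'session-id-abc123' ? "decrypts\n" : "FAILED\n";
// After rotation the browser still sends the old cookie; the MAC no longer
// verifies, Laravel discards it and starts a fresh session: user logged out.
echo "rotated key: ", decryptString($cookie, $newKey) === null ? "rejected\n" : "unexpectedly decrypted\n";

// Flipping one character of the ciphertext is caught by the HMAC, not by AES.
$tampered = json_decode(base64_decode($cookie), true);
$tampered['value'][0] = $tampered['value'][0] === 'A' ? 'B' : 'A';
echo "tampered:    ", decryptString(base64_encode(json_encode($tampered)), $oldKey) === null ? "rejected\n" : "unexpectedly decrypted\n";
```

Run it with `php example.php` (requires the openssl extension, which Laravel itself needs anyway). The important design point is that the MAC is checked with hash_equals() before any decryption is attempted; that is what turns a raw AES-CBC ciphertext, which on its own is malleable, into something a client cannot forge or modify without the key.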



Hashing

Hashing, on the other hand, is a one-way function: once data has been hashed it cannot be turned back into its original form, and there is no key that would let you do so. It is used for data that only needs to be verified, never read back, the classic case being a user's password. The application stores only the hash of the password in the database; whoever gets hold of the records cannot read the password from it. During authentication, the password the user enters is run through the same hash function, using the salt and cost parameters embedded in the stored hash, and the result is compared with the stored value. APP_KEY plays no part in this at all, which is why rotating it does not invalidate anybody's password.
The default hashing driver in the Laravel framework is Bcrypt (Argon2 drivers are also available), and Hash::make wraps PHP's password_hash(). Because bcrypt is salted and deliberately slow, two users with the same password get different hashes, and brute-forcing a leaked table is expensive.
Below is a snippet from the documentation that depicts the most common hashing implementation (again with the controller and imports restored around the method body the page showed):

```php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class PasswordController extends Controller
{
    public function update(Request $request)
    {
        $request->user()->fill([
            'password' => Hash::make($request->newPassword) // bcrypt; no key involved
        ])->save();

        return redirect('/profile');
    }
}
```
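The following added example (plain PHP, not Laravel's Hash facade and not from the original post) shows what Hash::make() and Hash::check() do underneath with the Bcrypt driver, which is password_hash() and password_verify(). The helper names (makePasswordHash, checkPassword, describeHash, needsRehash), the BCRYPT_COST constant and the sample password are assumptions for this example; Laravel reads the cost from the `rounds` setting in config/hashing.php. Note that nothing here takes a key: APP_KEY never touches a password hash.

```php
<?php
// Added example: the bcrypt flow behind Laravel's Hash::make / Hash::check.
declare(strict_types=1);

const BCRYPT_COST = 12; // assumed value; in Laravel this comes from config/hashing.php 'rounds'

// Hash::make() equivalent. A fresh random salt is generated on every call,
// so the same password never produces the same hash twice.
function makePasswordHash(string $password, int $cost = BCRYPT_COST): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Hash::check() equivalent. The stored hash already carries the algorithm,
// cost and salt, so verification re-runs bcrypt with those parameters and
// compares the result in constant time. No key, no APP_KEY.
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Split the modular-crypt string "$2y$<cost>$<22-char salt><31-char digest>"
// to make visible what is actually stored in the users table.
function describeHash(string $hash): array
{
    if (!preg_match('/^\$(2[aby])\$(\d{2})\$(.{22})(.{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['algo' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Hash::needsRehash() equivalent: true when the stored hash was made with
// different options (e.g. the cost was raised), so it can be upgraded
// transparently after the next successful login.
function needsRehash(string $storedHash, int $cost = BCRYPT_COST): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// --- demo with a constructed password ---
$password = 'correct horse battery staple'; // constructed sample, not a real credential

$h1 = makePasswordHash($password, 10);
$h2 = makePasswordHash($password, 10);

// Same password, different salt, therefore different hashes: someone who
// dumps the table cannot even tell that two users share a password.
echo $h1 === $h2 ? "unexpected: identical hashes\n" : "same password, different hashes\n";
print_r(describeHash($h1));

echo checkPassword($password, $h1) ? "correct password accepted\n" : "unexpected: correct password rejected\n";
echo checkPassword('wrong password', $h1) ? "unexpected: wrong password accepted\n" : "wrong password rejected\n";

// Raising the cost in config does not break existing hashes; they keep
// verifying and are simply flagged for an upgrade on the next login.
echo needsRehash($h1, 12) ? "hash made with cost 10, rehash on next login\n" : "hash up to date\n";
```

The practical takeaway for a Laravel app: because the salt and cost live inside the hash string, you can raise `rounds` at any time, and a login handler that calls Hash::needsRehash() after a successful Hash::check() will migrate old hashes without forcing anyone to reset their password.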

I hope this was as interesting a read and discovery for you as it was for me: encryption and hashing are fundamentally different security concepts with different use cases in Laravel. See you on the next one!


