Laravel Weak Encryption Cipher: How to Ensure AES-256-CBC Is Configured Correctly

A non-standard cipher in config/app.php weakens all encryption in your application. Verify AES-256-CBC is set and your APP_KEY matches.

Medium severity Application Security Updated 2026-05-01

The Problem

Laravel's encryption system uses the cipher configured in config/app.php. The default and recommended cipher is AES-256-CBC, which provides strong symmetric encryption. If this setting is changed to a weaker cipher (like AES-128-CBC, DES, or a custom value), all encrypted data — including sessions, cookies, and Crypt::encrypt() values — uses weaker protection. A mismatched cipher and key length also causes encryption failures.

How to Fix

  1. Verify your cipher configuration

    Check config/app.php:

    'cipher' => 'AES-256-CBC',

    This should be exactly AES-256-CBC (the Laravel default). If you see AES-128-CBC, DES, or any other value, change it back.

    Also verify via artisan:

    php artisan tinker
    >>> config('app.cipher')
    # Should output: AES-256-CBC

  2. Ensure your APP_KEY matches the cipher

    AES-256-CBC requires a 32-byte key. AES-128-CBC requires a 16-byte key.

    Verify your key length:

    php artisan tinker
    >>> strlen(base64_decode(Str::after(config('app.key'), 'base64:')))
    # Should output: 32 for AES-256-CBC

    If the key length is wrong, generate a new key:

    php artisan key:generate

    Warning: Regenerating the key invalidates all existing encrypted data and sessions.

  3. Do not override the cipher in environment files

    Check that .env does not contain a cipher override:

    grep -i cipher .env

    The cipher should only be set in config/app.php, not in .env. If present in .env, remove it and let the config file handle it:

    // config/app.php — correct
    'cipher' => 'AES-256-CBC',

    // Do NOT put in .env
    // APP_CIPHER=AES-128-CBC  ← remove this
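    The three steps above combined into one pre-deploy check, as an added example that is not part of the original page, of Laravel, or of the StackShield tool. It assumes a standard Laravel layout (a literal 'cipher' entry in config/app.php and APP_KEY in .env) and uses the key sizes Laravel's Encrypter enforces for its four supported ciphers (16 bytes for AES-128-CBC/GCM, 32 for AES-256-CBC/GCM), which goes slightly beyond the two ciphers named above.

```shell
#!/bin/sh
# Added pre-deploy check (not Laravel's or StackShield's own code): confirms the
# configured cipher is one Laravel supports, that APP_KEY decodes to the byte
# length that cipher needs, and that .env carries no cipher override.

# Key bytes required per cipher, mirroring Laravel's Encrypter table; 0 = unsupported.
required_key_bytes() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        aes-128-cbc|aes-128-gcm) echo 16 ;;
        aes-256-cbc|aes-256-gcm) echo 32 ;;
        *) echo 0 ;;
    esac
}

# Decoded byte length of an APP_KEY value such as "base64:..." (0 if malformed).
app_key_bytes() {
    key="${1#base64:}"
    printf '%s' "$key" | openssl base64 -d -A 2>/dev/null | wc -c | tr -d ' '
}

# check_cipher_key CIPHER APP_KEY: prints a verdict, exit 0 only when consistent.
check_cipher_key() {
    need=$(required_key_bytes "$1")
    have=$(app_key_bytes "$2")
    if [ "$need" -eq 0 ]; then
        echo "unsupported cipher '$1' (use AES-256-CBC)"; return 1
    fi
    if [ "$have" -ne "$need" ]; then
        echo "APP_KEY is $have bytes but $1 needs $need; run php artisan key:generate"; return 1
    fi
    echo "ok: $1 with a $have-byte key"
}

# check_project DIR: reads config/app.php and .env of a Laravel project (default: .).
check_project() {
    dir="${1:-.}"
    # Any non-comment .env line mentioning a cipher is an override (step 3).
    if grep -qi '^[^#]*cipher' "$dir/.env" 2>/dev/null; then
        echo "cipher override found in $dir/.env; remove it"; return 1
    fi
    cipher=$(sed -n "s/.*'cipher' *=> *'\([^']*\)'.*/\1/p" "$dir/config/app.php" | head -n 1)
    key=$(sed -n 's/^APP_KEY=//p' "$dir/.env" | head -n 1 | tr -d '"')
    check_cipher_key "${cipher:-none}" "$key"
}
```

Run it from the project root (or pass the project directory) in CI; a non-zero exit blocks the deploy.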

How to Verify

Verify encryption works correctly:

php artisan tinker
>>> encrypt('test')
# Should return a long encrypted string
>>> decrypt(encrypt('test'))
# Should return: test

Run php artisan stackshield:scan --check=SS011 to verify.

Prevention

Never modify the cipher setting from the Laravel default. If you upgraded from an older Laravel version that used AES-128-CBC, migrate to AES-256-CBC by regenerating the key and re-encrypting any stored data.

Frequently Asked Questions

Is AES-128-CBC insecure?

AES-128-CBC is not broken, but AES-256-CBC provides a larger margin of safety. Since Laravel defaults to AES-256-CBC and there is no performance difference for typical use, there is no reason to use the weaker option.

What happens if I change the cipher?

All data encrypted with the old cipher becomes undecryptable. Sessions are invalidated, encrypted database columns become unreadable, and signed cookies fail. Only change the cipher if you also regenerate the key and re-encrypt all data.

Detect This Automatically with StackShield

StackShield continuously monitors your Laravel application from the outside and alerts you when security issues are found. No installation required.
