- Generate the keys used to encrypt/decrypt secrets:
php bin/console secrets:generate-keys
This command generates a pair of keys in config/secrets/dev/ (or config/secrets/prod/). The public key is used to encrypt secrets and you should commit it to your shared repository. The private key is used to decrypt them: do not commit it to the repository and do not share it in any way.
- If you already have keys, but want to update them:
php bin/console secrets:generate-keys --rotate
- Upload the private key to your remote server using SSH or any other safe means and store it in the same config/secrets/ directory for that environment (for example config/secrets/prod/).
- Create a new secret to store the contents of DATABASE_URL:
php bin/console secrets:set DATABASE_URL
or generate a new random value:
php bin/console secrets:set REMEMBER_ME --random
- Each secret is stored in its own file inside the config/secrets/ directory of its environment. You can commit these files to the repository because their contents are not accessible unless you also have the private key.
- That's all. Use a secret like any other env var in your configuration files and Symfony will decrypt the value transparently when needed (here, a secret named DATABASE_PASSWORD):
'%env(DATABASE_PASSWORD)%'
- You can add --env=prod to any of these commands to specify the environment.
- List the secrets and reveal their decrypted values:
php bin/console secrets:list --reveal
- Remove a secret:
php bin/console secrets:remove DATABASE_PASSWORD
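The rule above that the private key never goes into the repository can be enforced with a pre-commit check. This is an added example, not part of the original page or of Symfony itself; it assumes Symfony's default key file name <env>.decrypt.private.php, and the function names and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: block commits that contain a Symfony vault decryption key.
# Assumption: keys use the default file name <env>.decrypt.private.php.

# Read repository-relative paths on stdin and print every path that is a
# vault private key. Returns 1 if any was found, 0 otherwise.
find_decrypt_keys() {
    keys=$(grep -E '(^|/)config/secrets/[^/]+/[^/]+\.decrypt\.private\.php$' || true)
    if [ -z "$keys" ]; then
        return 0
    fi
    printf '%s\n' "$keys"
    return 1
}

# Pre-commit entry point: inspect only the files staged for this commit.
# Call this from .git/hooks/pre-commit; it is not run by this script itself.
check_staged() {
    if ! git diff --cached --name-only --diff-filter=ACMR | find_decrypt_keys >&2; then
        echo "refusing to commit: vault private key is staged" >&2
        return 1
    fi
}

# Constructed sample of staged paths, so the check can be seen without a repo.
sample_paths() {
    cat <<'EOF'
config/secrets/prod/prod.encrypt.public.php
config/secrets/prod/prod.DATABASE_URL.28bd2f.php
config/secrets/prod/prod.list.php
config/secrets/prod/prod.decrypt.private.php
src/Kernel.php
EOF
}

sample_paths | find_decrypt_keys || echo "^ this path would be rejected"
```

The public key, the list file and the per-secret files pass the check, since they are meant to be committed; only the decryption key is flagged.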