Question 1

What is encryption key rotation in Laravel 11?

Accepted Answer

Encryption key rotation in Laravel 11 lets me change APP_KEY without instantly breaking everything that was encrypted using the old key. Laravel keeps using the current key to encrypt new values, but when decrypting it can fall back to older keys. That’s done by listing old keys in APP_PREVIOUS_KEYS.

Question 2

Why do I get “MAC is invalid” after changing APP_KEY?

Accepted Answer

Because the encrypted value was created with a different key than the one you’re using now. In my demo, after I generate a new APP_KEY, refreshing the decrypt route fails with “MAC is invalid.” Laravel can’t validate or decrypt that payload with the new key unless I provide the previous key.

Question 3

How do I set APP_PREVIOUS_KEYS in Laravel?

Accepted Answer

I add a new env variable called APP_PREVIOUS_KEYS and put the old APP_KEY value in there. Laravel supports a comma-delimited list, so you can keep multiple previous keys if needed. Once that’s set, decrypt will try the current key first and then the previous ones.

Question 4

Does rotating the encryption key log users out in Laravel?

Accepted Answer

Yes, if you rotate the key without handling previous keys, users can get logged out because cookies (including sessions) are encrypted. That’s why this feature matters—graceful decryption helps keep things working while you rotate keys. The goal is to avoid breaking existing encrypted cookies and data.

Question 5

How do I rotate APP_KEY safely in Laravel 11?

Accepted Answer

What I do is copy the current APP_KEY into APP_PREVIOUS_KEYS first. Then I run php artisan key:generate to create a new APP_KEY. After that, Laravel can still decrypt older values using the previous key while encrypting new values with the new key.

Question 6

Can Laravel decrypt values encrypted with older keys?

Accepted Answer

Yes, that’s exactly what I show. Laravel will attempt decryption with the current key, and if it fails, it will try the keys listed in APP_PREVIOUS_KEYS. That’s why the decrypt route starts working again after I add the previous key.

Question 7

Where did you demo encryption and decryption in the video?

Accepted Answer

I did it in routes/web.php with two quick routes: one for encrypt and one for decrypt. I pass a data query parameter, encrypt it, copy the encrypted string, then paste it into the decrypt route. It’s a simple way to see the behavior before and after key rotation.

New in Laravel 11 - Encryption Key Rotation

🛍️ Products Mentioned (2)

30% DISCOUNT ON ALL PLANS OF CLOUDWAYS HOSTING FOR 3 MONTHS

Fonts, extensions I use, and Support Laratips links

About This Video

Frequently Asked Questions

🎬 More from Laratips