sajad torkamani

What is Symfony secrets?

Symfony provides a secrets management system that helps you securely store sensitive information when environment variables fall short or are inconvenient.

Getting started

You’ll need to generate your asymmetric cryptographic keys first for each environment.

Generate cryptographic keys for development

Generate it for development first:

php bin/console secrets:generate-keys

This should give you two new files:

  • config/secrets/dev/dev.decrypt.private.php
  • config/secrets/dev/dev.encrypt.public.php

Update your .gitignore file so that the config/secrets/dev/dev.decrypt.private.php file isn’t committed to Git.

You can commit this if your dev secrets don’t contain anything too sensitive, but to be on the safe side, I prefer not committing it. You can always share the public key with the devs on your team if needed.

Generate cryptographic keys for other environments (staging, prod etc)

Assuming you have a prod environment, generate the key for that environment:

APP_RUNTIME_ENV=prod php bin/console secrets:generate-keys

Create or update secrets

Use secrets:set to create or update a secret. For example, to add a DATABASE_PASSWORD secret, run:

php bin/console secrets:set DATABASE_PASSWORD

To add or update a secret for a different environment, prefix the command with APP_RUNTIME_ENV=<name-of-environment>. For example:

APP_RUNTIME_ENV=prod php bin/console secrets:set DATABASE_PASSWORD

Reference secrets in config files

Secrets are referenced in the same way as environment variables. Ensure you don’t define both a secret and an environment variable with the same name because environment variables override secrets.

Assuming you stored a DATABASE_PASSWORD secret, you can reference it with:

# config/packages/doctrine.yaml
doctrine:
    dbal:
        password: '%env(DATABASE_PASSWORD)%'
        # ...
    # ...

Reveal existing secrets

Assuming you have the decryption key, use the secrets:reveal command to reveal a secret’s value:

php bin/console secrets:reveal DATABASE_PASSWORD

Remove secret

php bin/console secrets:remove DATABASE_PASSWORD

Override secrets locally

In development, you may have secrets that contain a sensible default value but which may need to be overridden sometimes. You can use the secrets:set --local command to do that:

php bin/console secrets:set DATABASE_PASSWORD --local

This will add an entry for the DATABASE_PASSWORD environment variable in .env.{env}.local as a standard environment variable. Because environment variables take precedence over secrets, the DATABASE_PASSWORD environment variable will override the value defined by the secret.

Setting secrets in the test environment

For your test environment, you’re better off storing all needed secrets in .env.test.

Deploying secrets to production

You can deploy your production decryption key in two ways:

  1. Copy the decryption key file (config/secrets/prod/prod.decrypt.private.php) to your server.
  2. Define a SYMFONY_DECRYPTION_SECRET environment variable that has the base64 encoded value of the production decryption key.
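The steps above (keep the private key out of Git, then deliver the production decryption key as SYMFONY_DECRYPTION_SECRET) can be wrapped in a small POSIX shell helper. The script below is an added example written for this post, not code from the post or from Symfony. It assumes the key paths shown above (config/secrets/<env>/<env>.decrypt.private.php), that git and php are on PATH, and that the generated key file returns the raw key bytes when required, which is what the base64 one-liner relies on. The function names (ensure_gitignored, tracked_private_keys, decryption_secret_b64) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or from Symfony): a deployment
# helper that (1) keeps the decryption keys out of Git and (2) derives the
# SYMFONY_DECRYPTION_SECRET value for deployment option 2 above.
# Assumed layout: config/secrets/<env>/<env>.decrypt.private.php
set -eu

# ensure_gitignored <gitignore-file> <pattern>
# Appends <pattern> to the ignore file unless that exact line already exists.
# Idempotent, so it can run on every bootstrap without duplicating lines.
ensure_gitignored() {
    ignore_file=$1
    pattern=$2
    [ -f "$ignore_file" ] || : > "$ignore_file"
    if grep -qxF -- "$pattern" "$ignore_file"; then
        return 0
    fi
    printf '%s\n' "$pattern" >> "$ignore_file"
}

# tracked_private_keys <repo-dir>
# Prints any *.decrypt.private.php file that Git is already tracking.
# An ignore rule does not untrack a file committed earlier, so this catches
# the case where a private key slipped in before .gitignore was updated.
# Returns 1 if at least one such file is tracked, 0 otherwise.
tracked_private_keys() {
    repo=$1
    found=$(git -C "$repo" ls-files -- 'config/secrets/*/*.decrypt.private.php')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# decryption_secret_b64 <key-file>
# Prints the base64 value to export as SYMFONY_DECRYPTION_SECRET (assumption:
# the key file returns the raw key bytes, as secrets:generate-keys writes it).
decryption_secret_b64() {
    key_file=$1
    [ -r "$key_file" ] || { echo "key file not readable: $key_file" >&2; return 1; }
    php -r 'echo base64_encode(require $argv[1]);' "$key_file"
}

# Usage from the project root: sh deploy-secrets.sh deploy
# (skipped when the file is sourced, so the functions can be reused elsewhere)
if [ "${1:-}" = "deploy" ]; then
    ensure_gitignored .gitignore '/config/secrets/dev/dev.decrypt.private.php'
    ensure_gitignored .gitignore '/config/secrets/prod/prod.decrypt.private.php'
    tracked_private_keys . || {
        echo 'a private key is tracked by Git; remove it from the repository before deploying' >&2
        exit 1
    }
    # Export the key on the server instead of copying the file; never echo it into logs.
    SYMFONY_DECRYPTION_SECRET=$(decryption_secret_b64 config/secrets/prod/prod.decrypt.private.php)
    export SYMFONY_DECRYPTION_SECRET
    # Smoke test with the post's example secret: reveal succeeds only if the key is correct.
    php bin/console secrets:reveal DATABASE_PASSWORD >/dev/null && echo 'decryption key works'
fi
```

The tracked-file check matters more than the ignore rule: a key that was committed once stays in history, so if tracked_private_keys reports a hit the right response is to rotate the keys (secrets:generate-keys again and re-set the secrets), not only to delete the file.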
