@@ -750,6 +750,8 @@ And add it to your :doc:`secret store </configuration/secrets>` as
750750 decorates : cache.default_marshaller
751751 arguments :
752752 - ['%env(base64:CACHE_DECRYPTION_KEY)%']
753+ # use multiple keys in order to rotate them
754+ # - ['%env(base64:CACHE_DECRYPTION_KEY)%', '%env(base64:OLD_CACHE_DECRYPTION_KEY)%']
753755 - ' @Symfony\Component\Cache\Marshaller\SodiumMarshaller.inner'
754756
755757code-block :: xml
@@ -769,6 +771,8 @@ And add it to your :doc:`secret store </configuration/secrets>` as
769771 <argument >redis://localhost</argument >
770772 <argument type =" collection"
771773 <argument >env(base64:CACHE_DECRYPTION_KEY)</argument >
774+ <!-- use multiple keys in order to rotate them -->
775+ <!-- argument>env(base64:OLD_CACHE_DECRYPTION_KEY)</argument -->
772776 </argument >
773777 <argument type =" service" id =" Symfony\Component\Cache\Marshaller\SodiumMarshaller.inner"
774778 </service >
@@ -783,60 +787,13 @@ And add it to your :doc:`secret store </configuration/secrets>` as
783787 $container->register(SodiumMarshaller::class)
784788 ->decorate('cache.default_marshaller')
785789 ->addArgument(['env(base64:CACHE_DECRYPTION_KEY)'])
790+ // use multiple keys in order to rotate them
791+ // ->addArgument(['env(base64:CACHE_DECRYPTION_KEY)', 'env(base64:OLD_CACHE_DECRYPTION_KEY)'])
786792 ->addArgument(service('@Symfony\Component\Cache\Marshaller\SodiumMarshaller.inner'));
787793
788-
789- ~~~~~~~~~~~~~~~~~~~~~~~~~~~
790-
791794
792795add the old encryption key to the service arguments. The first key will be used
793796for reading and writing, and the additional key(s) will only be used for reading.
794797
795- .. configuration-block ::
796-
797- .. code-block :: yaml
798-
799- # config/packages/cache.yaml
800- services :
801- Symfony\Component\Cache\Marshaller\SodiumMarshaller :
802- decorates : cache.default_marshaller
803- arguments :
804- - ['%env(base64:CACHE_DECRYPTION_KEY)%', '%env(base64:OLD_CACHE_DECRYPTION_KEY)%']
805- - ' @Symfony\Component\Cache\Marshaller\SodiumMarshaller.inner'
806-
807- code-block :: xml
808-
809- <!-- config/packages/cache.xml -->
810- <?xml version =" 1.0" encoding =" UTF-8"
811- <container xmlns =" http://symfony.com/schema/dic/services"
812- xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
813- xmlns : framework =" http://symfony.com/schema/dic/symfony"
814- xsi : schemaLocation =" http://symfony.com/schema/dic/services
815- https://symfony.com/schema/dic/services/services-1.0.xsd
816- http://symfony.com/schema/dic/symfony
817- https://symfony.com/schema/dic/symfony/symfony-1.0.xsd" >
818-
819- <services >
820- <service id =" Symfony\Component\Cache\Marshaller\SodiumMarshaller" decorates =" cache.default_marshaller"
821- <argument >redis://localhost</argument >
822- <argument type =" collection"
823- <argument >env(base64:CACHE_DECRYPTION_KEY)</argument >
824- <argument >env(base64:OLD_CACHE_DECRYPTION_KEY)</argument >
825- </argument >
826- <argument type =" service" id =" Symfony\Component\Cache\Marshaller\SodiumMarshaller.inner"
827- </service >
828- </services >
829- </container >
830-
831- code-block :: php
832-
833- // config/packages/cache.php
834- use Symfony\Component\Cache\Marshaller\SodiumMarshaller;
835-
836- $container->register(SodiumMarshaller::class)
837- ->decorate('cache.default_marshaller')
838- ->addArgument(['env(base64:CACHE_DECRYPTION_KEY)', 'env(base64:OLD_CACHE_DECRYPTION_KEY)'])
839- ->addArgument(service('@Symfony\Component\Cache\Marshaller\SodiumMarshaller.inner'));
840-
841798Once all cache items encrypted with the old key have expired, you can remove
842799`OLD_CACHE_DECRYPTION_KEY ` completely.
0 commit comments