Personal data encryption implementation for website

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and maintenance of all types of websites:
Informational websites or web applications
Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators
E-commerce websites or web applications
Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers
Business process management web applications
CRM systems, ERP systems, corporate portals, production management systems, information parsers
Electronic service websites or web applications
Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 2065 services
Personal data encryption implementation for website
Complex
~3-5 business days
FAQ
Our competencies:
Development stages
Latest works
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1161
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1041
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    822
  • image_crm_chasseurs_493_0.webp
    CRM development for Chasseurs
    847
  • image_website-sbh_0.png
    Website development for SBH Partners
    999
  • image_website-_0.png
    Website development for Red Pear
    451
Show more works

Implementing personal data encryption on a website

Personal data encryption in the database is a mandatory element of protection when handling sensitive information. Even if the database is compromised, the attacker gets encrypted data useless without keys.

What and how to encrypt

Data requiring encryption:

  • INN, SNILS, passport series/number
  • Medical data, diagnoses
  • Financial data, card numbers
  • Biometrics

Data that should only be hashed (irreversible):

  • Passwords → bcrypt, Argon2id
  • Secret tokens, API keys

Data requiring searchability:

  • Requires deterministic encryption or tokenization

Encryption algorithms

AES-256-GCM — symmetric encryption with authentication. Standard for data at rest encryption.

RSA-OAEP — asymmetric. Used for encrypting symmetric keys.

ChaCha20-Poly1305 — AES alternative on platforms without hardware AES acceleration.

Application-level encryption (Laravel)

class EncryptedCast implements CastsAttributes
{
    public function get($model, string $key, $value, array $attributes): ?string
    {
        if (is_null($value)) return null;
        try {
            return Crypt::decryptString($value);
        } catch (DecryptException) {
            return null;
        }
    }

    public function set($model, string $key, $value, array $attributes): ?string
    {
        if (is_null($value)) return null;
        return Crypt::encryptString($value);
    }
}

class Patient extends Model
{
    protected $casts = [
        'passport_number' => EncryptedCast::class,
        'medical_notes'   => EncryptedCast::class,
        'snils'           => EncryptedCast::class,
    ];
}

$patient->passport_number = '4510 123456';
$decrypted = $patient->passport_number;

Key management

HashiCorp Vault:

$vault = new Vault([
    'address' => 'https://vault.internal:8200',
    'token'   => env('VAULT_TOKEN'),
]);

$keyData = $vault->read('secret/data/app-encryption-key');
$encryptionKey = $keyData['data']['key'];

AWS KMS:

$kms = new KmsClient(['region' => 'eu-west-1']);

$result = $kms->encrypt([
    'KeyId'     => 'arn:aws:kms:eu-west-1:123456:key/abc-123',
    'Plaintext' => $sensitiveData,
]);

$encryptedData = base64_encode($result['CiphertextBlob']);

Envelope Encryption — best practice: data encrypted with Data Encryption Key (DEK), DEK encrypted with Key Encryption Key (KEK), KEK stored in KMS/Vault.

Deterministic encryption for search

Regular AES-GCM generates different ciphertext for same value. Searching encrypted field is impossible. Solutions:

Variant 1: Hash for search + encryption for storage:

class PersonalDataRepository
{
    public function findByPassport(string $passport): ?Patient
    {
        $hash = hash_hmac('sha256', $passport, config('app.search_key'));
        return Patient::where('passport_hash', $hash)->first();
    }

    public function store(string $passport): void
    {
        Patient::create([
            'passport_data' => Crypt::encryptString($passport),
            'passport_hash' => hash_hmac('sha256', $passport, config('app.search_key')),
        ]);
    }
}

Variant 2: PostgreSQL pgcrypto:

INSERT INTO patients (passport)
VALUES (pgp_sym_encrypt('4510 123456', current_setting('app.encryption_key')));

SELECT pgp_sym_decrypt(passport::bytea, current_setting('app.encryption_key'))
FROM patients WHERE id = 1;

Key rotation

class RotateEncryptionKeyCommand extends Command
{
    public function handle(): void
    {
        $oldKey = config('app.old_encryption_key');
        $newKey = config('app.key');

        Patient::chunk(100, function ($patients) use ($oldKey, $newKey) {
            foreach ($patients as $patient) {
                $decrypted = Crypt::decryptString($patient->getRawOriginal('passport_number'));
                $patient->updateQuietly([
                    'passport_number' => Crypt::encryptString($decrypted),
                ]);
            }
        });
    }
}

File encryption

class EncryptedFileStorage
{
    public function store(UploadedFile $file): string
    {
        $content = file_get_contents($file->getPathname());
        $encrypted = Crypt::encrypt($content);

        $path = 'encrypted/' . Str::uuid() . '.enc';
        Storage::put($path, $encrypted);

        return $path;
    }

    public function retrieve(string $path): string
    {
        $encrypted = Storage::get($path);
        return Crypt::decrypt($encrypted);
    }
}

Implementation Timeline

  • Encryption on model level (Cast) for main fields: 2–3 days
  • Vault/KMS integration + envelope encryption: 5–7 days
  • Deterministic encryption + search: +3 days
  • Key rotation + access audit: +2–3 days