This guide explains how to upgrade the Doctrine Encrypt Bundle between versions. For a list of changes in each version, see CHANGELOG.md.
-
Back up configuration
Back upconfig/packages/nowo_doctrine_encrypt.yaml(or wherever you configure the bundle) before upgrading. -
Check the changelog
Review CHANGELOG.md for the target version to see new features, changes, and breaking changes. -
Update the package
Run:composer update nowo-tech/doctrine-encrypt-bundle
-
Apply configuration and code changes
If the new version introduces or changes config options or namespaces, update your config and PHP code (see version-specific sections below). -
Clear cache
php bin/console cache:clear
-
Test
Verify that encrypted entities are still read/written correctly and that console commands work.
No breaking changes. Patch release (Spec Kit maintainer tooling, Twig |decrypt auto-escape fix, MysqlAes PHPDoc deprecation, composer.lock sync).
If your Twig templates relied on the |decrypt filter not being escaped (previous incorrect isSafe: ['html'] marking), apply |raw only when the decrypted content is trusted HTML:
{# Before (implicit unescaped output — incorrect) #}
{{ value|decrypt }}
{# After — default: escaped (recommended) #}
{{ value|decrypt }}
{# Only if decrypted HTML is trusted #}
{{ value|decrypt|raw }}Update as usual:
composer update nowo-tech/doctrine-encrypt-bundle
php bin/console cache:clearNo breaking changes. Patch release only (functional test / CI fix for PHP 8.4 + Symfony 8). No changes required in your application.
composer update nowo-tech/doctrine-encrypt-bundleNo breaking changes. Patch release only (composer.lock sync + CI matrix fix). Recommended if you installed 2.2.0 and hit CI/composer validate issues, or want the Symfony 8.0 / 8.1 CI fix from upstream.
composer update nowo-tech/doctrine-encrypt-bundleOr pin explicitly:
composer require nowo-tech/doctrine-encrypt-bundle:^2.2.1Breaking changes for legacy environments:
-
PHP 8.2+ is now required (
require.phpwas>=8.1). Upgrade PHP before updating the bundle. -
Symfony 6.x is no longer declared in
composer.json(symfony/*are ^7.0 || ^8.0 only). If you still run Symfony 6 or PHP 8.1, pin the previous line:composer require nowo-tech/doctrine-encrypt-bundle:">=2.0,<2.2"Or upgrade the application to PHP 8.2+ and Symfony 7.4+ or 8.x, then:
composer require nowo-tech/doctrine-encrypt-bundle:^2.2
No configuration or encryptor changes are required when you already run PHP 8.2+ and Symfony 7.4+ / 8.x.
No breaking changes for existing applications using Halite or Defuse.
To use the new MysqlAes encryptor (compatible with MySQL AES_ENCRYPT / AES_DECRYPT):
# config/packages/nowo_doctrine_encrypt.yaml
nowo_doctrine_encrypt:
configs:
mysql_aes:
encryptor_class: MysqlAes
secret_key_env_var: '%env(MYSQL_AES_KEY)%'Generate a passphrase:
php bin/console doctrine:encrypt:generate-secret-key mysql_aesUse on entity properties: #[Encrypted('mysql_aes')]. For native SQL on BLOB columns (no <ENC> marker), see MYSQL_AES.md.
Requires PHP ext-openssl (typically enabled). Prefer Halite/Defuse for new application-level encryption unless you must interoperate with MySQL functions.
Update as usual:
composer update nowo-tech/doctrine-encrypt-bundle
php bin/console cache:clearNo breaking changes. This release fixes the Symfony 7.1+ deprecation (Extension class) and corrects COMMANDS.md (batchSize default). No changes required in your application.
Update as usual:
composer update nowo-tech/doctrine-encrypt-bundle
php bin/console cache:clearNo breaking changes. This release applies code style (PHP-CS-Fixer), internal refactors, and demo/CI updates; no changes required in your application.
Update as usual:
composer update nowo-tech/doctrine-encrypt-bundle
php bin/console cache:clearNo breaking changes. This release fixes unit tests for Symfony Console 7.0/8.0 compatibility (RotateKeysCommandTest); no changes required in your application.
Update as usual:
composer update nowo-tech/doctrine-encrypt-bundle
php bin/console cache:clearNo breaking changes. New features:
- doctrine:encrypt:status now lists each encrypted property and its config per entity, and shows configured encryptor configs at the end.
- doctrine:encrypt:rotate-keys runs the full key rotation (optional backup, decrypt, change keys, re-encrypt) with step-by-step confirmation; use
--backupand/or--no-interactionas needed. - doctrine:encrypt:generate-secret-key accepts
--forceto overwrite existing key files without asking. - doctrine:decrypt:database and doctrine:encrypt:database accept
--forceto skip the confirmation prompt. - Config: Optional
nowo_doctrine_encrypt.batch_size(default5) for encrypt/decrypt database batch size. FrankenPHP is supported (see INSTALLATION.md); no config changes needed.
Update as usual:
composer update nowo-tech/doctrine-encrypt-bundle
php bin/console cache:clearNo breaking changes. Update as usual:
composer update nowo-tech/doctrine-encrypt-bundle
php bin/console cache:clearNo breaking changes. Update as usual:
composer update nowo-tech/doctrine-encrypt-bundle
php bin/console cache:clearIf you run the test suite from the bundle source, ensure your autoload and PHPUnit config use the tests/ directory (lowercase); the package already ships with this layout.
No breaking changes. Update as usual:
composer update nowo-tech/doctrine-encrypt-bundle
php bin/console cache:clearNo breaking changes. Update as usual:
composer update nowo-tech/doctrine-encrypt-bundle
php bin/console cache:clearNo breaking changes. Update as usual:
composer update nowo-tech/doctrine-encrypt-bundle
php bin/console cache:clearNo breaking changes. Update and run tests as usual:
composer update nowo-tech/doctrine-encrypt-bundle
php bin/console cache:clearBreaking change: Symfony 6.x is no longer supported. The bundle requires Symfony ^7.0 || ^8.0.
- If your application runs on Symfony 6.x, either:
- Stay on
nowo-tech/doctrine-encrypt-bundle^1.0 (e.g.composer require nowo-tech/doctrine-encrypt-bundle:^1.0), or - Upgrade your application to Symfony 7 or 8, then upgrade the bundle to ^2.0.
- Stay on
- If you are already on Symfony 7 or 8, you can upgrade to 2.0 with:
No configuration or code changes are required; only the dropped Symfony 6 support and the removal of the Symfony 6 demo affect this release.
composer update nowo-tech/doctrine-encrypt-bundle
This is the first release of nowo-tech/doctrine-encrypt-bundle. If you are migrating from ambta/doctrine-encrypt-bundle or hec-franco/doctrine-encrypt-bundle, see the section below.
If you are already on this package (e.g. from dev), ensure you use the new config root nowo_doctrine_encrypt and register NowoDoctrineEncryptBundle. Use default_config and configs (one entry for a single encryptor, or several for multiple encryptors); see CONFIGURATION.md.
Breaking changes when moving to nowo-tech/doctrine-encrypt-bundle:
-
Package name
- Old:
hec-franco/doctrine-encrypt-bundleorambta/doctrine-encrypt-bundle - New:
nowo-tech/doctrine-encrypt-bundle
- Old:
-
Namespace
- Old:
Ambta\DoctrineEncryptBundle - New:
Nowo\DoctrineEncryptBundle
Update anyusestatements and references (e.g. in entities using theEncryptedattribute/annotation:Nowo\DoctrineEncryptBundle\Configuration\Encrypted).
- Old:
-
Bundle registration
- Old:
Ambta\DoctrineEncryptBundle\AmbtaDoctrineEncryptBundle::class - New:
Nowo\DoctrineEncryptBundle\NowoDoctrineEncryptBundle::class
Updateconfig/bundles.phpaccordingly.
- Old:
-
Configuration key
- Old:
ambta_doctrine_encrypt - New:
nowo_doctrine_encrypt
Rename your config file fromambta_doctrine_encrypt.yamltonowo_doctrine_encrypt.yamland change the root key inside the file:
# Before ambta_doctrine_encrypt: encryptor_class: Halite secret_directory_path: '%kernel.project_dir%' # After (single encryptor = one config named "default") nowo_doctrine_encrypt: default_config: default configs: default: encryptor_class: Halite secret_directory_path: '%kernel.project_dir%'
- Old:
-
Secret key files
With the single config above, the key file is.Halite.default.key. Each config uses.{Encryptor}.{alias}.key(e.g..Halite.personal_data.key). See CONFIGURATION.md.
Optional: You can add more entries under configs and set default_config to choose which one is used for #[Encrypted] without an alias.
After making these changes, run your test suite and the bundle’s console commands to ensure everything works.