Data Encryption for Self-Hosted Platforms

Secure subscriber data at rest and in transit on your instance.

Dec 26, 2025·1 min read· Advanced

Encryption in Transit (TLS)

All traffic must be served over HTTPS. On a typical VPS setup with Nginx:

server {
    listen 443 ssl http2;
    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
}

Use certbot to provision and auto-renew Let's Encrypt certificates. Redirect all HTTP to HTTPS with a 301.
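
One way to check an Nginx config against the two requirements above: only TLSv1.2/TLSv1.3 on TLS listeners, and a 301 redirect to HTTPS on plain-HTTP listeners. This is an added example, not part of the original page or of any project's code; the function names and sample configs are constructed for illustration, and the parser is a simplified brace matcher rather than a full Nginx grammar.

```python
import re

ALLOWED = {"TLSv1.2", "TLSv1.3"}  # the protocol set in the page's ssl_protocols line

def server_blocks(conf):
    """Yield the text inside each `server { ... }` block, matching nested braces."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(body, name):
    """Argument lists of every `name args;` directive in a block (nested locations included)."""
    pattern = rf"(?:^|[;{{}}\s]){re.escape(name)}\s+([^;{{}}]+);"
    return [m.group(1).split() for m in re.finditer(pattern, body)]

def audit(conf):
    """Return (server_block_number, finding) pairs; an empty list means the checks passed."""
    findings = []
    for n, body in enumerate(server_blocks(conf), 1):
        listens = directives(body, "listen")
        if any("ssl" in args for args in listens):
            protos = {p for args in directives(body, "ssl_protocols") for p in args}
            if not protos:
                findings.append((n, "ssl_protocols not set in this block (inherited or default)"))
            elif protos - ALLOWED:
                findings.append((n, f"legacy protocols enabled: {sorted(protos - ALLOWED)}"))
        # A block with no listen directive defaults to plain HTTP.
        if not listens or any("ssl" not in args for args in listens):
            redirect = any(a[0] == "301" and len(a) > 1 and a[1].startswith("https://")
                           for a in directives(body, "return"))
            if not redirect:
                findings.append((n, "plain-HTTP listener without a 301 redirect to https://"))
    return findings

# Constructed sample configs (not from a real server).
GOOD_CONF = """
server { listen 80; server_name example.test; return 301 https://$host$request_uri; }
server { listen 443 ssl http2; ssl_protocols TLSv1.2 TLSv1.3; location / { root /var/www; } }
"""
BAD_CONF = """
server { listen 80; root /var/www/html; }   # serves content over plain HTTP
server { listen 443 ssl; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, audit(conf))
```

A TLS block with no `ssl_protocols` line is reported rather than failed outright, because the directive can be inherited from the `http` level, which this sketch does not read.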

Encryption at Rest

Database: Enable MySQL encryption for tables containing PII:

ALTER TABLE subscribers ENCRYPTION='Y';
ALTER TABLE contacts ENCRYPTION='Y';

This requires MySQL 5.7.11+ with InnoDB encryption enabled in my.cnf.

File storage: For uploaded attachments or exports, use encrypted volumes. On AWS, use EBS volumes with KMS encryption. On bare metal, use LUKS.

Application-Level Encryption

For highly sensitive fields (e.g., GDPR consent records), use Laravel's encrypt() helper:

$subscriber->consent_text = encrypt($consentText);
// Retrieve:
$plain = decrypt($subscriber->consent_text);

Store the APP_KEY securely (not in your repo) — it's the master key.

Backups

Encrypt database backups before storage:

set -o pipefail  # bash: a failed mysqldump makes the whole pipeline exit non-zero
mysqldump acelle_db | gzip | gpg --symmetric --cipher-algo AES256 -o backup.sql.gz.gpg

Rotate encryption keys annually and document the rotation procedure.
