Laravel – Key size not supported by this algorithm. Only keys of sizes 16, 24 or 32 supported.

Newer versions of PHP (5.6+) enforce proper key sizes. If your Laravel APP_KEY is not one of the supported lengths, you will get the following error:

mcrypt_decrypt(): Key of size 5 not supported by this algorithm. Only keys of sizes 16, 24 or 32 supported.

There are 2 ways to fix this:

A) “Pad” the key to a valid size. This preserves your existing encrypted data, such as any data that was saved with Crypt::encrypt() in the database, passwords saved with Hash::make() [note – there is conflicting information on whether the key is used during password hashing and storage], and current sessions.

B) Or generate a new key and lose your previously encrypted data:

php artisan key:generate

Pad Laravel APP_KEY to Next Supported Length

To preserve your existing encrypted data, manually “pad” your existing key to the next valid size (16, 24, 32 characters). This is how invalid-size keys were handled internally by the PHP mcrypt_decrypt() function before the change in PHP 5.6+…

Previously keys and IVs were padded with '\0' bytes to the next valid size.

Example:
If it is 10 characters, pad it to 16.
If it is 20 characters, pad it to 24.
If it is 25 characters, pad it to 32.

app.php

1. Open your Laravel configuration file:

laravel\config\app.php

2. Find line:

'key' => env('APP_KEY', 'SomeRandomString'),

The above line attempts to read the value of Laravel’s environment variable APP_KEY (as defined in Laravel’s .env file), and if unable to do so, uses the quoted value.

3. Count the number of characters in the key value (without the quotes), and make it a valid size by adding null bytes to the end. You will need to change the quotes that surround the key value from single quotes to double quotes, so PHP interprets the null bytes correctly.

For example, if your key is “12345”, then it is 5 characters long, and it needs to be made 16 characters long like so:

"12345\0\0\0\0\0\0\0\0\0\0\0"

With the above app.php line like so:

'key' => env('APP_KEY', "12345\0\0\0\0\0\0\0\0\0\0\0"),

.env

The above key value is also stored in Laravel’s .env file (which itself usually acts as the primary source for APP_KEY).

1. Open your Laravel .env file:

laravel\.env

2. Find line:

APP_KEY=SomeRandomString

3. Update it to the padded value, surrounded by double quotes like so:

APP_KEY="12345\0\0\0\0\0\0\0\0\0\0\0"

For Key Sizes Larger Than 32

mcrypt_encrypt(): Size of key is too large for this algorithm.

If your key is longer than 32 characters, truncate it (from the end) to 32 characters (or to 16 if that does not work).

Notes

As an alternative, you can use the PHP function str_pad to do the above manual padding automatically. For example, to pad a key of 17 to 23 characters to 24:

str_pad($str, 24, "\0", STR_PAD_RIGHT);

Also the PHP function chr can be used to return the null byte instead of specifying it with special escape sequences:

chr(0)
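The padding and truncation rules from this page as a single helper, going beyond the 17-23 character case to cover every key length. This is an added example, not code from the original post, Laravel or PHP; the function name legacy_key() and the sample keys are assumptions made for illustration, and rejecting an empty key is a choice of this example.

```php
<?php
// Added example: reproduce the old mcrypt key handling described on this page.
// legacy_key() is a hypothetical helper name, not part of Laravel or PHP.
// Written without scalar type hints so it also runs on PHP 5.6.

/**
 * Pad a key with null bytes to the next valid size (16, 24 or 32 bytes),
 * or keep only the first 32 bytes if it is longer than 32.
 */
function legacy_key($key)
{
    $len = strlen($key); // mcrypt key sizes are counted in bytes

    if ($len === 0) {
        // Choice of this example: refuse to build a key made only of null bytes.
        throw new InvalidArgumentException('APP_KEY is empty');
    }

    foreach (array(16, 24, 32) as $size) {
        if ($len <= $size) {
            // A key that is already 16, 24 or 32 bytes long is returned unchanged.
            return str_pad($key, $size, chr(0), STR_PAD_RIGHT);
        }
    }

    return substr($key, 0, 32); // too large: truncate from the end
}

// Constructed sample keys covering the lengths used as examples on this page.
$samples = array(
    '12345',              // 5 characters
    str_repeat('a', 10),  // 10 characters
    str_repeat('b', 20),  // 20 characters
    str_repeat('c', 25),  // 25 characters
    str_repeat('d', 44),  // 44 characters (larger than 32)
);

foreach ($samples as $key) {
    $fixed = legacy_key($key);
    // The hex dump makes the trailing null bytes visible as "00" pairs.
    printf("%2d -> %2d bytes  %s\n", strlen($key), strlen($fixed), bin2hex($fixed));
}
```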

Laravel uses PHPDotEnv (a 3rd-party library) to read the .env file and load the environment variables. PHPDotEnv uses its own basic text/string format, and you cannot embed PHP code into the .env file. If you are unable to place the null-byte padded value into the .env file, you can comment out (#) the APP_KEY line so Laravel uses the default/fallback value from the app.php file.

The issue is referenced here: mcrypt_decrypt() throws error when PHP 5.6 is used if key is not 32 characters #6722

9 thoughts on “Laravel – Key size not supported by this algorithm. Only keys of sizes 16, 24 or 32 supported.”

    1. I’m going to guess that the resulting key is:

      A) The first 32 characters of the original 44 character string. As it is possible that [previous versions of] Laravel’s code, or PHP’s mcrypt_encrypt() function, or the function’s dependencies/libraries, truncated a key that was too large down to the maximum key size. If 32 characters does not work, then try using only the first 16 characters.

      B) Is not really set / not used… As current mcrypt_encrypt() documentation suggests that the function would have returned FALSE (when given a 44 character key), and it is unknown what your Laravel version would have done. Check your data to see if it is really encrypted.

      C) Is an empty 16 character string: "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"… As some type of an errant default case (possibly also a bug).

  1. mcrypt_encrypt(): Key of size 51 not supported…

    I get the solution with the next command inside project:

    php artisan key:generate

    1. For example –

      APP_KEY=base64:c2VjcmV0X2tleQ==

      Decode the base64 string “c2VjcmV0X2tleQ==” back to its ASCII form (which for this example decodes to “secret_key”). Then update APP_KEY…

      APP_KEY=secret_key

      And don’t forget to pad or truncate the resulting string.
