Laravel's Application Key - what it is and how it works?
Notice: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/38980861/
Asked by Yasen Ivanov
From what I know, the app key in Laravel provides protection for session and sensitive data, but what I want to understand is how exactly it works? What is the purpose of it? I couldn't find any information about it. Thanks in advance!
Accepted answer by Saud Qureshi
APP_KEY is used for encryption and not hashing. Every piece of data you encrypt in your application is using APP_KEY behind the scenes. Do remember that encrypted data can be decrypted but hashed data cannot be decrypted.
A common misconception of APP_KEY is that it is related to password hashing; the truth is it's not. And here is the proof.
You can see in the above tweet that APP_KEY has nothing to do with HASHED data.
Answer by Pawel Bieszczad
The comment here says it's used in the encrypter. I found it here and here used with openssl_encrypt and openssl_decrypt. Without that key you cannot decrypt anything encrypted with those two functions, like session cookies stored on the user's computer. If they weren't encrypted, anyone with access to them could log in to the application as you.
Answer by Erfan Ghezelbash
Where it is used:
Every Laravel component using encryption (not hashing) in your application uses APP_KEY (sessions, CSRF tokens and cookies).
Where it is not used:
Where Laravel uses hashing, like passwords and password_reset_token.
So, changing APP_KEY doesn't cause any problems for your passwords or password_reset tokens.
How it works:
APP_KEY is a private string (encryption_key) in your application that nobody else knows about. So, if only your application knows the key, only your application can decrypt data that is encrypted by this key. This is how its security works.
For more information about how it works functionally you can simply check this file in your project: EncryptionServiceProvider.php
Some best practices are:
- Only store it in the .env file. (Do not store it in config/app.php or any Git-tracked files.)
- Change it only when these situations appear:
  - You find out that your key may be leaked (so others can decrypt your data).
  - You want to log out all users (users managed by session, not API tokens).
  - You want to invalidate cookies.
Answer by Iftikhar uddin
Actually the Application Key is used for all the encrypted data in Laravel. If the application key is not configured in .env, all your sessions and other encrypted data will not be secure!
For more, search the Laravel docs for "application key".
Answer by user3678907
App Key is used for all encrypted data, like sessions, password, remember token etc. Passwords saved with Hash::make() will no longer be valid after you create an app key with key:generate.
Answer by Oğuz Can Sertel
If you look at the Laravel core, there is an Encrypter class (namespace Illuminate\Encryption) which uses app_key. And there is a method which is
/**
 * Encrypt the given value.
 *
 * @param  mixed  $value
 * @param  bool   $serialize
 * @return string
 *
 * @throws \Illuminate\Contracts\Encryption\EncryptException
 */
public function encrypt($value, $serialize = true)
{
    $iv = random_bytes(openssl_cipher_iv_length($this->cipher));

    // First we will encrypt the value using OpenSSL. After this is encrypted we
    // will proceed to calculating a MAC for the encrypted value so that this
    // value can be verified later as not having been changed by the users.
    $value = \openssl_encrypt(
        $serialize ? serialize($value) : $value,
        $this->cipher, $this->key, 0, $iv
    );

    if ($value === false) {
        throw new EncryptException('Could not encrypt the data.');
    }

    // Once we get the encrypted value we'll go ahead and base64_encode the input
    // vector and create the MAC for the encrypted value so we can then verify
    // its authenticity. Then, we'll JSON the data into the "payload" array.
    $mac = $this->hash($iv = base64_encode($iv), $value);

    $json = json_encode(compact('iv', 'value', 'mac'));

    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new EncryptException('Could not encrypt the data.');
    }

    return base64_encode($json);
}
And this method is used in 2 places, for sessions and cookies. Here are the methods.
This is for the session:
/**
 * Prepare the serialized session data for storage.
 *
 * @param  string  $data
 * @return string
 */
protected function prepareForStorage($data)
{
    return $this->encrypter->encrypt($data);
}
And this is for the cookies:
/**
 * Encrypt the cookies on an outgoing response.
 *
 * @param  \Symfony\Component\HttpFoundation\Response  $response
 * @return \Symfony\Component\HttpFoundation\Response
 */
protected function encrypt(Response $response)
{
    foreach ($response->headers->getCookies() as $cookie) {
        if ($this->isDisabled($cookie->getName())) {
            continue;
        }

        $response->headers->setCookie($this->duplicate(
            $cookie, $this->encrypter->encrypt($cookie->getValue(), static::serialized($cookie->getName()))
        ));
    }

    return $response;
}
Of course there are also other packages using their own crypto methods, such as Swift Mailer in the vendor folder.
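The Encrypter quoted above, reduced to a stand-alone script, as an added example that is not Laravel's own code and not from any of the answers: it re-creates the payload format (base64 of a JSON object with iv, value and mac, where mac is HMAC-SHA256 over base64(iv) concatenated with the base64 ciphertext, keyed with APP_KEY) and then exercises the points the answers make: whoever holds APP_KEY can read a session cookie, a modified payload is rejected by the MAC check before anything is decrypted, rotating the key makes every existing payload unreadable, and a bcrypt hash as produced by password_hash() (which Hash::make() wraps) is untouched by the rotation. Assumptions: the cipher is AES-256-CBC with a 32-byte key in the `base64:...` form that `php artisan key:generate` writes to .env (Laravel's EncryptionServiceProvider strips that prefix and base64-decodes the rest); the serialize() step is skipped, so values are raw strings, which is how the cookie middleware above treats the session cookie; the `tag` field and the per-cookie-name prefix that later Laravel versions add are not handled; the keys, session id and password are constructed for the demo.

```php
<?php
// Added example, not Laravel's own code: a stand-alone re-creation of the
// payload built by Illuminate\Encryption\Encrypter::encrypt() above
// (base64 of JSON {iv, value, mac}, mac = HMAC-SHA256(base64(iv) . ciphertext, key)).
// Assumptions: AES-256-CBC with a 32-byte key, no serialize() step, no "tag"
// field; all keys and values below are constructed for the demo.
declare(strict_types=1);

const CIPHER = 'AES-256-CBC';

/** Turn an APP_KEY as written to .env ("base64:..." or a raw string) into raw key bytes. */
function keyFromEnv(string $appKey): string
{
    if (strncmp($appKey, 'base64:', 7) === 0) {
        $raw = base64_decode(substr($appKey, 7), true);
        if ($raw === false) {
            throw new InvalidArgumentException('APP_KEY is not valid base64.');
        }
        return $raw;
    }
    return $appKey;
}

/** Encrypt $plaintext the way Encrypter::encrypt() does, minus serialization. */
function laravelEncrypt(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $value = openssl_encrypt($plaintext, CIPHER, $key, 0, $iv); // options=0 => base64 output
    if ($value === false) {
        throw new RuntimeException('Could not encrypt the data.');
    }
    $iv64 = base64_encode($iv);
    $mac = hash_hmac('sha256', $iv64 . $value, $key); // what Encrypter::hash() computes
    return base64_encode(json_encode(['iv' => $iv64, 'value' => $value, 'mac' => $mac]));
}

/** Decrypt a payload; null when it is malformed, the MAC does not match, or decryption fails. */
function laravelDecrypt(string $payload, string $key): ?string
{
    $json = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($json) || !isset($json['iv'], $json['value'], $json['mac'])
        || !is_string($json['iv']) || !is_string($json['value']) || !is_string($json['mac'])) {
        return null;
    }
    // Check the MAC first (constant-time) so a tampered ciphertext never reaches openssl_decrypt().
    $expected = hash_hmac('sha256', $json['iv'] . $json['value'], $key);
    if (!hash_equals($expected, $json['mac'])) {
        return null;
    }
    $plain = openssl_decrypt($json['value'], CIPHER, $key, 0, base64_decode($json['iv']));
    return $plain === false ? null : $plain;
}

/** Print a labelled result and stop on the first failure. */
function check(string $label, bool $ok): void
{
    echo ($ok ? 'OK   ' : 'FAIL ') . $label . PHP_EOL;
    if (!$ok) {
        exit(1);
    }
}

// --- Demo with constructed keys and data ---
$oldKey = 'base64:' . base64_encode(random_bytes(32)); // the form `php artisan key:generate` writes
$newKey = 'base64:' . base64_encode(random_bytes(32)); // the key after a rotation

$sessionId = 'constructed-session-id-123';
$cookie    = laravelEncrypt($sessionId, keyFromEnv($oldKey));

// 1. APP_KEY alone is enough to read (or forge) a session cookie.
check('correct key decrypts the cookie', laravelDecrypt($cookie, keyFromEnv($oldKey)) === $sessionId);

// 2. Changing a single ciphertext character is caught by the MAC, so nothing is decrypted.
$parts = json_decode(base64_decode($cookie), true);
$parts['value'][0] = $parts['value'][0] === 'A' ? 'B' : 'A';
$tampered = base64_encode(json_encode($parts));
check('tampered payload is rejected', laravelDecrypt($tampered, keyFromEnv($oldKey)) === null);

// 3. After a key rotation the old cookie is unreadable: every session is effectively logged out.
check('old cookie unreadable after rotation', laravelDecrypt($cookie, keyFromEnv($newKey)) === null);

// 4. A bcrypt hash (what Hash::make() produces) never used APP_KEY, so rotation does not affect logins.
$hash = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
check('password hash still verifies', password_verify('correct horse battery staple', $hash));
```

Run it with `php script.php`; every line should print OK, and the script exits non-zero on the first check that fails. Two design points carry over to any code that consumes Laravel payloads: the MAC is compared with hash_equals() before the ciphertext is touched, and a key that leaks (for example through a committed .env file) lets the holder both decrypt and forge session cookies, which is why the answers above recommend rotating APP_KEY on suspected exposure and accepting the resulting logout of all session users.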