I'm currently using a master key stored in my .env file to encrypt user data in my Laravel app. The encryption process happens during each call, which means I could potentially read the user data myself. I'm looking for a method that completely prevents admin access or any possibility of a bad actor getting to the secured entries. It's important that any solution I consider is not too cumbersome for the end users. Any advice would be greatly appreciated!
4 Answers
A good approach I’ve found is to encrypt user data with keys tied to their passwords, ensuring that only they can decrypt their information—admins won’t have access. Laravel doesn’t handle this right out of the box, so it would need to be implemented in the frontend, or you could go with user-generated keys. It does require some extra setup, but it maintains strong data privacy without too much hassle for users.
You might want to set specific columns as hidden in your models. That way, they aren’t easily accessible to anyone, including admins. Ideally, this doesn't have to be a big lift for your app but would help in keeping sensitive data more secure.
Utilizing Linux permissions, users, and groups could also be a solution. I’m managing things as a non-root user, but I also appreciate the idea of having a complete zero-access protocol that can’t be bypassed, even by root access. However, it sounds like you're wary of making users handle complex key management like PGP, which is a valid concern!
One option to ensure you can't access user data is to have it encrypted using a key that the user holds personally. However, this might require substantial changes to your application since the server won’t be able to see the actual data, putting more work on the client side. Plus, if a user loses their key, there's no way for them to recover their data. It's definitely a trade-off to consider!