Showing 2 changed files with 35 additions and 1 deletion.
@@ -0,0 +1,33 @@ | ||
--- | ||
id: secret-key-rotation | ||
title: Secret and Key Rotation | ||
--- | ||
|
||
ORY Kratos needs secrets that are used for encrypting, decrypting, generating and validating signatures, and other | ||
cryptographic tasks. | ||
|
||
These secrets must have high entropy (>= 256 bit). It is also a good idea to rotate the keys every now and then. | ||
Assuming you have the following secrets configured | ||
|
||
```yaml title="path/to/kratos/config.yml | ||
secrets: | ||
default: | ||
- old-default-secret | ||
cookie: | ||
- old-cookie-secret | ||
``` | ||
and want to rotate these secrets, you would add the new secrets to the top of the list and keep the old secrets | ||
around. This allows the system to verify and decrypt things that have been signed/encrypted with the old secret, | ||
while generating new signatures and encrypting new things using the new secret: | ||
```yaml title="path/to/kratos/config.yml | ||
secrets: | ||
default: | ||
- new-default-secret | ||
- old-default-secret | ||
cookie: | ||
- new-cookie-secret | ||
- old-cookie-secret | ||
``` | ||
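Review bot: both fenced blocks open with `title="path/to/kratos/config.yml` and never close the quote, so the title attribute will not render; change both to `title="path/to/kratos/config.yml"`. The second fence also follows `using the new secret:` with no blank line, which some Markdown renderers need to start a code block, and the first fence is preceded by `Assuming you have the following secrets configured` with no terminating punctuation. Separately, the text explains adding the new secret at the top of the list so old signatures and ciphertexts still verify, but it never says when the old secret may be removed; a sentence stating that the old entry should stay until everything signed or encrypted with it has expired or been re-issued would complete the rotation procedure.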