Configuring ACP encryption keys

Instructions on configuring ACP encryption keys

ACP encrypts sensitive data, such as client secrets or identity provider credentials, and stores it as JWE in the database.


There are two ways to configure encryption keys in ACP.

Using flags


This way you can configure a single key only.

Use --secret-id to set the secret ID and --secret-key to set the key in ACP start command.

Using config


Follow this way if you need to rotate a key.

Remove the --secret-id and --secret-key flags and add the following code to your config:

  - id: "2"
    key: "FmIQrzqf7dT57SjVH3g52SEVx45WH9pE"
  - id: "1"
    key: "ExsrFU9usNyaUbLlIRZE8Zygw1Lq14nn"

Master key vs rotated key

The first key is a master key used for encryption. The other keys are the rotated keys and are used to decrypt data encrypted using the old master key.

Key rotation

To rotate the encryption key, add a new key to the list of secrets keys in config.

The new encryption key needs to be the first key on the list.


Make sure that all keys have unique IDs.