Configuring ACP encryption keys
Instructions on configuring ACP encryption keys
ACP encrypts sensitive data, such as client secrets or identity provider credentials, and stores it in the database as JWE (JSON Web Encryption).
Configuration
There are two ways to configure encryption keys in ACP.
Using flags
Note
This method lets you configure a single key only.
Use --secret-id to set the secret ID and --secret-key to set the key in the ACP start command.
Using config
Note
Use this method if you need to rotate a key.
Remove the --secret-id and --secret-key flags and add the following code to your config:
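secrets:
  # First entry: master key, used for encryption
  - id: "2"
    key: "FmIQrzqf7dT57SjVH3g52SEVx45WH9pE"
  # Later entries: rotated keys, used to decrypt data encrypted with the old master key
  - id: "1"
    key: "ExsrFU9usNyaUbLlIRZE8Zygw1Lq14nn"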
Master key vs rotated key
The first key in the list is the master key, which is used for encryption. The other keys are rotated keys, which are used to decrypt data that was encrypted with the old master key.
Key rotation
To rotate the encryption key, add a new key to the secrets list in the config.
The new encryption key must be the first key on the list.
Note
Make sure that all keys have unique IDs.
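The rotation rules above (new key first, old keys kept for decryption, unique IDs) can be checked before a config is deployed. The following is an added example, not ACP code: the function names, the 32-character generated key (chosen to match the shape of the sample keys on this page) and the key-reuse check are assumptions, and the input is the already-parsed secrets list.

```python
import secrets as rng
import string

ALPHABET = string.ascii_letters + string.digits

def validate(keys):
    """Return a list of problems found in a parsed `secrets:` list."""
    problems = []
    if not keys:
        problems.append("no keys configured: there is no master key")
    seen_ids, seen_keys = set(), set()
    for pos, entry in enumerate(keys):
        kid, key = entry.get("id"), entry.get("key")
        if not kid or not key:
            problems.append(f"entry {pos}: id and key are both required")
            continue
        if kid in seen_ids:  # the page requires unique IDs
            problems.append(f"entry {pos}: duplicate id {kid!r}")
        if key in seen_keys:  # extra check, not stated on the page
            problems.append(f"entry {pos}: key material reused")
        seen_ids.add(kid)
        seen_keys.add(key)
    return problems

def rotate(keys, new_id, new_key=None):
    """Return a new list with the new master key first; old keys stay for decryption."""
    if new_key is None:
        # Assumption: 32 alphanumeric characters, like the sample keys on this page.
        new_key = "".join(rng.choice(ALPHABET) for _ in range(32))
    rotated = [{"id": new_id, "key": new_key}] + [dict(e) for e in keys]
    problems = validate(rotated)
    if problems:
        raise ValueError("; ".join(problems))
    return rotated

def render(keys):
    """Render the list as the YAML fragment used in the ACP config."""
    lines = ["secrets:"]
    for e in keys:
        lines += [f'  - id: "{e["id"]}"', f'    key: "{e["key"]}"']
    return "\n".join(lines)

# Constructed sample input: the two-key list shown on this page.
CURRENT = [
    {"id": "2", "key": "FmIQrzqf7dT57SjVH3g52SEVx45WH9pE"},
    {"id": "1", "key": "ExsrFU9usNyaUbLlIRZE8Zygw1Lq14nn"},
]

if __name__ == "__main__":
    print(render(rotate(CURRENT, "3")))
```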