Skip to main content

Secret and Key Rotation

Ory Kratos needs secrets that are used for encrypting, decrypting, generating and validating signatures, and other cryptographic tasks.

These secrets must have high entropy (>= 256 bit). It is also a good idea to rotate the keys every now and then. Assuming you have the following secrets configured

"path/to/kratos/config.yml
secrets:
default:
- old-default-secret
cookie:
- old-cookie-secret
cipher:
- old-32-long-secret-key

and want to rotate these secrets, you would add the new secrets to the top of the list and keep the old secrets around. This allows the system to verify and decrypt things that have been signed/encrypted with the old secret, while generating new signatures and encrypting new things using the new secret:

"path/to/kratos/config.yml
secrets:
default:
- new-default-secret
- old-default-secret
cookie:
- new-cookie-secret
- old-cookie-secret
cipher:
- new-secret-key
- old-secret-key

The cipher secrets are use for now to encrypt and decrypt tokens from oidc authentication method.