
Selecting cipher algorithm

Currently, the Ory Identity Service (Kratos) supports encryption and decryption for OIDC tokens only. You can choose one of these algorithms:

Noop

Noop is the default cipher. It applies no encryption algorithm, so you don't need to set secrets.

path/to/kratos/config.yml
ciphers:
  algorithm: noop

XChaCha20 Poly1305

Apply the following configuration to use XChaCha20 Poly1305:

path/to/kratos/config.yml
secrets:
  cipher:
    - 32-CHARACTER-LONG-STRING-SECRET
ciphers:
  algorithm: xchacha20-poly1305

You must set up secrets key rotation. Secrets must be 32-character-long strings.

AES

Apply the following configuration to use AES:

path/to/kratos/config.yml
secrets:
  cipher:
    - 32-CHARACTER-LONG-STRING-SECRET
ciphers:
  algorithm: aes

You must set up secrets key rotation. Secrets must be 32-character-long strings.
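
What a rotated list of 32-character cipher secrets means in practice for the AES option, as an added example in Go that is not Kratos's own code. It assumes AES-256-GCM with the secret's 32 bytes used directly as the key, and assumes the first entry of secrets.cipher encrypts while every entry is tried for decryption; the helper names and both secrets are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds AES-256-GCM from one secret: 32 characters give the 32-byte key.
func newGCM(secret string) (cipher.AEAD, error) {
	if len(secret) != 32 {
		return nil, fmt.Errorf("cipher secret must be 32 characters, got %d", len(secret))
	}
	block, _ := aes.NewCipher([]byte(secret)) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// Encrypt seals a token under one secret and returns nonce || ciphertext || tag.
func Encrypt(secret, token string) ([]byte, error) {
	aead, err := newGCM(secret)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(token), nil), nil
}

// Decrypt tries every listed secret, so values sealed under an older key still open.
func Decrypt(secrets []string, sealed []byte) (string, error) {
	for _, s := range secrets {
		aead, err := newGCM(s)
		if err == nil && len(sealed) >= aead.NonceSize() {
			n := aead.NonceSize()
			if pt, err := aead.Open(nil, sealed[:n], sealed[n:], nil); err == nil {
				return string(pt), nil
			}
		}
	}
	return "", fmt.Errorf("no configured secret decrypts this value")
}

func main() {
	old, cur := "constructed-old-secret-32-chars!", "constructed-new-secret-32-chars!"
	sealed, _ := Encrypt(old, "sample-oidc-token") // written before rotation
	fmt.Println(Decrypt([]string{cur, old}, sealed))
}
```

Removing the old secret from the list makes every token sealed under it undecryptable, which is why rotation keeps retired secrets after the new first entry.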