There are two types of key rotation:
- Rotation of JSON Web Token Signing Keys
- Rotation of HMAC Token Signing and Database and Cookie Encryption Keys
JSON Web Token Signing Key rotation is simple with ORY Hydra. You can rotate OpenID Connect ID Token and OAuth 2.0 Access Tokens, when using the JSON Web Token strategy, keys with one simple command.
ORY Hydra takes the latest key from the key store to sign JSON Web Tokens. All
public keys will be shown at
This will only work when using the JWT access token strategy. Otherwise, this will have no effect.
Rotating database encryption keys is done by prepending the new encryption key to the respective configuration value. Assuming configuration
one would add the new keys as follows
It is very important that the new key is the first entry in the list as only the first key is used for encryption while all keys from the list are used for decryption. Please note that existing data will not be automatically re-encrypted using the new key. Only new data will be signed and encrypted using the new key. It is therefore imperative that the old key is added to the list, unless you want to also invalidate all data that was signed or encrypted using the old key.