Selecting cipher algorithm
Currently, Ory Identities (Kratos) supports encryption and decryption for OIDC tokens only. You can choose one of these algorithms:
Noop
Noop is the default cipher. It doesn't apply an encryption algorithm, so you don't need to set secrets.
path/to/kratos/config.yml
ciphers:
  algorithm: noop
XChaCha20 Poly1305
Apply the following configuration to use XChaCha20 Poly1305:
path/to/kratos/config.yml
secrets:
  cipher:
    - 32-CHARACTER-LONG-STRING-SECRET
ciphers:
  algorithm: xchacha20-poly1305
You must set up secrets key rotation. Secrets must be 32-character-long strings.
AES
Apply the following configuration to use AES:
path/to/kratos/config.yml
secrets:
  cipher:
    - 32-CHARACTER-LONG-STRING-SECRET
ciphers:
  algorithm: aes
You must set up secrets key rotation. Secrets must be 32-character-long strings.
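The following is an added example, not part of the Ory documentation or the Kratos code base: a Python sketch that generates a 32-character secret from a CSPRNG and checks an already-parsed config against the rules stated in the XChaCha20 Poly1305 and AES sections above. The function names, the parsed-dict input and the distinct-character heuristic are assumptions made for illustration.

```python
import secrets
import string

SUPPORTED = {"noop", "xchacha20-poly1305", "aes"}  # algorithms listed on this page
SECRET_LEN = 32  # the page requires 32-character-long secrets


def generate_cipher_secret() -> str:
    """Return a random 32-character secret drawn from the OS CSPRNG.

    Only ASCII letters and digits are used, so 32 characters are also 32 bytes.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(SECRET_LEN))


def check_cipher_config(cfg: dict) -> list[str]:
    """Return the problems found in the cipher settings of a parsed config."""
    algorithm = (cfg.get("ciphers") or {}).get("algorithm", "noop")  # noop is the default
    if algorithm not in SUPPORTED:
        return [f"unsupported algorithm: {algorithm!r}"]
    if algorithm == "noop":
        return ["noop selected: OIDC tokens are stored without encryption"]

    problems = []
    cipher_secrets = (cfg.get("secrets") or {}).get("cipher") or []
    if not cipher_secrets:
        problems.append(f"{algorithm} requires at least one entry in secrets.cipher")
    for i, value in enumerate(cipher_secrets):
        if not isinstance(value, str) or len(value) != SECRET_LEN:
            problems.append(f"secrets.cipher[{i}] is not a {SECRET_LEN}-character string")
        elif len(set(value)) < 8:  # assumption: crude low-variety heuristic
            problems.append(f"secrets.cipher[{i}] has few distinct characters")
    if len(set(map(str, cipher_secrets))) != len(cipher_secrets):
        problems.append("secrets.cipher contains duplicate entries")
    return problems


if __name__ == "__main__":
    # Constructed sample: the docs placeholder copied verbatim is only 31 characters.
    sample = {
        "secrets": {"cipher": ["32-CHARACTER-LONG-STRING-SECRET"]},
        "ciphers": {"algorithm": "xchacha20-poly1305"},
    }
    for problem in check_cipher_config(sample):
        print("problem:", problem)
    print("generated secret length:", len(generate_cipher_secret()))
```

Run the check in CI against the rendered config so a placeholder or a short secret is caught before deployment; keep generated secrets out of version control.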