From 632f0397ff7673608491af32fbb69be05bc4be6e Mon Sep 17 00:00:00 2001 From: nscuro Date: Sat, 2 May 2026 23:57:10 +0200 Subject: [PATCH] Mention KEK requirement in production deployment guide Signed-off-by: nscuro --- docs/guides/administration/deploying-to-production.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/guides/administration/deploying-to-production.md b/docs/guides/administration/deploying-to-production.md index b16328b..12bd177 100644 --- a/docs/guides/administration/deploying-to-production.md +++ b/docs/guides/administration/deploying-to-production.md @@ -81,6 +81,13 @@ Manage two classes of secrets separately: Dependency-Track's runtime secret store. See [Configuring secret management](configuring-secret-management.md) for the supported backends. +The database secret provider uses envelope encryption: each secret has its own data encryption key (DEK), +and a key encryption key (KEK) protects the DEKs. By default, each instance generates a KEK keyset file +on disk on first startup. All instances in the cluster must share the same KEK, and refuse to start when +they detect a mismatch. Provision a keyset file once and mount it into +every instance, or supply the KEK directly via environment variable. See +[Configuring secret management](configuring-secret-management.md#key-management) for both approaches. + ## Configure authentication Wire Dependency-Track to your identity provider. Local managed users are for evaluation only:
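Review bot: The new paragraph in the `@@ -81,6 +81,13 @@` hunk stops short of telling operators what the KEK's loss or exposure means, which is the main operational consequence of the envelope-encryption design it introduces. Since the KEK protects every DEK, a lost keyset file leaves every stored secret undecryptable, and a world-readable keyset file (or a KEK visible in the process environment) exposes all of them at once; consider adding one sentence after "Provision a keyset file once and mount it into every instance, or supply the KEK directly via environment variable." that says to back up the keyset outside the instance and restrict read access to it, and that the environment-variable route should only be used where the environment is not exposed to other processes or logs. Separately, the sentence "All instances in the cluster must share the same KEK, and refuse to start when they detect a mismatch." reads as if sharing and refusing were two requirements on the operator; rewording to "Instances that detect a KEK mismatch refuse to start." makes the subject clear. The mid-sentence line break before "every instance" is also shorter than the surrounding wrapped lines and could be rejoined.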