Add note on encryption

docs/deployments/vercel.md

@@ -28,7 +28,9 @@ This guide assumes you've already setup your account on [quirrel.dev](https://qu
 
 3. In the [Vercel Dashboard](https://vercel.com), paste it into the `QUIRREL_TOKEN` environment variable.
 
-<img src={require("./vercel-env-vars.png").default} style={{ maxWidth: "500px"}}/>
+<img src={require("./vercel-env-vars.png").default} style={{ maxWidth: "500px" }}/>
+
+4. [Set up Encryption](/encryption)
 
 <br/>
 <br/>

docs/encryption.md

@@ -0,0 +1,11 @@
+---
+title: Configuring Encryption
+---
+
+Production deployments are required to use end-to-end-encryption.
+
+1. Generate your 32-character-long secret.
+    `openssl rand -hex 16` or 
+    [random.org](https://www.random.org/strings/?num=2&len=16&digits=on&upperalpha=on&loweralpha=on&unique=on&format=html&rnd=new) works great.
+1. Set the `QUIRREL_ENCRYPTION_SECRET` environment variable to your secret.
+

docs/faq.md

@@ -0,0 +1,15 @@
+---
+title: FAQ
+---
+
+## My encryption secret has been leaked. What now?
+
+First of all: Don't panic. The leaked encryption key allows attackers to read the payload of pending jobs, but only if they *also* gained access to your Quirrel API deployment ([managed](https://quirrel.dev) or self-hosted).
+
+Replacing your leaked secret with a new one, do the following:
+
+1. Set the `QUIRREL_OLD_SECRETS` environment variable to `["<your-leaked-secret>"]`. This will allow old jobs to be decrypted.
+2. Set `QUIRREL_ENCRYPTION_SECRET` to your new secret.
+3. Once all jobs that were encrypted with the old secret executed, remove `QUIRREL_OLD_SECRETS`.
+
+If you're using the managed Quirrel deployment, feel free to [reach out](mailto:info@quirrel.dev) to get further assistance.

sidebars.js

@@ -3,11 +3,13 @@ module.exports = {
     "getting-started",
     "development-ui",
     "api-reference/next",
+    "encryption",
     {
       type: "category",
       label: "Deployment",
       collapsed: false,
       items: ["deployments/vercel"],
     },
+    "faq",
   ],
 };