From 9d1f3e95f902485290e1d3bd5afacc2cd22e31b8 Mon Sep 17 00:00:00 2001
From: Simon Knott
Date: Fri, 9 Oct 2020 11:34:18 +0200
Subject: [PATCH] Add note on encryption
---
 docs/deployments/vercel.md | 4 +++-
 docs/encryption.md | 11 +++++++++++
 docs/faq.md | 15 +++++++++++++++
 sidebars.js | 2 ++
 4 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 docs/encryption.md
 create mode 100644 docs/faq.md
diff --git a/docs/deployments/vercel.md b/docs/deployments/vercel.md
index 771c2c0..8286dbb 100644
--- a/docs/deployments/vercel.md
+++ b/docs/deployments/vercel.md
@@ -28,7 +28,9 @@ This guide assumes you've already setup your account on [quirrel.dev](https://qu
 3. In the [Vercel Dashboard](https://vercel.com), paste it into the `QUIRREL_TOKEN` environment variable.
-
+
+
+4. [Set up Encryption](/encryption)

diff --git a/docs/encryption.md b/docs/encryption.md
new file mode 100644
index 0000000..7e9807f
--- /dev/null
+++ b/docs/encryption.md
@@ -0,0 +1,11 @@
+---
+title: Configuring Encryption
+---
+
+Production deployments are required to use end-to-end-encryption.
+
+1. Generate your 32-character-long secret.
+ `openssl rand -hex 16` or
+ [random.org](https://www.random.org/strings/?num=2&len=16&digits=on&upperalpha=on&loweralpha=on&unique=on&format=html&rnd=new) works great.
+1. Set the `QUIRREL_ENCRYPTION_SECRET` environment variable to your secret.
+
diff --git a/docs/faq.md b/docs/faq.md
new file mode 100644
index 0000000..c71c2fe
--- /dev/null
+++ b/docs/faq.md
@@ -0,0 +1,15 @@
+---
+title: FAQ
+---
+
+## My encryption secret has been leaked. What now?
+
+First of all: Don't panic. The leaked encryption key allows attackers to read the payload of pending jobs, but only if they *also* gained access to your Quirrel API deployment ([managed](https://quirrel.dev) or self-hosted).
+
+Replacing your leaked secret with a new one, do the following:
+
+1. Set the `QUIRREL_OLD_SECRETS` environment variable to `[""]`. This will allow old jobs to be decrypted.
+2. Set `QUIRREL_ENCRYPTION_SECRET` to your new secret.
+3. Once all jobs that were encrypted with the old secret executed, remove `QUIRREL_OLD_SECRETS`.
+
+If you're using the managed Quirrel deployment, feel free to [reach out](mailto:info@quirrel.dev) to get further assistance.
\ No newline at end of file
diff --git a/sidebars.js b/sidebars.js
index 90ac6c1..53ee5f8 100644
--- a/sidebars.js
+++ b/sidebars.js
@@ -3,11 +3,13 @@ module.exports = {
 "getting-started",
 "development-ui",
 "api-reference/next",
+ "encryption",
 {
 type: "category",
 label: "Deployment",
 collapsed: false,
 items: ["deployments/vercel"],
 },
+ "faq",
 ],
 };
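Review bot: A secret generated on random.org is known to a third party and crosses the network before it reaches the deployment, so step 1 of docs/encryption.md should not present that link as an equivalent of the local `openssl rand -hex 16`. I would drop the link and keep only the local command, e.g. `Generate your 32-character-long secret locally: openssl rand -hex 16`. It is also worth stating that 32 hex characters carry 128 bits of entropy; whether the characters are used directly as key bytes is not visible from this patch, so that should be confirmed against the implementation before the page promises a key strength.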
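Review bot: Step 1 of the rotation procedure in docs/faq.md gives the value of `QUIRREL_OLD_SECRETS` as `[""]`, which read literally is a list holding an empty string and would not let old jobs be decrypted. A placeholder for the leaked secret was presumably intended, something like `["<your-old-secret>"]`. The answer would also benefit from one sentence saying that jobs already enqueued stay readable with the leaked secret until they have executed, so rotation protects only payloads created afterwards. The lead-in reads better as `To replace your leaked secret with a new one, do the following:`.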