From 6db309f796f915285c0b3274be8aff06cbdb8fe5 Mon Sep 17 00:00:00 2001 From: "Kai A. Hiller" Date: Mon, 2 Jun 2025 18:08:39 +0200 Subject: [PATCH] Document secrets.encryption_file Signed-off-by: Kai A. Hiller --- docs/reference/configuration.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md index 2303e889e..389cd5a7d 100644 --- a/docs/reference/configuration.md +++ b/docs/reference/configuration.md @@ -232,6 +232,21 @@ secrets: -----END EC PRIVATE KEY----- ``` +### `secrets.encryption{_file}` + +The encryption secret used for encrypting cookies and database fields. It takes +the form of a 32-bytes-long hex-encoded string. To provide the encryption secret +via file, set `secrets.encryption_file` to the file path; alternatively use +`secrets.encryption` for declaring the secret inline. The options +`secrets.encryption_file` and `secrets.encryption` are mutually exclusive. + +If given via file, the encyption secret is only read at application startup. +The secret is not updated when the content of the file changes. + +> ⚠️ **Warning** – Do not change the encryption secret after the initial start. +> Changing the encryption secret afterwards will lead to a loss of all +> information stored in the database. + ### `secrets.keys` The service can use a number of key types for signing.
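Review bot: In the first added paragraph under `secrets.encryption{_file}`, "a 32-bytes-long hex-encoded string" is ambiguous: it can be read as 32 hex characters or as 32 bytes encoded as 64 hex characters. State the expected length explicitly, for example "a 32-byte value, hex-encoded (64 hexadecimal characters)", matching whichever form the configuration parser actually enforces. In the second added paragraph, "encyption" should be "encryption". That paragraph also does not say whether a trailing newline in the file is tolerated, which is worth documenting either way since most editors write one. Finally, the warning says a change loses "all information stored in the database", while the first paragraph scopes the secret to "cookies and database fields"; wording the warning to match would tell operators which data becomes unreadable.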