Instructions from the following issue: ueberauth/guardian#136
This is what I did to generate a password protected JWK file (which contains the generated key):
mix phoenix.gen.secret
touch .jwk_file
The first line just generates a secret I'm using as a password. And .jwk_file is the file to store the jwk in. You can name it whatever you want.
iex -S mix phoenix.server
iex(1)> jwk = JOSE.JWK.generate_key({:ec, :secp521r1})
iex(2)> password = "The Secret we just generated"
iex(3)> file = ".jwk_file"
iex(4)> JOSE.JWK.to_file(password, file, jwk)
Then in your config.exs
config :guardian, Guardian,
  allowed_algos: ["ES512"], # optional
  verify_module: Guardian.JWT, # optional
  issuer: "MyApp",
  ttl: { 30, :days },
  verify_issuer: true, # optional
  secret_key: fn ->
    {jwe, jwk} =
      System.get_env("GUARDIAN_JWK_PASSPHRASE")
      |> JOSE.JWK.from_file(System.get_env("GUARDIAN_JWK_FILE"))
    jwk
  end,
  serializer: MyApp.GuardianSerializer
Of course you have to pass in your environment variables. So GUARDIAN_JWK_PASSPHRASE should be the password (secret generated earlier) and GUARDIAN_JWK_FILE should be '.jwk_file' in this example.
The pattern matching is used because JOSE.JWK.from_file/2 returns the jwk plus the standard jwe and we have to fish out the jwk. And we have to wrap it in an anonymous function because of the way the configuration is parsed (before everything else, so JOSE.JWK would not be available otherwise).
Had to use ES512 because the P-521 curve is not meant for HS. Not sure what's going on here; I need to learn more about it.
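As an added example (not code from the issue or from Guardian), the module below round-trips a passphrase-protected P-521 JWK through JOSE the same way the steps above do, signs a compact JWS with ES512, and shows why the allowed_algos allow-list matters: a token presented against a different algorithm family is rejected. It assumes the jose hex package is available; the module name, function names and the throwaway file path are mine.

```elixir
# Added example, not from the issue or Guardian. Assumes the `jose` package.
defmodule JwkSetup do
  # Step 1: generate a P-521 key and write it passphrase-encrypted to disk.
  def generate_and_store(passphrase, path) do
    jwk = JOSE.JWK.generate_key({:ec, :secp521r1})
    _ = JOSE.JWK.to_file(passphrase, path, jwk)
    jwk
  end

  # Step 2: the same closure Guardian's secret_key config uses. The passphrase
  # and path come from the environment so neither lands in version control.
  def load_from_env do
    {_jwe, jwk} =
      System.get_env("GUARDIAN_JWK_PASSPHRASE")
      |> JOSE.JWK.from_file(System.get_env("GUARDIAN_JWK_FILE"))
    jwk
  end

  # Sign a payload as a compact JWS with ES512 (ECDSA over P-521 with SHA-512).
  def sign(jwk, payload) do
    {_meta, compact} =
      jwk |> JOSE.JWS.sign(payload, %{"alg" => "ES512"}) |> JOSE.JWS.compact()
    compact
  end

  # Verify against an explicit allow-list, as Guardian does with allowed_algos.
  # Only the public half of the key is needed here; returns {true, payload}
  # when the token's alg is allowed and the signature checks out.
  def verify(jwk, compact, allowed \\ ["ES512"]) do
    case JOSE.JWS.verify_strict(JOSE.JWK.to_public(jwk), allowed, compact) do
      {true, payload, _jws} -> {true, payload}
      {false, _payload, _jws} -> {false, nil}
    end
  end

  # End-to-end run with a constructed passphrase and a temp file (hypothetical).
  def demo do
    path = Path.join(System.tmp_dir!(), "demo.jwk")
    passphrase = :crypto.strong_rand_bytes(32) |> Base.encode64()
    System.put_env("GUARDIAN_JWK_PASSPHRASE", passphrase)
    System.put_env("GUARDIAN_JWK_FILE", path)
    generate_and_store(passphrase, path)
    jwk = load_from_env()
    token = sign(jwk, ~s({"sub":"user:1"}))
    {true, ~s({"sub":"user:1"})} = verify(jwk, token)
    {false, nil} = verify(jwk, token, ["HS512"])  # HMAC family: rejected
    :ok
  end
end
```

Running `JwkSetup.demo()` in iex returns :ok; the last match fails loudly if an ES512 token were ever accepted under an HS allow-list.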