diff --git a/.gpg-keys/README.md b/.gpg-keys/README.md
new file mode 100644
index 0000000..89588ab
--- /dev/null
+++ b/.gpg-keys/README.md
@@ -0,0 +1,47 @@
+# Initial set-up
+
+On a new laptop, generate new key pair:
+```
+gpg --generate-key
+```
+
+Find the new key and note the fingerprint:
+```
+gpg --list-keys
+
+[keyboxd]
+---------
+pub rsa3072 2024-05-30 [SC] [expires: 2031-05-29]
+ 4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
+uid [ unknown] Greg Matoga (Test Key)
+sub rsa3072 2024-05-30 [E] [expires: 2031-05-29]
+```
+
+Export the public part and place in this directory:
+```
+export FINGER_PRINT=4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
+gpg --export --armor $FINGER_PRINT > .gpg-keys/new-key.asc
+```
+
+Ensure all public keys are imported:
+```
+for key in .gpg-keys/*.asc; do
+ gpg --import "$key"
+done
+```
+
+Now, in order to reencode the vault with new key:
+```
+sops -r -i --add-pgp $FINGER_PRINT tf-secret.enc.json
+```
+
+It should add the fingerprint to the `.sops.yaml`:
+
+```yaml
+creation_rules:
+ - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
+```
+
+This will reencode all values with new master key and put public keys into the file. For other
+options, check [doc adding or removing keys](https://github.com/getsops/sops?tab=readme-ov-file#27adding-and-removing-keys). Note that there might be some differences in the command options (e.g. `-r` instead of positional argument `rotate`).
+
diff --git a/.sops.yaml b/.sops.yaml
index ac61d45..1963807 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,3 +1,2 @@
 creation_rules:
- - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318
- - pgp: 4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
\ No newline at end of file
+ - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
\ No newline at end of file
diff --git a/tf-secret.enc.json b/tf-secret.enc.json
index d39b3c3..ef3c6ea 100644
--- a/tf-secret.enc.json
+++ b/tf-secret.enc.json
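Review bot: The new rule line still leaves the file without a trailing newline (`\ No newline at end of file` remains on the new side), so the next edit will again show a spurious one-line diff; add the newline. The merged form is the right fix: the old two `- pgp:` items were two separate creation rules, and since neither carried a `path_regex`, sops appears to match the first rule for every file, so the second fingerprint was never actually a recipient. A comment such as `# all recipients of a rule go on ONE comma-separated pgp: line; a second list item is a separate rule` next to the line would keep that regression from coming back. Note that with no `path_regex` this rule also applies to every file under the tree, which is fine for a single vault but worth scoping if other sops files are added.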
@@ -1,8 +1,8 @@
 {
- "proxmox_password": "ENC[AES256_GCM,data:nJh4OA782Rl9QGZuWw+AuoeSC9XlDA==,iv:og2UtENmuPFQy2YqcLWYWQpIQPQM4RU0jKEvfLsrVGs=,tag:C0SDWmy05M1HFv/aBhYtIw==,type:str]",
- "password": "ENC[AES256_GCM,data:hii1,iv:0343llG5iReX09ZKJ66DD83T5O8JjvqHlIJ86KmD4kc=,tag:dn9U7cszGrXPxS5xBX99RA==,type:str]",
+ "proxmox_password": "ENC[AES256_GCM,data:uxE9yb3oNK14Vkg0U2BKenl1xWmxoQ==,iv:og2UtENmuPFQy2YqcLWYWQpIQPQM4RU0jKEvfLsrVGs=,tag:FCXWwZMuzbuAtC7k4S/7bw==,type:str]",
+ "password": "ENC[AES256_GCM,data:RR+W,iv:0343llG5iReX09ZKJ66DD83T5O8JjvqHlIJ86KmD4kc=,tag:e7LpqdxoBrXbghIIy+bgmQ==,type:str]",
 "db": {
- "password": "ENC[AES256_GCM,data:kIuf,iv:WmfIzsMrs5b6jjUOJM6xbqEmh0uyrLYd55CIOQPvtV0=,tag:7WtA3+aOYFvSjiSfLnLT/w==,type:str]"
+ "password": "ENC[AES256_GCM,data:VHaM,iv:WmfIzsMrs5b6jjUOJM6xbqEmh0uyrLYd55CIOQPvtV0=,tag:NNVJQJWrHE8Cy1Esd+KUuA==,type:str]"
 },
 "sops": {
 "kms": null,
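Review bot: The `data:` fields of the new `password` and `db.password` values (`RR+W`, `VHaM`) decode to 3 bytes, and AES-GCM does not hide plaintext length, so anyone who can read this committed file can tell those two secrets are three characters long; if they are real credentials they should be regenerated with adequate length before being stored, and if they are placeholders a sentence saying so in `.gpg-keys/README.md` would avoid a false alarm. `proxmox_password` is 22 bytes and does not raise the same concern. The `iv:` values being unchanged while `data:` and `tag:` changed is consistent with the data key itself having been rotated (as `sops -r` does) rather than only re-wrapped, which is the expected and safe outcome — nonce uniqueness only matters under one key.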
@@ -10,13 +10,18 @@
 "azure_kv": null,
 "hc_vault": null,
 "age": null,
- "lastmodified": "2024-06-01T22:42:11Z",
- "mac": "ENC[AES256_GCM,data:BBS5KtNAnzlqToHimjfjU6J2Z0XKKuLi/7To0DVKqFSn9cXK2AB6Fl6Kpb/mdaIzl/S1iHb8Auz73RhRhdG+WmgzfiXR0SX8tcjE80tE3yZ7kgdIF6wCgIwaibC60grqvuHCdJ6l8fFKftqzfotA+clDt4fWr/fYvJiuG3Y1Snc=,iv:I/w1EmYpfX0E5xEIiaVGrZsLX3Tpf+x/NdZJiJUmfwY=,tag:/042ByDamZMRXF2Q/c9a2w==,type:str]",
+ "lastmodified": "2024-06-09T17:52:21Z",
+ "mac": "ENC[AES256_GCM,data:SUgdRh6dDy2XoMPNBInbu0Ge8D7ZBbd1Mm2Z3+9wSEmGSVR/coTlBvHHmriiBIrn2pFbzqg6CkVelbASY3jGLuZzxnNzfZs5uvinCX5hyTT2YQpDo3oawI5JR9Mz9V9vQYirOCs/lBfegnBLULN7v9peIocAjiw4p8lIjQt39rE=,iv:iMLLktv1gbIipi8/E4LYAxPqSI+igH912HxKXDNx4DE=,tag:ZK4E/k/aDsAST1UdOw+yHQ==,type:str]",
 "pgp": [
 {
 "created_at": "2024-06-01T22:06:19Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMAyzbm9WLP+K6AQv/f+yWwcyzlRVpwiA5mzehC582YdXqUkGJ7lTo/L7iYvs+\nKLSi+DOqpN6ytG2sg+7Yoc1HiFLcjYOi/ZWjDSnawbLyVdfr8k84YfD5t7P+bpG2\nMUOZZ94nQMRTAOmWho5tWo5SccXMewi1GQ5h4zzqwXqAf1wPXjzABllXDHuFCndO\nOp/DqpkoR/zleMV7h6qO4g5y9B4mridyy3CLQ2ANKxHrEatYhUgglUnjlrKuZo6V\nWAhIug0opSuY30fzSaJwnP5DOIGBx4BXsp6OfTQBa9rzjDErhuXqpyBhqZKUb+z5\nxeZxTQcrs5xrlCmqhg5eeb2C3MpmVxQNa3C/qlBvK+8fzSSM9to8yFNjlOReI08C\nuuDiLdqHkOglnm3lbH5zznYezNFQDpgAukhC+bX4YE202/6+1CCDvb/1b8OSi+0k\nmISaDcoDyJvGgpcfu9fSmfQDqF9iuPyqGhv+9mw6O997FeYgFFmkKfLOV3j/dzR6\nYAihSv75/JDE33bm1kR01GYBCQIQPAXgIJ3ZO5CLKJUqRZOIq0HYHJe8nGPe20P/\nhAD7mtbac92BKR/Eth0CTQxbTTAWH8uHZvzvSOkXoa9DHhwRt/9YWZlwRHEy/Fx0\nX5I/xPtN92yuPuoTaYUu2XSvazWFhEQ=\n=xCKS\n-----END PGP MESSAGE-----",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMAyzbm9WLP+K6AQv/UzX28IkisSvAfx8Kls5949X5bHGb+9fkW+UZK7YTQzjl\niSyLJyaupWtZuFEUqPJDor+Er1xLJMOYxPvmp/OFZKdWjJho5HAtJD94rrj6NgtJ\njwi7HcKcTid5PnceTW099sFv0YrIJRREIDOJ62Yg6rIGZVQogH4SSF2dRJ8p3cNv\ne18Oq7Ft8wBsApmy34hBDXN/WRvtifb8zdloPCo8axnyTp9WntqiyflBJMi+ZUry\ns9gYp6g7/ae5MyZDjcuHhU5/ZKRBMblzuakHJtSLvrY8GjU7U0F9FlMCpSg+HEJT\nnOf+T2BpPPATqzei/cEn7tC4+ZGm/uqW43uNdgi0D5NRSuRhwzRPE19WI4HO31qK\nbELRK4TPj6KMLegjAIY7cPdkbXVleRKoyAgi9iaB/sVDi0yMkgTomfeLjXlF6GSj\n5fVxSj2cM7DxBg8JIyQyuHTdy860+nJPcuJQ3Jzuv+W5ZNrNMu9en/GgGOH1BKXt\nZaZand3PYVgKHI3W26bx1GgBCQIQwXjm71M7ARtmca+0Kp7GridQf91OQ2mSOqXy\nYXvh+xBJnG5MaJYrK3xER9UL1JIboVzI4cI75tPYL8ptCC5MMJ6m5U3jObV42X5c\nCl7PfYyRir+l+Trc75U93KMMSVf6Xl4rIw==\n=W2AG\n-----END PGP MESSAGE-----",
 "fp": "D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318"
+ },
+ {
+ "created_at": "2024-06-09T17:52:21Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA8y7LWrO5vRGAQv+KyqvrRA4YRMIvSwX02eAD+TObgB+EiQ7nQSJC5jqO0UH\njugx7NCCtpAyGeW+Ma3WemQGZlL33UNV44gnuKJlxeklYh1gFng6IF+jX5JZ+khz\noKXtp9fPxer1Bs3gskshNE2XPfUeGXTvo8JeNCxqWR6fY7nBoaHiOCY0VP/YTkZD\nsgunPwc3ae6zn1e7f/QLYa6ULjo1EWyvwVpPCfvsBtARuUboKv+ygE6xiaM2W9pC\n5Rz0sPBLycWOmebZcaYi2cHm/lR1ybVu0sFVzEGoIb5A6xpMhoqjZxfOTMXCw6Ij\ngFP+HjgKa1dQBsuSGcHoQihRqqI1+d4YAyLZXNb04cRg9BHpkbQcyZtSH68ntra+\nQs86e7Wb2uwR0ltP50+MT7ANiRLCMpn+npxruILeN5UoZrSLeYZcwlM/AqYmO673\n5DpOJjHyL+Ce0GLgBEnIJ78HBbkJn21raXamMQ5xaBtn1Fm7rbJkRMHN37OayiV+\ndqL2YE7bqNfRtPhBdsZd1GgBCQIQgCWm++L555vePNoh/BGmHdOpBh+dTyPQTZl/\nzKoxQPVzOansQQFYq8Pz8WGzaH3UN+mLCVqeNUUJLgsa8xiFLpCMkOGwAC0DCHYr\nssKP9AMQGiM8WxQ6PRIzJgW7TGTPttUHdA==\n=+ON3\n-----END PGP MESSAGE-----",
+ "fp": "4F864F3EA770491488B90B4E8B6CEF1599D3CCB5"
 }
 ],
 "unencrypted_suffix": "_unencrypted",
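Review bot: The added `pgp` entry wraps the data key for fingerprint 4F864F3EA770491488B90B4E8B6CEF1599D3CCB5, so the private key behind it can now decrypt every value in this file, yet nothing in the commit records that the fingerprint was checked against its owner out-of-band — the `.asc` under `.gpg-keys/` and this entry arrive in the same push, so the keyring import the README describes provides no independent check. Its uid in the README reads "Test Key"; if it is indeed a test key it should be dropped again with `sops -r -i --rm-pgp 4F864F3EA770491488B90B4E8B6CEF1599D3CCB5 tf-secret.enc.json` before real secrets are stored, since only a re-encryption with a fresh data key actually removes a recipient's access. The rewritten `enc` block for the existing recipient, the new `mac` and the matching `lastmodified` are consistent with the data key having been rotated as the README's `-r` step intends.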