Added second key to the vault + readme

2024-06-09 19:57:39 +02:00
parent 48f5d766fc
commit 6a833738c2
3 changed files with 59 additions and 8 deletions
--- a/.gpg-keys/README.md
+++ b/.gpg-keys/README.md
@@ -0,0 +1,47 @@
+# Initial set-up
+
+On a new laptop, generate new key pair:
+```
+gpg --generate-key
+```
+
+Find the new key and note the fingerprint:
+```
+gpg --list-keys
+
+[keyboxd]
+---------
+pub   rsa3072 2024-05-30 [SC] [expires: 2031-05-29]
+      4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
+uid           [ unknown] Greg Matoga (Test Key) <greg.matoga@gmail.com>
+sub   rsa3072 2024-05-30 [E] [expires: 2031-05-29]
+```
+
+Export the public part and place in this directory:
+```
+export FINGER_PRINT=4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
+gpg --export --armor $FINGER_PRINT > .gpg-keys/new-key.asc
+```
+
+Ensure all public keys are imported:
+```
+for key in .gpg-keys/*.asc; do              
+    gpg --import "$key"
+done
+```
+
+Now, in order to reencode the vault with new key:
+```
+sops -r -i --add-pgp $FINGER_PRINT tf-secret.enc.json
+```
+
+It should add the fingerprint to the `.sops.yaml`:
+
+```yaml
+creation_rules:
+  - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
+```
+
+This will reencode all values with new master key and put public keys into the file. For other
+options, check [doc adding or removing keys](https://github.com/getsops/sops?tab=readme-ov-file#27adding-and-removing-keys). Note that there might be some differences in the command options (e.g. `-r` instead of positional argument `rotate`).
+