Added second key to the vault + readme

2024-06-09 19:57:39 +02:00
parent 48f5d766fc
commit 6a833738c2
3 changed files with 59 additions and 8 deletions
--- a/.gpg-keys/README.md
+++ b/.gpg-keys/README.md
@@ -0,0 +1,47 @@
 # Initial set-up
 On a new laptop, generate new key pair:
 ```
 gpg --generate-key
 ```
 Find the new key and note the fingerprint:
 ```
 gpg --list-keys
 [keyboxd]
 ---------
 pub   rsa3072 2024-05-30 [SC] [expires: 2031-05-29]
      4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
 uid           [ unknown] Greg Matoga (Test Key) <greg.matoga@gmail.com>
 sub   rsa3072 2024-05-30 [E] [expires: 2031-05-29]
 ```
 Export the public part and place in this directory:
 ```
 export FINGER_PRINT=4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
 gpg --export --armor $FINGER_PRINT > .gpg-keys/new-key.asc
 ```
 Ensure all public keys are imported:
 ```
 for key in .gpg-keys/*.asc; do              
    gpg --import "$key"
 done
 ```
 Now, in order to reencode the vault with new key:
 ```
 sops -r -i --add-pgp $FINGER_PRINT tf-secret.enc.json
 ```
 It should add the fingerprint to the `.sops.yaml`:
 ```yaml
 creation_rules:
  - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
 ```
 This will reencode all values with new master key and put public keys into the file. For other
 options, check [doc adding or removing keys](https://github.com/getsops/sops?tab=readme-ov-file#27adding-and-removing-keys). Note that there might be some differences in the command options (e.g. `-r` instead of positional argument `rotate`).
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,3 +1,2 @@
 creation_rules:
-  - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318
+  - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
  - pgp: 4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
--- a/tf-secret.enc.json
+++ b/tf-secret.enc.json
@@ -1,8 +1,8 @@
 {
-	"proxmox_password": "ENC[AES256_GCM,data:nJh4OA782Rl9QGZuWw+AuoeSC9XlDA==,iv:og2UtENmuPFQy2YqcLWYWQpIQPQM4RU0jKEvfLsrVGs=,tag:C0SDWmy05M1HFv/aBhYtIw==,type:str]",
+	"proxmox_password": "ENC[AES256_GCM,data:uxE9yb3oNK14Vkg0U2BKenl1xWmxoQ==,iv:og2UtENmuPFQy2YqcLWYWQpIQPQM4RU0jKEvfLsrVGs=,tag:FCXWwZMuzbuAtC7k4S/7bw==,type:str]",
-	"password": "ENC[AES256_GCM,data:hii1,iv:0343llG5iReX09ZKJ66DD83T5O8JjvqHlIJ86KmD4kc=,tag:dn9U7cszGrXPxS5xBX99RA==,type:str]",
+	"password": "ENC[AES256_GCM,data:RR+W,iv:0343llG5iReX09ZKJ66DD83T5O8JjvqHlIJ86KmD4kc=,tag:e7LpqdxoBrXbghIIy+bgmQ==,type:str]",
 	"db": {
-		"password": "ENC[AES256_GCM,data:kIuf,iv:WmfIzsMrs5b6jjUOJM6xbqEmh0uyrLYd55CIOQPvtV0=,tag:7WtA3+aOYFvSjiSfLnLT/w==,type:str]"
+		"password": "ENC[AES256_GCM,data:VHaM,iv:WmfIzsMrs5b6jjUOJM6xbqEmh0uyrLYd55CIOQPvtV0=,tag:NNVJQJWrHE8Cy1Esd+KUuA==,type:str]"
 	},
 	"sops": {
 		"kms": null,
@@ -10,13 +10,18 @@
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": null,
-		"lastmodified": "2024-06-01T22:42:11Z",
+		"lastmodified": "2024-06-09T17:52:21Z",
-		"mac": "ENC[AES256_GCM,data:BBS5KtNAnzlqToHimjfjU6J2Z0XKKuLi/7To0DVKqFSn9cXK2AB6Fl6Kpb/mdaIzl/S1iHb8Auz73RhRhdG+WmgzfiXR0SX8tcjE80tE3yZ7kgdIF6wCgIwaibC60grqvuHCdJ6l8fFKftqzfotA+clDt4fWr/fYvJiuG3Y1Snc=,iv:I/w1EmYpfX0E5xEIiaVGrZsLX3Tpf+x/NdZJiJUmfwY=,tag:/042ByDamZMRXF2Q/c9a2w==,type:str]",
+		"mac": "ENC[AES256_GCM,data:SUgdRh6dDy2XoMPNBInbu0Ge8D7ZBbd1Mm2Z3+9wSEmGSVR/coTlBvHHmriiBIrn2pFbzqg6CkVelbASY3jGLuZzxnNzfZs5uvinCX5hyTT2YQpDo3oawI5JR9Mz9V9vQYirOCs/lBfegnBLULN7v9peIocAjiw4p8lIjQt39rE=,iv:iMLLktv1gbIipi8/E4LYAxPqSI+igH912HxKXDNx4DE=,tag:ZK4E/k/aDsAST1UdOw+yHQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-06-01T22:06:19Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMAyzbm9WLP+K6AQv/f+yWwcyzlRVpwiA5mzehC582YdXqUkGJ7lTo/L7iYvs+\nKLSi+DOqpN6ytG2sg+7Yoc1HiFLcjYOi/ZWjDSnawbLyVdfr8k84YfD5t7P+bpG2\nMUOZZ94nQMRTAOmWho5tWo5SccXMewi1GQ5h4zzqwXqAf1wPXjzABllXDHuFCndO\nOp/DqpkoR/zleMV7h6qO4g5y9B4mridyy3CLQ2ANKxHrEatYhUgglUnjlrKuZo6V\nWAhIug0opSuY30fzSaJwnP5DOIGBx4BXsp6OfTQBa9rzjDErhuXqpyBhqZKUb+z5\nxeZxTQcrs5xrlCmqhg5eeb2C3MpmVxQNa3C/qlBvK+8fzSSM9to8yFNjlOReI08C\nuuDiLdqHkOglnm3lbH5zznYezNFQDpgAukhC+bX4YE202/6+1CCDvb/1b8OSi+0k\nmISaDcoDyJvGgpcfu9fSmfQDqF9iuPyqGhv+9mw6O997FeYgFFmkKfLOV3j/dzR6\nYAihSv75/JDE33bm1kR01GYBCQIQPAXgIJ3ZO5CLKJUqRZOIq0HYHJe8nGPe20P/\nhAD7mtbac92BKR/Eth0CTQxbTTAWH8uHZvzvSOkXoa9DHhwRt/9YWZlwRHEy/Fx0\nX5I/xPtN92yuPuoTaYUu2XSvazWFhEQ=\n=xCKS\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMAyzbm9WLP+K6AQv/UzX28IkisSvAfx8Kls5949X5bHGb+9fkW+UZK7YTQzjl\niSyLJyaupWtZuFEUqPJDor+Er1xLJMOYxPvmp/OFZKdWjJho5HAtJD94rrj6NgtJ\njwi7HcKcTid5PnceTW099sFv0YrIJRREIDOJ62Yg6rIGZVQogH4SSF2dRJ8p3cNv\ne18Oq7Ft8wBsApmy34hBDXN/WRvtifb8zdloPCo8axnyTp9WntqiyflBJMi+ZUry\ns9gYp6g7/ae5MyZDjcuHhU5/ZKRBMblzuakHJtSLvrY8GjU7U0F9FlMCpSg+HEJT\nnOf+T2BpPPATqzei/cEn7tC4+ZGm/uqW43uNdgi0D5NRSuRhwzRPE19WI4HO31qK\nbELRK4TPj6KMLegjAIY7cPdkbXVleRKoyAgi9iaB/sVDi0yMkgTomfeLjXlF6GSj\n5fVxSj2cM7DxBg8JIyQyuHTdy860+nJPcuJQ3Jzuv+W5ZNrNMu9en/GgGOH1BKXt\nZaZand3PYVgKHI3W26bx1GgBCQIQwXjm71M7ARtmca+0Kp7GridQf91OQ2mSOqXy\nYXvh+xBJnG5MaJYrK3xER9UL1JIboVzI4cI75tPYL8ptCC5MMJ6m5U3jObV42X5c\nCl7PfYyRir+l+Trc75U93KMMSVf6Xl4rIw==\n=W2AG\n-----END PGP MESSAGE-----",
 				"fp": "D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318"
 			},
 			{
 				"created_at": "2024-06-09T17:52:21Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA8y7LWrO5vRGAQv+KyqvrRA4YRMIvSwX02eAD+TObgB+EiQ7nQSJC5jqO0UH\njugx7NCCtpAyGeW+Ma3WemQGZlL33UNV44gnuKJlxeklYh1gFng6IF+jX5JZ+khz\noKXtp9fPxer1Bs3gskshNE2XPfUeGXTvo8JeNCxqWR6fY7nBoaHiOCY0VP/YTkZD\nsgunPwc3ae6zn1e7f/QLYa6ULjo1EWyvwVpPCfvsBtARuUboKv+ygE6xiaM2W9pC\n5Rz0sPBLycWOmebZcaYi2cHm/lR1ybVu0sFVzEGoIb5A6xpMhoqjZxfOTMXCw6Ij\ngFP+HjgKa1dQBsuSGcHoQihRqqI1+d4YAyLZXNb04cRg9BHpkbQcyZtSH68ntra+\nQs86e7Wb2uwR0ltP50+MT7ANiRLCMpn+npxruILeN5UoZrSLeYZcwlM/AqYmO673\n5DpOJjHyL+Ce0GLgBEnIJ78HBbkJn21raXamMQ5xaBtn1Fm7rbJkRMHN37OayiV+\ndqL2YE7bqNfRtPhBdsZd1GgBCQIQgCWm++L555vePNoh/BGmHdOpBh+dTyPQTZl/\nzKoxQPVzOansQQFYq8Pz8WGzaH3UN+mLCVqeNUUJLgsa8xiFLpCMkOGwAC0DCHYr\nssKP9AMQGiM8WxQ6PRIzJgW7TGTPttUHdA==\n=+ON3\n-----END PGP MESSAGE-----",
 				"fp": "4F864F3EA770491488B90B4E8B6CEF1599D3CCB5"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",