diff --git a/.gpg-keys/README.md b/.gpg-keys/README.md
index 89588ab..c21bd3d 100644
--- a/.gpg-keys/README.md
+++ b/.gpg-keys/README.md
@@ -42,6 +42,35 @@ creation_rules:
 - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
 ```
-This will reencode all values with new master key and put public keys into the file. For other
-options, check [doc adding or removing keys](https://github.com/getsops/sops?tab=readme-ov-file#27adding-and-removing-keys). Note that there might be some differences in the command options (e.g. `-r` instead of positional argument `rotate`).
+This will reencode all values with new master key and put public keys into the
+file. For other options, check [doc adding or removing
+keys](https://github.com/getsops/sops?tab=readme-ov-file#27adding-and-removing-keys).
+Note that there might be some differences in the command options (e.g. `-r`
+instead of positional argument `rotate`).
+# More info - usage
+
+In day to day usage, only a single private key is needed to decrypt secrets.
+
+SOPS encrypts the file content with a "data key". That key is then encrypted
+with all the public keys (in this repo configured in the `.sops.yaml` file) and
+stored in the encoded version of the file under sops.pgp[].enc field. So, any of
+the private keys will be able to decrypt the data key.
+
+The data key is encrypted using public keys - once per each public key.
+
+The full public key set is only needed, when rotating the data key. This
+reencodes all secrets and stores new set of encoded data keys in the file. So, a
+developer wanting to add or remove a key from the set, needs to have all the
+public keys available. Since public keys aren't considered a secret, any
+developer with a single private key and the set of public keys will be able to
+that.
+
+# Keyserver
+
+It's possible to host own keyserver: `hockeypuck`. After configuring gpg client,
+the public keys could be uploaded and searched for. This would alleviate the
+need to manually import all the keys. 
+
+Hockeypuck at base configuration expects a full gpg dump, so it's quite heavy
+as files are around 16gb total. It also needs a postgres database.
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
index 1963807..99dd15e 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,2 +1,4 @@
 creation_rules:
- - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
\ No newline at end of file
+ - pgp: >-
+ D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,
+ 4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
\ No newline at end of file
diff --git a/tf-secret.enc.json b/tf-secret.enc.json
index e217f46..71a18b3 100644
--- a/tf-secret.enc.json
+++ b/tf-secret.enc.json
@@ -1,14 +1,14 @@
 {
 "proxmox_password": "ENC[AES256_GCM,data:uxE9yb3oNK14Vkg0U2BKenl1xWmxoQ==,iv:og2UtENmuPFQy2YqcLWYWQpIQPQM4RU0jKEvfLsrVGs=,tag:FCXWwZMuzbuAtC7k4S/7bw==,type:str]",
- "password": "ENC[AES256_GCM,data:syv7,iv:Q5LgA1qgq8LCYkiOBi7nqnutEuOMbVZCXFd4sR2pUKc=,tag:A4lrj3pWas6wIxfPsZNBvA==,type:str]",
+ "password": "ENC[AES256_GCM,data:ecd/,iv:nRkYYDmfmHqWr2qTF/+lyoXBHZ8Q8LsusxmUTCfBhPI=,tag:bu6Ic1Hb8Bfl0THBgFV0wg==,type:str]",
 "sops": {
 "kms": null,
 "gcp_kms": null,
 "azure_kv": null,
 "hc_vault": null,
 "age": null,
- "lastmodified": "2024-06-09T18:02:10Z",
- "mac": "ENC[AES256_GCM,data:gN/8NQFMx/B0qLn8umhJl/j74CqckoCw5WSdZ0akTkWMDkbcvp/KlSjoQFzgGbwB5yWetLa/SL+IMDlnM2eyNGf3r/bcCvyC9ZvFX+3yQtskCO6i6buuib9zy5h+W0bWRSTOL7CKHdCxwve9aY4sTnLKzwhM9R5ibaG5vFMehyU=,iv:POUojbGqToASkEIHnq4OAw5fgU2MyU9C3hbtjBpWffU=,tag:NqHgGL+2IfKsVR8RSwqgbA==,type:str]",
+ "lastmodified": "2024-06-09T18:24:52Z",
+ "mac": "ENC[AES256_GCM,data:EFOnsz9cYFsf5z6jOt5VO86E3E9zSTOQGmlvLTsYelYdJrZzQ4Tpxkbx1d0qrRggVGiWgZBzBBXNvtkWtTEn+hW3ZwEH2Z5acaNe77BLd4tfHzjdsZnfwMGKNdqi4yJe9mG+e+4Vo+ay64w1C1VgB3nfiDmSu02KcWELCigGo3Y=,iv:lFtmv9uSAJiPOzEuxgRjudka/g3nEWLkt832aIiSOco=,tag:KxFCWeevt46nJc2QnwkCRA==,type:str]",
 "pgp": [
 {
 "created_at": "2024-06-01T22:06:19Z",
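Review bot: The folded block scalar introduced on the `+ - pgp: >-` lines yields the string `D4EA…, 4F86…` with a space after the comma, which the previous single-line value did not contain; as far as I can tell sops strips spaces when it parses a PGP fingerprint string, but that should be confirmed by running `sops updatekeys` against an encrypted file before relying on the new layout. Keeping `pgp:` a scalar rather than a YAML list is correct for sops' creation_rules schema. Because a `#` line inside a block scalar is content rather than a comment, any owner annotation has to sit above the entry, e.g. `  # D4EA… = <owner-A placeholder>, 4F86… = <owner-B placeholder>`; naming who holds each key makes the add/remove procedure described in the README auditable when a key must be revoked. The new side still ends without a trailing newline, as the `\ No newline at end of file` marker shows.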
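Review bot: The re-encrypted `password` value on the `+` line carries a four-character base64 payload (`data:ecd/`), and since AES-256-GCM ciphertext has the same length as its plaintext, the committed file reveals that this value is three bytes long — SOPS hides the content of a value but not its size. If this is a placeholder that is harmless; if it is the real credential, the length is visible to anyone who can read the repository and should be factored into how it is handled. The updated `lastmodified` and `mac` fields are consistent with the value having been changed through sops rather than by hand, and the one visible `pgp` entry's `created_at` is unchanged context, which matches the README's point that editing a value reuses the existing data key rather than rotating it.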