Eurekin.pl_Cloud/terraform
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Readme update

Browse Source
This commit is contained in:
Grzegorz Matoga
2024-06-10 09:14:54 +02:00
parent 24249f65a5
commit c09d42c419
3 changed files with 37 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
.gpg-keys/README.md
View File

@@ -42,6 +42,35 @@ creation_rules:
- pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
```
This will reencode all values with new master key and put public keys into the file. For other
options, check [doc adding or removing keys](https://github.com/getsops/sops?tab=readme-ov-file#27adding-and-removing-keys). Note that there might be some differences in the command options (e.g. `-r` instead of positional argument `rotate`).
This will reencode all values with new master key and put public keys into the
file. For other options, check [doc adding or removing
keys](https://github.com/getsops/sops?tab=readme-ov-file#27adding-and-removing-keys).
Note that there might be some differences in the command options (e.g. `-r`
instead of positional argument `rotate`).
# More info - usage
In day to day usage, only a single private key is needed to decrypt secrets.
SOPS encrypts the file content with a "data key". That key is then encrypted
with all the public keys (in this repo configured in the `.sops.yaml` file) and
stored in the encoded version of the file under sops.pgp[].enc field. So, any of
the private keys will be able to decrypt the data key.
The data key is encrypted using public keys - once per each public key.
The full public key set is only needed, when rotating the data key. This
reencodes all secrets and stores new set of encoded data keys in the file. So, a
developer wanting to add or remove a key from the set, needs to have all the
public keys available. Since public keys aren't considered a secret, any
developer with a single private key and the set of public keys will be able to
that.
# Keyserver
It's possible to host own keyserver: `hockeypuck`. After configuring gpg client,
the public keys could be uploaded and searched for. This would alleviate the
need to manually import all the keys.
Hockeypuck at base configuration expects a full gpg dump, so it's quite heavy
as files are around 16gb total. It also needs a postgres database.