Readme update

.gpg-keys/README.md

@@ -42,6 +42,35 @@ creation_rules:
   - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
 ```
 
-This will reencode all values with new master key and put public keys into the file. For other
+This will reencode all values with new master key and put public keys into the
-options, check [doc adding or removing keys](https://github.com/getsops/sops?tab=readme-ov-file#27adding-and-removing-keys). Note that there might be some differences in the command options (e.g. `-r` instead of positional argument `rotate`).
+file. For other options, check [doc adding or removing
+keys](https://github.com/getsops/sops?tab=readme-ov-file#27adding-and-removing-keys).
+Note that there might be some differences in the command options (e.g. `-r`
+instead of positional argument `rotate`).
 
+# More info - usage
+
+In day to day usage, only a single private key is needed to decrypt secrets. 
+
+SOPS encrypts the file content with a "data key". That key is then encrypted
+with all the public keys (in this repo configured in the `.sops.yaml` file) and
+stored in the encoded version of the file under sops.pgp[].enc field. So, any of
+the private keys will be able to decrypt the data key.
+
+The data key is encrypted using public keys - once per each public key.
+
+The full public key set is only needed, when rotating the data key. This
+reencodes all secrets and stores new set of encoded data keys in the file. So, a
+developer wanting to add or remove a key from the set, needs to have all the
+public keys available. Since public keys aren't considered a secret, any
+developer with a single private key and the set of public keys will be able to
+that.
+
+# Keyserver
+
+It's possible to host own keyserver: `hockeypuck`. After configuring gpg client,
+the public keys could be uploaded and searched for. This would alleviate the
+need to manually import all the keys.
+
+Hockeypuck at base configuration expects a full gpg dump, so it's quite heavy
+as files are around 16gb total. It also needs a postgres database.

.sops.yaml

@@ -1,2 +1,4 @@
 creation_rules:
-  - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
+  - pgp: >-
+      D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,
+      4F864F3EA770491488B90B4E8B6CEF1599D3CCB5

tf-secret.enc.json

@@ -1,14 +1,14 @@
 {
 	"proxmox_password": "ENC[AES256_GCM,data:uxE9yb3oNK14Vkg0U2BKenl1xWmxoQ==,iv:og2UtENmuPFQy2YqcLWYWQpIQPQM4RU0jKEvfLsrVGs=,tag:FCXWwZMuzbuAtC7k4S/7bw==,type:str]",
-	"password": "ENC[AES256_GCM,data:syv7,iv:Q5LgA1qgq8LCYkiOBi7nqnutEuOMbVZCXFd4sR2pUKc=,tag:A4lrj3pWas6wIxfPsZNBvA==,type:str]",
+	"password": "ENC[AES256_GCM,data:ecd/,iv:nRkYYDmfmHqWr2qTF/+lyoXBHZ8Q8LsusxmUTCfBhPI=,tag:bu6Ic1Hb8Bfl0THBgFV0wg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": null,
-		"lastmodified": "2024-06-09T18:02:10Z",
+		"lastmodified": "2024-06-09T18:24:52Z",
-		"mac": "ENC[AES256_GCM,data:gN/8NQFMx/B0qLn8umhJl/j74CqckoCw5WSdZ0akTkWMDkbcvp/KlSjoQFzgGbwB5yWetLa/SL+IMDlnM2eyNGf3r/bcCvyC9ZvFX+3yQtskCO6i6buuib9zy5h+W0bWRSTOL7CKHdCxwve9aY4sTnLKzwhM9R5ibaG5vFMehyU=,iv:POUojbGqToASkEIHnq4OAw5fgU2MyU9C3hbtjBpWffU=,tag:NqHgGL+2IfKsVR8RSwqgbA==,type:str]",
+		"mac": "ENC[AES256_GCM,data:EFOnsz9cYFsf5z6jOt5VO86E3E9zSTOQGmlvLTsYelYdJrZzQ4Tpxkbx1d0qrRggVGiWgZBzBBXNvtkWtTEn+hW3ZwEH2Z5acaNe77BLd4tfHzjdsZnfwMGKNdqi4yJe9mG+e+4Vo+ay64w1C1VgB3nfiDmSu02KcWELCigGo3Y=,iv:lFtmv9uSAJiPOzEuxgRjudka/g3nEWLkt832aIiSOco=,tag:KxFCWeevt46nJc2QnwkCRA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-06-01T22:06:19Z",