# Initial set-up

On a new laptop, generate a new key pair:

```
gpg --generate-key
```

Find the new key and note the fingerprint:

```
gpg --list-keys
[keyboxd]
---------
pub   rsa3072 2024-05-30 [SC] [expires: 2031-05-29]
      4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
uid           [ unknown] Greg Matoga (Test Key)
sub   rsa3072 2024-05-30 [E] [expires: 2031-05-29]
```

Export the public part and place it in this directory:

```
export FINGER_PRINT=4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
gpg --export --armor "$FINGER_PRINT" > .gpg-keys/new-key.asc
```

Ensure all public keys are imported:

```
for key in .gpg-keys/*.asc; do
  gpg --import "$key"
done
```

Now, in order to re-encrypt the vault with the new key:

```
sops -r -i --add-pgp "$FINGER_PRINT" tf-secret.enc.json
```

It should add the fingerprint to the `.sops.yaml`:

```yaml
creation_rules:
  - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
```

This will re-encrypt all values with the new master key and put public keys into the file.

For other options, check the [documentation on adding and removing keys](https://github.com/getsops/sops?tab=readme-ov-file#27adding-and-removing-keys). Note that there might be some differences in the command options (e.g. `-r` instead of the positional argument `rotate`).
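After rotating, it is worth confirming that the recipients listed in `.sops.yaml` and the recipients actually stored in the encrypted file agree. The script below is an added example, not part of the original instructions: it assumes sops records each PGP recipient as an `"fp"` field in the file's metadata, the function names are hypothetical, and the sample files are constructed to show the state before re-encryption.

```shell
#!/bin/sh
# Added example: detect recipient drift between .sops.yaml and the metadata
# of a sops-encrypted JSON file. Function names are illustrative only.

# Fingerprints on the pgp: lines of a .sops.yaml, upper-cased, one per line.
rules_fps() {
  grep -E '^[[:space:]-]*pgp:' "$1" | grep -oE '[0-9A-Fa-f]{40}' | tr 'a-f' 'A-F' | sort -u
}

# Fingerprints in the "fp" fields that sops stores in the encrypted file.
file_fps() {
  grep -oE '"fp":[[:space:]]*"[0-9A-Fa-f]{40}"' "$1" | grep -oE '[0-9A-Fa-f]{40}' | tr 'a-f' 'A-F' | sort -u
}

# Print each mismatch; return 0 only when both sides list the same keys.
recipient_drift() {
  rules=$(rules_fps "$1"); stored=$(file_fps "$2"); drift=0
  if [ -z "$rules" ] || [ -z "$stored" ]; then
    echo "no fingerprints found in $1 or $2"; return 2
  fi
  for fp in $rules; do
    printf '%s\n' "$stored" | grep -qx "$fp" || { echo "not a recipient of $2: $fp"; drift=1; }
  done
  for fp in $stored; do
    printf '%s\n' "$rules" | grep -qx "$fp" || { echo "recipient missing from $1: $fp"; drift=1; }
  done
  return "$drift"
}

# Constructed sample: the rules list both keys, the file only has the old one.
make_sample() {
  printf 'creation_rules:\n  - pgp: %s,%s\n' \
    D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318 4F864F3EA770491488B90B4E8B6CEF1599D3CCB5 > "$1/.sops.yaml"
  printf '{"db_password": "ENC[...]", "sops": {"pgp": [{"fp": "%s"}]}}\n' \
    D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318 > "$1/tf-secret.enc.json"
}

tmp=$(mktemp -d)
make_sample "$tmp"
recipient_drift "$tmp/.sops.yaml" "$tmp/tf-secret.enc.json" || echo "drift detected"
rm -rf "$tmp"
```

Run against the real `.sops.yaml` and `tf-secret.enc.json`, a non-zero exit status means a key was added to one place but not the other, for example a new laptop key that was listed in the rules before the vault was re-encrypted.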