# Initial set-up
On a new laptop, generate a new key pair:

```sh
gpg --generate-key
```

Find the new key and note its fingerprint:

```
gpg --list-keys

[keyboxd]
---------
pub   rsa3072 2024-05-30 [SC] [expires: 2031-05-29]
      4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
uid           [ unknown] Greg Matoga (Test Key) <greg.matoga@gmail.com>
sub   rsa3072 2024-05-30 [E] [expires: 2031-05-29]
```

Export the public part and place it in this directory:

```sh
export FINGER_PRINT=4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
gpg --export --armor "$FINGER_PRINT" > .gpg-keys/new-key.asc
```

Ensure all public keys are imported:

```sh
for key in .gpg-keys/*.asc; do
  gpg --import "$key"
done
```

Now, to re-encrypt the vault so that the new key can decrypt it:

```sh
sops -r -i --add-pgp "$FINGER_PRINT" tf-secret.enc.json
```

It should add the fingerprint to `.sops.yaml`:

```yaml
creation_rules:
  - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
```

This generates a new data key, re-encrypts every value with it, and adds the new master key to the file's `sops` metadata. For other options, see the sops documentation on [adding and removing keys](https://github.com/getsops/sops?tab=readme-ov-file#27adding-and-removing-keys). Note that the command options may differ between sops versions (e.g. the `-r` flag versus the positional `rotate` subcommand).
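A quick way to confirm the rotation actually took effect is to compare the recipients in `.sops.yaml` with the `sops.pgp[].fp` entries inside the encrypted file. The script below is an added example, not part of this repository; it embeds constructed copies of both files (the fingerprints are the two from the page, the ciphertext and `enc` blob are placeholders) and assumes the single-line `pgp:` form shown above.

```python
"""Verify that a sops vault's PGP recipients match the .sops.yaml rule.

Added example, not part of this repository. It compares the comma-separated
`pgp:` fingerprints of a creation rule with the `sops.pgp[].fp` entries sops
writes into the encrypted file, so a key added to the policy but never applied
with `sops -r --add-pgp` (or removed from it but still able to decrypt) shows up.
"""
import json
import re

FPR_RE = re.compile(r"^[0-9A-F]{40}$")  # full 160-bit OpenPGP fingerprint

# Constructed .sops.yaml content, matching the rule shown on the page.
SOPS_YAML = """\
creation_rules:
  - pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
"""

# Constructed tf-secret.enc.json *before* rotation: only the old key is a
# recipient. The ciphertext and the `enc` blob are placeholders, not real data.
ENC_JSON = json.dumps({
    "token": "ENC[AES256_GCM,data:PLACEHOLDER,type:str]",
    "sops": {"pgp": [{"fp": "D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318",
                      "enc": "-----BEGIN PGP MESSAGE----- PLACEHOLDER"}]},
})

def policy_fingerprints(sops_yaml: str) -> set[str]:
    """Fingerprints listed on every single-line `pgp:` entry of the rules file."""
    fps = set()
    for m in re.finditer(r"^\s*-?\s*pgp:\s*(.+)$", sops_yaml, re.MULTILINE):
        for fp in m.group(1).split(","):
            fp = fp.strip().upper()
            if not FPR_RE.match(fp):
                raise ValueError(f"malformed fingerprint in .sops.yaml: {fp!r}")
            fps.add(fp)
    return fps

def file_fingerprints(enc_json: str) -> set[str]:
    """Keys that can actually unwrap the data key: `sops.pgp[].fp` in the file."""
    meta = json.loads(enc_json)["sops"]
    return {entry["fp"].upper() for entry in meta.get("pgp", [])}

def recipient_drift(sops_yaml: str, enc_json: str) -> dict[str, set[str]]:
    """Policy keys missing from the file need a rotation; stale ones need removal."""
    want, have = policy_fingerprints(sops_yaml), file_fingerprints(enc_json)
    return {"missing_from_file": want - have, "stale_in_file": have - want}

if __name__ == "__main__":
    print(recipient_drift(SOPS_YAML, ENC_JSON))
```

With the sample input the new laptop key is reported under `missing_from_file`; after a successful `sops -r --add-pgp` both sets should be empty.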