Eurekin.pl_Cloud/terraform
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
c09d42c4198b10b996715533e7d97333bdcd1807
terraform/.gpg-keys/README.md
Grzegorz Matoga c09d42c419 Readme update
2024-06-10 09:14:54 +02:00

76 lines
2.5 KiB
Markdown
Raw Blame History

# Initial set-up
On a new laptop, generate new key pair:
```
gpg --generate-key
```
Find the new key and note the fingerprint:
```
gpg --list-keys
[keyboxd]
---------
pub rsa3072 2024-05-30 [SC] [expires: 2031-05-29]
4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
uid [ unknown] Greg Matoga (Test Key) <greg.matoga@gmail.com>
sub rsa3072 2024-05-30 [E] [expires: 2031-05-29]
```
Export the public part and place in this directory:
```
export FINGER_PRINT=4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
gpg --export --armor $FINGER_PRINT > .gpg-keys/new-key.asc
```
Ensure all public keys are imported:
```
for key in .gpg-keys/*.asc; do
gpg --import "$key"
done
```
Now, in order to reencode the vault with new key:
```
sops -r -i --add-pgp $FINGER_PRINT tf-secret.enc.json
```
It should add the fingerprint to the `.sops.yaml`:
```yaml
creation_rules:
- pgp: D4EACAC991E3DF53D9E39FE0CB9CF7B8A8A86318,4F864F3EA770491488B90B4E8B6CEF1599D3CCB5
```
This will reencode all values with new master key and put public keys into the
file. For other options, check [doc adding or removing
keys](https://github.com/getsops/sops?tab=readme-ov-file#27adding-and-removing-keys).
Note that there might be some differences in the command options (e.g. `-r`
instead of positional argument `rotate`).
# More info - usage
In day to day usage, only a single private key is needed to decrypt secrets.
SOPS encrypts the file content with a "data key". That key is then encrypted
with all the public keys (in this repo configured in the `.sops.yaml` file) and
stored in the encoded version of the file under sops.pgp[].enc field. So, any of
the private keys will be able to decrypt the data key.
The data key is encrypted using public keys - once per each public key.
The full public key set is only needed, when rotating the data key. This
reencodes all secrets and stores new set of encoded data keys in the file. So, a
developer wanting to add or remove a key from the set, needs to have all the
public keys available. Since public keys aren't considered a secret, any
developer with a single private key and the set of public keys will be able to
that.
# Keyserver
It's possible to host own keyserver: `hockeypuck`. After configuring gpg client,
the public keys could be uploaded and searched for. This would alleviate the
need to manually import all the keys.
Hockeypuck at base configuration expects a full gpg dump, so it's quite heavy
as files are around 16gb total. It also needs a postgres database.
Reference in New Issue View Git Blame Copy Permalink