# Secrets workflow (sops + age)

## Files

- `creds/age-key.txt`: age private key (keep out of git; store in a password manager). The public key is in the file header.
- `creds/secrets.enc.env`: encrypted dotenv managed by sops/age (committable).
- `creds/secrets.env`: decrypted dotenv (git-ignored) produced when loading secrets; not committed.
- Legacy plaintext secrets were moved to `creds/deprecated/` for reference.

## Editing secrets

```bash
# Ensure the sops and age binaries are available
sops creds/secrets.enc.env
```

Sops will decrypt the file, open it in `$EDITOR`, and re-encrypt it on save. The age recipient is configured in `.sops.yaml`.

## Loading secrets locally

```bash
source scripts/load-secrets.sh
```

This decrypts `creds/secrets.enc.env` to `creds/secrets.env` if needed (requires sops) and exports all variables.

## Adding developers

- Share `creds/age-key.txt` securely (password manager). They need the age secret key to decrypt.
- No change to `.sops.yaml` is needed unless you rotate keys.

## Deploys/CI

- `deploy/deploy.sh` sources `scripts/load-secrets.sh`, so providing `creds/secrets.enc.env` plus the age key is enough for secret env injection.

## Rotating keys

- Generate a new age key: `age-keygen -o creds/age-key.txt` (keep a backup of the old key if you need to re-encrypt).
- Update the `.sops.yaml` recipient to the new public key.
- Re-encrypt: `SOPS_AGE_KEY_FILE=creds/age-key.txt sops --encrypt --in-place creds/secrets.enc.env`.
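The following sketch shows the "decrypt if needed, then export" behaviour described for `scripts/load-secrets.sh`. It is an added example, not the project's own script; the paths mirror this README, and `SOPS_AGE_KEY_FILE` is the environment variable sops reads to locate the age private key.

```shell
# Example load-secrets logic (added illustration, not the project's script).
# Intended to be sourced, so it avoids `set -e` and umask changes in the caller's shell.

ENC_FILE="${ENC_FILE:-creds/secrets.enc.env}"
PLAIN_FILE="${PLAIN_FILE:-creds/secrets.env}"
export SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-creds/age-key.txt}"

# needs_decrypt ENC PLAIN: true when the plaintext copy is missing or
# older than the ciphertext, so an edit via `sops` is never silently stale.
needs_decrypt() {
  [ ! -f "$2" ] || [ "$1" -nt "$2" ]
}

# decrypt_secrets ENC PLAIN: decrypt with sops into PLAIN, created mode 0600
# (umask is changed only inside the subshell).
decrypt_secrets() {
  command -v sops >/dev/null 2>&1 || { echo "sops not found in PATH" >&2; return 1; }
  [ -r "$SOPS_AGE_KEY_FILE" ] || { echo "age key not readable: $SOPS_AGE_KEY_FILE" >&2; return 1; }
  ( umask 077 && sops --decrypt "$1" > "$2" ) || { rm -f "$2"; return 1; }
}

# export_dotenv FILE: source a KEY=VALUE dotenv file with auto-export on,
# so every variable it defines reaches child processes (e.g. deploy steps).
export_dotenv() {
  [ -f "$1" ] || { echo "dotenv file missing: $1" >&2; return 1; }
  set -a
  # shellcheck disable=SC1090
  . "$1"
  set +a
}

# load_secrets: the whole workflow; returns non-zero if any step fails.
load_secrets() {
  if needs_decrypt "$ENC_FILE" "$PLAIN_FILE"; then
    decrypt_secrets "$ENC_FILE" "$PLAIN_FILE" || return 1
  fi
  export_dotenv "$PLAIN_FILE"
}
```

Call `load_secrets` after sourcing; the decrypted `creds/secrets.env` is reused until `creds/secrets.enc.env` changes.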