lomavuokraus/docs/secrets.md
2025-12-11 13:37:55 +02:00


Secrets workflow (sops + age)

Files

  • creds/age-key.txt: age private key (keep out of git; store in a password manager). Public key is in the header.
  • creds/secrets.enc.env: encrypted dotenv managed by sops/age (committable).
  • creds/secrets.env: decrypted dotenv (git-ignored) produced when loading secrets; not committed.
  • Legacy plaintext secrets moved to creds/deprecated/ for reference.

Editing secrets

# Ensure sops+age binaries are available
sops creds/secrets.enc.env

Sops will decrypt, open in $EDITOR, and re-encrypt on save. The age recipient is configured in .sops.yaml.

Loading secrets locally

source scripts/load-secrets.sh

This decrypts creds/secrets.enc.env to creds/secrets.env if needed (requires sops) and exports all variables.
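The following is an added illustration of how a load script with that behaviour can be written; it is not the project's scripts/load-secrets.sh. It assumes the file layout above (ENC_FILE and DEC_FILE are overridable) and that the sops binary is on PATH. It decrypts only when the plaintext is missing or older than the ciphertext, creates the plaintext with mode 0600, and exports every variable from it.

```shell
#!/bin/sh
# Added example of a load-secrets script (not the project's own).
# Assumed paths, matching the layout described in this doc.
ENC_FILE="${ENC_FILE:-creds/secrets.enc.env}"
DEC_FILE="${DEC_FILE:-creds/secrets.env}"

# True (exit 0) when the plaintext is absent or older than the ciphertext,
# so an edit made with `sops creds/secrets.enc.env` is picked up.
needs_decrypt() {
  enc="$1"; dec="$2"
  [ -f "$dec" ] || return 0
  [ "$enc" -nt "$dec" ] && return 0
  return 1
}

# Decrypt with sops into a file only the current user can read. The umask
# is set in a subshell so it does not leak into the caller's environment.
decrypt_env() {
  enc="$1"; dec="$2"
  command -v sops >/dev/null 2>&1 || { echo "sops not found on PATH" >&2; return 1; }
  ( umask 077; sops --decrypt "$enc" > "$dec" ) || { rm -f "$dec"; return 1; }
}

# Export every KEY=VALUE assignment in a dotenv file. `set -a` marks all
# variables assigned while it is active for export.
export_dotenv() {
  set -a
  . "$1"
  set +a
}

# Entry point: refresh the plaintext if needed, then export it.
load_secrets() {
  if needs_decrypt "$ENC_FILE" "$DEC_FILE"; then
    decrypt_env "$ENC_FILE" "$DEC_FILE" || return 1
  fi
  export_dotenv "$DEC_FILE"
}

# Usage: `. scripts/load-secrets.sh && load_secrets` from the repo root.
```

The decrypted file is removed again if sops fails part-way, so a truncated plaintext never gets sourced; keep creds/secrets.env in .gitignore as the doc already requires.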

Adding developers

  • Share creds/age-key.txt securely (password manager). They need the age secret key to decrypt.
  • No change to .sops.yaml is needed unless you rotate keys.

Deploys/CI

  • deploy/deploy.sh sources scripts/load-secrets.sh, so providing creds/secrets.enc.env + age key is enough for secret env injection.

Rotating keys

  • Generate a new age key: age-keygen -o creds/age-key.txt (keep a backup of the old key if you need to re-encrypt).
  • Update .sops.yaml recipient to the new public key.
  • Re-encrypt with the old key still available for decryption: SOPS_AGE_KEY_FILE=<path-to-old-key-backup> sops updatekeys creds/secrets.enc.env. The file is already encrypted, so sops --encrypt is not the right tool; updatekeys re-wraps the data key for the recipients now listed in .sops.yaml.
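As an added example (not the project's tooling) the rotation steps above, together with the .sops.yaml recipient configuration mentioned under "Editing secrets", can be carried out by one helper script. It assumes age-keygen and sops on PATH, that it is run from the repository root where .sops.yaml lives, and the file names used in this doc; the backup file name is an assumption.

```shell
#!/bin/sh
# Added example of an age key-rotation helper (not the project's own).
# Run from the repository root so sops finds the rewritten .sops.yaml.

# Read the recipient from an age-keygen key file. age-keygen writes it as a
# "# public key: age1..." comment line above the AGE-SECRET-KEY line.
age_public_key() {
  sed -n 's/^# public key: //p' "$1"
}

# Render a minimal .sops.yaml that pins one age recipient to the encrypted
# dotenv files under creds/.
render_sops_yaml() {
  cat <<EOF
creation_rules:
  - path_regex: creds/.*\\.enc\\.env\$
    age: $1
EOF
}

# Rotate: back up the old key, generate a new one, point .sops.yaml at the
# new recipient, then re-wrap the data key. updatekeys must decrypt with the
# OLD key, so SOPS_AGE_KEY_FILE points at the backup, not the new key.
rotate_age_key() {
  key="${1:-creds/age-key.txt}"
  enc="${2:-creds/secrets.enc.env}"
  backup="$key.$(date +%Y%m%d%H%M%S).bak"   # assumed name; keep it out of git like the key
  cp "$key" "$backup" || return 1
  ( umask 077; age-keygen -o "$key.new" ) || return 1
  new_pub=$(age_public_key "$key.new")
  [ -n "$new_pub" ] || { echo "no public key found in $key.new" >&2; return 1; }
  render_sops_yaml "$new_pub" > .sops.yaml
  SOPS_AGE_KEY_FILE="$backup" sops updatekeys -y "$enc" || return 1
  mv "$key.new" "$key"
  echo "rotated; old key kept at $backup until every encrypted file is re-wrapped"
}
```

render_sops_yaml writes a single recipient because that is what this doc describes; the age field in .sops.yaml also accepts a comma-separated list of recipients, which lets each developer hold their own key and be removed individually instead of sharing one private key.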