# Secrets workflow (sops + age)

## Files

- `creds/age-key.txt`: age private key (keep it out of git; store it in a password manager). The matching public key is recorded in the file's header comment.
- `creds/secrets.enc.env`: encrypted dotenv managed by sops/age (safe to commit).
- `creds/secrets.env`: decrypted dotenv (git-ignored), produced when loading secrets; never committed.
- Legacy plaintext secrets were moved to `creds/deprecated/` for reference.

## Editing secrets

```bash
# Ensure the sops and age binaries are available, then point sops at the key
# (it otherwise looks only in the default age key location).
SOPS_AGE_KEY_FILE=creds/age-key.txt sops creds/secrets.enc.env
```

sops decrypts the file, opens it in `$EDITOR`, and re-encrypts it on save. The age recipient is configured in `.sops.yaml`.

## Loading secrets locally

```bash
source scripts/load-secrets.sh
```

This decrypts `creds/secrets.enc.env` to `creds/secrets.env` if needed (requires sops) and exports all variables into the current shell.
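An illustrative `scripts/load-secrets.sh` in the shape the section describes: decrypt only when the plaintext is missing or older than the ciphertext, keep the plaintext mode 0600, and export every variable. This is an added example, not the repository's own script; the function names and the `ENC_FILE`/`PLAIN_FILE` variables are assumptions.

```bash
#!/usr/bin/env bash
# Hypothetical scripts/load-secrets.sh. It is meant to be source'd,
# so it uses `return` (never `exit`) and does not set -e for the caller.

ENC_FILE="${ENC_FILE:-creds/secrets.enc.env}"
PLAIN_FILE="${PLAIN_FILE:-creds/secrets.env}"
export SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-creds/age-key.txt}"

# Succeed (0) when decryption is needed: no plaintext yet, or the
# ciphertext was modified after the plaintext was last written.
needs_decrypt() {
  local enc="$1" plain="$2"
  [ -f "$enc" ] || return 1
  [ ! -f "$plain" ] || [ "$enc" -nt "$plain" ]
}

# Decrypt with sops into a 0600 temp file, then move it into place so a
# failed or interrupted decrypt never leaves a partial secrets file behind.
decrypt_secrets() {
  local enc="$1" plain="$2" tmp
  tmp="$(mktemp "${plain}.XXXXXX")" || return 1
  if sops --decrypt "$enc" > "$tmp"; then
    chmod 0600 "$tmp" && mv "$tmp" "$plain"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Export each KEY=VALUE line. Values are taken literally (no expansion,
# no quote stripping), which is why this is used instead of `source`.
export_dotenv() {
  local file="$1" line key val
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key="${line%%=*}"
    val="${line#*=}"
    [[ "$key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue  # skip malformed lines
    export "$key=$val"
  done < "$file"
}

load_secrets() {
  command -v sops >/dev/null 2>&1 || { echo "load-secrets: sops not found" >&2; return 1; }
  if needs_decrypt "$ENC_FILE" "$PLAIN_FILE"; then
    decrypt_secrets "$ENC_FILE" "$PLAIN_FILE" || return 1
  fi
  export_dotenv "$PLAIN_FILE"
}
```

Run `load_secrets` after sourcing the file; the staleness check means a stale `creds/secrets.env` is refreshed automatically after someone edits the encrypted file.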

## Adding developers

- Share `creds/age-key.txt` securely (password manager). They need the age secret key to decrypt.
- No change to `.sops.yaml` is needed unless you rotate keys. Because every developer holds the same key, revoking one person's access means rotating it (see below).

## Deploys/CI

- `deploy/deploy.sh` sources `scripts/load-secrets.sh`, so a deploy only needs `creds/secrets.enc.env` plus the age key (for example via `SOPS_AGE_KEY_FILE`) to inject secrets into the environment.

## Rotating keys

- Generate a new age key: `age-keygen -o creds/age-key.txt` (keep a backup of the old key; it is needed to decrypt before re-encrypting).
- Update the `.sops.yaml` recipient to the new public key.
- Re-encrypt the data key to the new recipient, decrypting with the old key: `SOPS_AGE_KEY_FILE=<path-to-old-key-backup> sops updatekeys creds/secrets.enc.env`.