91 lines
1.6 KiB
Markdown
91 lines
1.6 KiB
Markdown
|
|
# 🔑 Managing Age Keys for Secrets
|
|||
|
|
|
|||
|
|
This project uses [**age**](https://age-encryption.org) + [**SOPS**](https://github.com/getsops/sops) to manage secrets in Git.
|
|||
|
|
You need to create your own **age keypair**, add the public key to the repo, and configure SOPS to use it.
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## 1. Generate an Age Keypair
|
|||
|
|
|
|||
|
|
On your workstation, run:
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
age-keygen -o ~/.config/age/key.txt
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
- This creates a new keypair and stores it at `~/.config/age/key.txt`.
|
|||
|
|
- The private key must **never** be committed to Git. Keep it safe (e.g., in your password manager or vault).
|
|||
|
|
- The public key looks like this:
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
age1qlf....yourpublickey....
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## 2. Add Your Public Key to the Repo
|
|||
|
|
|
|||
|
|
Create (or overwrite) the file:
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
keys/age.pub
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
Put your **public key** inside, e.g.:
|
|||
|
|
|
|||
|
|
```txt
|
|||
|
|
age1qlf....yourpublickey....
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
Commit this file:
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
git add keys/age.pub
|
|||
|
|
git commit -m "Add my age public key"
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## 3. Update `.sops.yaml`
|
|||
|
|
|
|||
|
|
Open `.sops.yaml` in the repo and add your age public key under `creation_rules`:
|
|||
|
|
|
|||
|
|
```yaml
|
|||
|
|
creation_rules:
|
|||
|
|
- path_regex: secrets/.*$
|
|||
|
|
key_groups:
|
|||
|
|
- age:
|
|||
|
|
- age1qlf....yourpublickey....
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
You can list multiple keys if several people need access.
|
|||
|
|
|
|||
|
|
Commit the update:
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
git add .sops.yaml
|
|||
|
|
git commit -m "Configure SOPS with my age key"
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## 4. Test Encryption/Decryption
|
|||
|
|
|
|||
|
|
Encrypt a file:
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
sops -e secrets/example.yaml > secrets/example.enc.yaml
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
Decrypt it back:
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
sops -d secrets/example.enc.yaml
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
If everything works, you are ready to store secrets securely in Git.
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
✅ That’s it — your secrets are now protected with your own master key.
|