docs: add documentation about secret key generation
This commit is contained in:
parent
9860735f82
commit
31f30373a0
2 changed files with 100 additions and 0 deletions
10
README.md
|
|
@ -16,3 +16,13 @@ RailianceHosts is an open-source control repo that provisions and manages server
|
||||||
```
|
```
|
||||||
|
|
||||||
See inline comments across the repo for details. Remember to **encrypt secrets** with SOPS before committing.
|
See inline comments across the repo for details. Remember to **encrypt secrets** with SOPS before committing.
|
||||||
|
|
||||||
|
## 🔑 Secrets Management
|
||||||
|
|
||||||
|
This project uses [SOPS](https://github.com/getsops/sops) with [age](https://age-encryption.org) for secret encryption.
|
||||||
|
To set up your own key and configure SOPS, follow the guide here:
|
||||||
|
|
||||||
|
➡️ [Managing Age Keys](docs/age-keys.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
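Review bot: the new "Secrets Management" section tells contributors to encrypt secrets with SOPS before committing, but offers nothing that catches a forgotten plaintext file; consider adding one sentence next to the `docs/age-keys.md` link that points at a pre-commit or CI check failing on any file under `secrets/` that lacks the top-level `sops:` metadata block SOPS writes into encrypted files, so the rule in "Remember to **encrypt secrets** with SOPS before committing." is enforced rather than only remembered.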
90
docs/age-keys.md
Normal file
|
|
@ -0,0 +1,90 @@
|
||||||
|
# 🔑 Managing Age Keys for Secrets
|
||||||
|
|
||||||
|
This project uses [**age**](https://age-encryption.org) + [**SOPS**](https://github.com/getsops/sops) to manage secrets in Git.
|
||||||
|
You need to create your own **age keypair**, add the public key to the repo, and configure SOPS to use it.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## 1. Generate an Age Keypair
|
||||||
|
|
||||||
|
On your workstation, run:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
age-keygen -o ~/.config/age/key.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
- This creates a new keypair and stores it at `~/.config/age/key.txt`.
|
||||||
|
- The private key must **never** be committed to Git. Keep it safe (e.g., in your password manager or vault).
|
||||||
|
- The public key looks like this:
|
||||||
|
|
||||||
|
```
|
||||||
|
age1qlf....yourpublickey....
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## 2. Add Your Public Key to the Repo
|
||||||
|
|
||||||
|
Create (or overwrite) the file:
|
||||||
|
|
||||||
|
```
|
||||||
|
keys/age.pub
|
||||||
|
```
|
||||||
|
|
||||||
|
Put your **public key** inside, e.g.:
|
||||||
|
|
||||||
|
```txt
|
||||||
|
age1qlf....yourpublickey....
|
||||||
|
```
|
||||||
|
|
||||||
|
Commit this file:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git add keys/age.pub
|
||||||
|
git commit -m "Add my age public key"
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## 3. Update `.sops.yaml`
|
||||||
|
|
||||||
|
Open `.sops.yaml` in the repo and add your age public key under `creation_rules`:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
creation_rules:
|
||||||
|
- path_regex: secrets/.*$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- age1qlf....yourpublickey....
|
||||||
|
```
|
||||||
|
|
||||||
|
You can list multiple keys if several people need access.
|
||||||
|
|
||||||
|
Commit the update:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git add .sops.yaml
|
||||||
|
git commit -m "Configure SOPS with my age key"
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## 4. Test Encryption/Decryption
|
||||||
|
|
||||||
|
Encrypt a file:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sops -e secrets/example.yaml > secrets/example.enc.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
Decrypt it back:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sops -d secrets/example.enc.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
If everything works, you are ready to store secrets securely in Git.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
✅ That’s it — your secrets are now protected with your own master key.
|
||||||
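Review bot: step 1 writes the private key to `~/.config/age/key.txt`, but step 4's `sops -d secrets/example.enc.yaml` will not find it there: SOPS looks for age identities in `$XDG_CONFIG_HOME/sops/age/keys.txt` (`~/.config/sops/age/keys.txt` on Linux) or at the path given in `SOPS_AGE_KEY_FILE`, so either generate the key at that default path in `age-keygen -o ...` or add an `export SOPS_AGE_KEY_FILE=~/.config/age/key.txt` line before the decrypt test. Two smaller points in the same file: step 2 says to "Create (or overwrite)" `keys/age.pub`, which would drop a teammate's existing key and contradicts "You can list multiple keys if several people need access." in step 3, and nothing in the shown `.sops.yaml` references `keys/age.pub`, so the file's purpose should be stated; and step 3 should say that adding a recipient under `creation_rules` only affects files encrypted afterwards, so existing files under `secrets/` need `sops updatekeys <file>` run by someone who already holds a working key before the new key can decrypt them. Finally, `sops -e secrets/example.yaml > secrets/example.enc.yaml` leaves the plaintext `secrets/example.yaml` in the working tree where `git add` can pick it up; `sops -e -i secrets/example.yaml` (in place) or a `.gitignore` rule for the plaintext name avoids that.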