53 lines
1.4 KiB
Markdown
53 lines
1.4 KiB
Markdown
|
# Age Encryption Keys
|
||
|
|
|
||
|
|
⚠️ **CRITICAL**: This directory contains encryption keys that are **NOT committed to Git**.
|
||
|
|
|
||
|
|
## Key Files
|
||
|
|
|
||
|
|
- `age-key.txt` - Age private key for SOPS encryption (GITIGNORED)
|
||
|
|
|
||
|
|
## Backup Checklist
|
||
|
|
|
||
|
|
Before proceeding with any infrastructure work, ensure you have:
|
||
|
|
|
||
|
|
- [ ] Copied `age-key.txt` to password manager
|
||
|
|
- [ ] Created offline backup (printed or encrypted USB)
|
||
|
|
- [ ] Verified backup can decrypt secrets successfully
|
||
|
|
|
||
|
|
## Key Recovery
|
||
|
|
|
||
|
|
If you lose access to `age-key.txt`:
|
||
|
|
|
||
|
|
1. **Check password manager** for backup
|
||
|
|
2. **Check offline backups** (printed copy, USB drive)
|
||
|
|
3. **If no backup exists**: Secrets are PERMANENTLY LOST
|
||
|
|
- You will need to regenerate all secrets
|
||
|
|
- Re-encrypt all `.sops.yaml` files
|
||
|
|
- Update all services with new credentials
|
||
|
|
|
||
|
|
## Generating a New Key
|
||
|
|
|
||
|
|
Only do this if you've lost the original key or need to rotate for security:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
# Generate new Age key
|
||
|
|
age-keygen -o age-key.txt
|
||
|
|
|
||
|
|
# Extract public key
|
||
|
|
grep "public key:" age-key.txt
|
||
|
|
|
||
|
|
# Update .sops.yaml in repository root with new public key
|
||
|
|
|
||
|
|
# Re-encrypt all secrets
|
||
|
|
cd ..
|
||
|
|
for file in secrets/**/*.sops.yaml; do
|
||
|
|
SOPS_AGE_KEY_FILE=keys/age-key.txt sops updatekeys -y "$file"
|
||
|
|
done
|
||
|
|
```
|
||
|
|
|
||
|
|
## Security Notes
|
||
|
|
|
||
|
|
- This directory is in `.gitignore`
|
||
|
|
- Keys should never be shared via email, Slack, or unencrypted channels
|
||
|
|
- Always use secure methods for key distribution (password manager, encrypted channels)
|