Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../keys/README.md
Pieter 6bc8e508c6 Complete SOPS secrets management setup (#5) 
Completed Issue #5: SOPS Secrets Management

All objectives met:
-  Age encryption key generated (keys/age-key.txt)
-  SOPS configured with Age backend (.sops.yaml)
-  Secrets directory structure created
-  Example encrypted secrets (shared + test client)
-  Comprehensive documentation for key backup
-  Ready for Ansible integration

Security measures:
- Age private key gitignored (keys/age-key.txt)
- Only encrypted .sops.yaml files committed
- Plaintext secrets explicitly excluded
- Key backup procedures documented

Files added:
- .sops.yaml - SOPS configuration with Age public key
- secrets/shared.sops.yaml - Shared secrets (encrypted)
- secrets/clients/test.sops.yaml - Test client secrets (encrypted)
- secrets/README.md - Complete SOPS usage guide
- keys/README.md - Key backup procedures
- keys/.gitignore - Protects private keys

Updated:
- .gitignore - Allow .sops.yaml, block plaintext

Tested:
- Encryption:  Files encrypted successfully
- Decryption:  Secrets decrypt correctly
- Git safety:  Private key excluded from commits

Next: Ready for Zitadel/Nextcloud deployment with secure credentials

Closes #5

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-27 14:23:36 +01:00

52 lines
1.4 KiB
Markdown
Raw Blame History

# Age Encryption Keys
⚠️ **CRITICAL**: This directory contains encryption keys that are **NOT committed to Git**.
## Key Files
- `age-key.txt` - Age private key for SOPS encryption (GITIGNORED)
## Backup Checklist
Before proceeding with any infrastructure work, ensure you have:
- [ ] Copied `age-key.txt` to password manager
- [ ] Created offline backup (printed or encrypted USB)
- [ ] Verified backup can decrypt secrets successfully
## Key Recovery
If you lose access to `age-key.txt`:
1. **Check password manager** for backup
2. **Check offline backups** (printed copy, USB drive)
3. **If no backup exists**: Secrets are PERMANENTLY LOST
- You will need to regenerate all secrets
- Re-encrypt all `.sops.yaml` files
- Update all services with new credentials
## Generating a New Key
Only do this if you've lost the original key or need to rotate for security:
```bash
# Generate new Age key
age-keygen -o age-key.txt
# Extract public key
grep "public key:" age-key.txt
# Update .sops.yaml in repository root with new public key
# Re-encrypt all secrets
cd ..
for file in secrets/**/*.sops.yaml; do
SOPS_AGE_KEY_FILE=keys/age-key.txt sops updatekeys -y "$file"
done
```
## Security Notes
- This directory is in `.gitignore`
- Keys should never be shared via email, Slack, or unencrypted channels
- Always use secure methods for key distribution (password manager, encrypted channels)
Reference in a new issue View git blame Copy permalink