generated from coulomb/repo-seed
Clarifications on sops
@@ -70,3 +70,63 @@ directly. Encryption does not require the private key.
`sso-mfa/bootstrap/decrypt-secrets.sh` requires the private key path and should
be used only in an explicit unlock/apply ceremony. After apply, plaintext files
must be shredded.

## Custody Unlock Helper

Use `sso-mfa/bootstrap/sops-custody-unlock.sh` when an operator needs to run a
SOPS-backed drill, recovery, or lockdown command but the private key is only in
the password safe or offline custody packet.

The helper:

- reads the private age key from a hidden prompt, stdin, or a source file;
- derives the public age recipient with `age-keygen -y`;
- refuses to continue unless it matches the expected recipient;
- writes a `0600` temporary `SOPS_AGE_KEY_FILE`;
- runs the requested command or opens a temporary custody shell; and
- shreds/removes the temporary key file when the command or shell exits.

It must not be used to install the private key permanently on a workstation or
server. The source of truth remains the password safe/offline custody packet.

### Validate Custody Material

From the NetKingdom repo, validate the supplied private key against `keys/age.pub`
without keeping it on disk:

```bash
make sops-custody-check
```

### Run A One-Shot Recovery Drill

For inter-hub:

```bash
make sops-custody-run COMMAND='make -C /home/worsch/inter-hub recovery-drill'
```

The helper prompts for the `AGE-SECRET-KEY-1...` line from the password safe or
offline custody packet, validates it against the registered public recipient,
sets `SOPS_AGE_KEY_FILE` for the command, and removes the temporary key after
the drill exits.

If using a password-manager CLI, pipe only the private key field:

```bash
op read 'op://Platform/NetKingdom custodian age key/private-key' \
| sso-mfa/bootstrap/sops-custody-unlock.sh \
--from-stdin \
-- make -C /home/worsch/inter-hub recovery-drill
```

### Open An Incident Shell

For multi-step recovery or lockdown work:

```bash
make sops-custody-shell
```

Run the required SOPS, recovery, or lockdown commands inside that shell. Exit
the shell to shred the temporary key file.
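Review bot: the cleanup guarantee stated in the helper bullet list ("shreds/removes the temporary key file when the command or shell exits") and again under "Open An Incident Shell" should also say what happens on abnormal exit (SIGINT/SIGHUP, a command that crashes, a terminal that is closed), because a `0600` key file left behind after a killed drill is exactly the permanent install the text forbids; suggest documenting that cleanup runs from an EXIT trap and that the temporary `SOPS_AGE_KEY_FILE` is created under a tmpfs-backed directory such as `$XDG_RUNTIME_DIR`, since `shred` gives no assurance on journaled or copy-on-write filesystems. The "source file" input option also deserves a sentence on where such a file may live, as it otherwise sits awkwardly next to "without keeping it on disk" in the validation section. Minor: both recovery-drill examples hardcode `/home/worsch/inter-hub`, an operator-specific path in shared documentation; a clearly marked placeholder for the inter-hub checkout would stop it being copied verbatim.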