Clarifications on sops

2026-06-14 19:51:05 +02:00
parent 443b585010
commit 3ab326b597
5 changed files with 320 additions and 1 deletion


@@ -70,3 +70,63 @@ directly. Encryption does not require the private key.
`sso-mfa/bootstrap/decrypt-secrets.sh` requires the private key path and should
be used only in an explicit unlock/apply ceremony. After apply, plaintext files
must be shredded.
## Custody Unlock Helper
Use `sso-mfa/bootstrap/sops-custody-unlock.sh` when an operator needs to run a
SOPS-backed drill, recovery, or lockdown command but the private key is only in
the password safe or offline custody packet.
The helper:
- reads the private age key from a hidden prompt, stdin, or a source file;
- derives the public age recipient with `age-keygen -y`;
- refuses to continue unless it matches the expected recipient;
- writes a `0600` temporary `SOPS_AGE_KEY_FILE`;
- runs the requested command or opens a temporary custody shell; and
- shreds/removes the temporary key file when the command or shell exits.
It must not be used to install the private key permanently on a workstation or
server. The source of truth remains the password safe/offline custody packet.
### Validate Custody Material
From the NetKingdom repo, validate the supplied private key against `keys/age.pub`
without keeping it on disk:
```bash
make sops-custody-check
```
### Run A One-Shot Recovery Drill
For inter-hub:
```bash
make sops-custody-run COMMAND='make -C /home/worsch/inter-hub recovery-drill'
```
The helper prompts for the `AGE-SECRET-KEY-1...` line from the password safe or
offline custody packet, validates it against the registered public recipient,
sets `SOPS_AGE_KEY_FILE` for the command, and removes the temporary key after
the drill exits.
If using a password-manager CLI, pipe only the private key field:
```bash
op read 'op://Platform/NetKingdom custodian age key/private-key' \
| sso-mfa/bootstrap/sops-custody-unlock.sh \
--from-stdin \
-- make -C /home/worsch/inter-hub recovery-drill
```
### Open An Incident Shell
For multi-step recovery or lockdown work:
```bash
make sops-custody-shell
```
Run the required SOPS, recovery, or lockdown commands inside that shell. Exit
the shell to shred the temporary key file.