diff --git a/docs/age-keys.md b/docs/age-keys.md index 54bc84e..a534091 100644 --- a/docs/age-keys.md +++ b/docs/age-keys.md @@ -105,4 +105,8 @@ If everything works, you are ready to store secrets securely in Git. --- +## ๐Ÿ”‘ Secrets Handling Digest + +In RailianceHosts, **age private keys never leave your workstation**. Secrets in the repo are encrypted to one or more **public keys** listed in `.sops.yaml`. To decrypt, you either load your private key into the environment (`SOPS_AGE_KEY`) or keep it in your local `~/.config/sops/age/keys.txt` (never in Git). Ansible and Terraform decrypt files only on the control machine, so plaintext is injected at runtime but never stored on servers. For teams, simply add multiple public keys as recipients; each operator decrypts with their own private key. In CI/CD, the private key is injected securely as a secret variable. This ensures encryption is repo-wide and portable, while private keys remain personal, local, and outside version control. + โœ… Thatโ€™s it โ€” your secrets are now protected with your own master key.