From 1192a0ceceec5acf778f2deea645821d04a3e034 Mon Sep 17 00:00:00 2001 From: Bernd Worsch Date: Sat, 13 Sep 2025 22:52:18 +0200 Subject: [PATCH] docs: added secrets handling digest --- docs/age-keys.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/age-keys.md b/docs/age-keys.md index 54bc84e..a534091 100644 --- a/docs/age-keys.md +++ b/docs/age-keys.md @@ -105,4 +105,8 @@ If everything works, you are ready to store secrets securely in Git. --- +## ๐Ÿ”‘ Secrets Handling Digest + +In RailianceHosts, **age private keys never leave your workstation**. Secrets in the repo are encrypted to one or more **public keys** listed in `.sops.yaml`. To decrypt, you either load your private key into the environment (`SOPS_AGE_KEY`) or keep it in your local `~/.config/sops/age/keys.txt` (never in Git). Ansible and Terraform decrypt files only on the control machine, so plaintext is injected at runtime but never stored on servers. For teams, simply add multiple public keys as recipients; each operator decrypts with their own private key. In CI/CD, the private key is injected securely as a secret variable. This ensures encryption is repo-wide and portable, while private keys remain personal, local, and outside version control. + โœ… Thatโ€™s it โ€” your secrets are now protected with your own master key.
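Review bot: the paragraph states that with Ansible and Terraform "plaintext is injected at runtime but never stored on servers", but the new digest does not mention that Terraform writes the decrypted values it receives into its state file, so the "never stored" claim only holds if the state backend is itself protected; suggest adding one sentence such as "Note that values passed to Terraform end up in its state; keep state in an encrypted, access-controlled backend." Two smaller points on the same hunk: the CI/CD sentence ("the private key is injected securely as a secret variable") would be more useful if it named the variable already introduced earlier in the paragraph, e.g. "as a masked secret variable (`SOPS_AGE_KEY`)", and the heading "## ๐Ÿ”‘ Secrets Handling Digest" plus the closing "โœ… Thatโ€™s it โ€”" line render as mis-encoded characters in this view; confirm the file is committed as UTF-8 so the emoji and apostrophe display correctly.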