coulomb/railiance-infra
0
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity

docs: added secrets handling digest

Browse Source
This commit is contained in:
Bernd Worsch
2025-09-13 22:52:18 +02:00
parent 59bc9bbcf4
commit 1192a0cece
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/age-keys.md
View File

@@ -105,4 +105,8 @@ If everything works, you are ready to store secrets securely in Git.
---
## 🔑 Secrets Handling Digest
In RailianceHosts, **age private keys never leave your workstation**. Secrets in the repo are encrypted to one or more **public keys** listed in `.sops.yaml`. To decrypt, you either load your private key into the environment (`SOPS_AGE_KEY`) or keep it in your local `~/.config/sops/age/keys.txt` (never in Git). Ansible and Terraform decrypt files only on the control machine, so plaintext is injected at runtime but never stored on servers. For teams, simply add multiple public keys as recipients; each operator decrypts with their own private key. In CI/CD, the private key is injected securely as a secret variable. This ensures encryption is repo-wide and portable, while private keys remain personal, local, and outside version control.
✅ Thats it — your secrets are now protected with your own master key.