diff --git a/README.md b/README.md index 85dd3ce..cb58345 100644 --- a/README.md +++ b/README.md @@ -16,3 +16,13 @@ RailianceHosts is an open-source control repo that provisions and manages server ``` See inline comments across the repo for details. Remember to **encrypt secrets** with SOPS before committing. + +## πŸ”‘ Secrets Management + +This project uses [SOPS](https://github.com/getsops/sops) with [age](https://age-encryption.org) for secret encryption. +To set up your own key and configure SOPS, follow the guide here: + +➑️ [Managing Age Keys](docs/age-keys.md) + + + diff --git a/docs/age-keys.md b/docs/age-keys.md new file mode 100644 index 0000000..469cc0b --- /dev/null +++ b/docs/age-keys.md 
@@ -0,0 +1,90 @@ +# πŸ”‘ Managing Age Keys for Secrets + +This project uses [**age**](https://age-encryption.org) + [**SOPS**](https://github.com/getsops/sops) to manage secrets in Git. +You need to create your own **age keypair**, add the public key to the repo, and configure SOPS to use it. + +--- + +## 1. Generate an Age Keypair + +On your workstation, run: + +```bash +age-keygen -o ~/.config/age/key.txt +``` + +- This creates a new keypair and stores it at `~/.config/age/key.txt`. +- The private key must **never** be committed to Git. Keep it safe (e.g., in your password manager or vault). +- The public key looks like this: + +``` +age1qlf....yourpublickey.... +``` + +--- + +## 2. Add Your Public Key to the Repo + +Create (or overwrite) the file: + +``` +keys/age.pub +``` + +Put your **public key** inside, e.g.: + +```txt +age1qlf....yourpublickey.... +``` + +Commit this file: + +```bash +git add keys/age.pub +git commit -m "Add my age public key" +``` + +--- + +## 3. Update `.sops.yaml` + +Open `.sops.yaml` in the repo and add your age public key under `creation_rules`: + +```yaml +creation_rules: + - path_regex: secrets/.*$ + key_groups: + - age: + - age1qlf....yourpublickey.... +``` + +You can list multiple keys if several people need access. + +Commit the update: + +```bash +git add .sops.yaml +git commit -m "Configure SOPS with my age key" +``` + +--- + +## 4. Test Encryption/Decryption + +Encrypt a file: + +```bash +sops -e secrets/example.yaml > secrets/example.enc.yaml +``` + +Decrypt it back: + +```bash +sops -d secrets/example.enc.yaml +``` + +If everything works, you are ready to store secrets securely in Git. + +--- + +βœ… That’s it β€” your secrets are now protected with your own master key.
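Review bot: the README hunk leaves three added empty lines after the `➑️ [Managing Age Keys](docs/age-keys.md)` link (the trailing `+` lines before the next file header); trim them to a single blank line so the section does not end in trailing whitespace.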
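Review bot: step 4's `sops -d secrets/example.enc.yaml` will fail as written, because step 1 stores the private key at `~/.config/age/key.txt` while SOPS only looks in `~/.config/sops/age/keys.txt` by default; either generate the key at that path in step 1 or add `export SOPS_AGE_KEY_FILE=~/.config/age/key.txt` before the decrypt command. Two smaller points: step 2's `keys/age.pub` is never referenced by `.sops.yaml`, and "Create (or overwrite)" would clobber a previous contributor's key, which contradicts "You can list multiple keys if several people need access" in step 3, so either state what the file is for or drop the step; and step 3 should mention `sops updatekeys` for files already encrypted under the old recipient list, since editing `creation_rules` alone does not re-encrypt existing secrets.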