🔑 Managing Age Keys for Secrets
This project uses age + SOPS to manage secrets in Git.
You need to create your own age keypair, add the public key to the repo, and configure SOPS to use it.
0. Install Age & Sops
First, make sure age is installed on your workstation.
sudo apt update
sudo apt install age
age --version
To install SOPS, download the .deb package from the project's releases and install it:
wget https://github.com/getsops/sops/releases/download/v3.10.2/sops_3.10.2_amd64.deb
sudo apt install ./sops_3.10.2_amd64.deb
1. Generate an Age Keypair
On your workstation, run:
mkdir -p ~/.config/sops/age
age-keygen -o ~/.config/sops/age/key.txt
- This creates a new keypair and stores it at ~/.config/sops/age/key.txt.
- The private key must never be committed to Git. Keep it safe (e.g., in your password manager or vault).
- The public key looks like this:
age1qlf....yourpublickey....
2. Add Your Public Key to the Repo
Create (or overwrite) the file:
keys/age.pub
Put your public key inside, e.g.:
age1qlf....yourpublickey....
Commit this file:
git add keys/age.pub
git commit -m "Add my age public key"
3. Update .sops.yaml
Open .sops.yaml in the repo and add your age public key under creation_rules:
creation_rules:
  - path_regex: secrets/.*$
    key_groups:
      - age:
          - age1qlf....yourpublickey....
You can list multiple keys if several people need access. Files that were already encrypted must be re-encrypted before a newly added key can decrypt them.
Commit the update:
git add .sops.yaml
git commit -m "Configure SOPS with my age key"
4. Test Encryption/Decryption
Encrypt a file:
sops -e secrets/example.yaml > secrets/example.enc.yaml
Decrypt it back:
sops -d secrets/example.enc.yaml
If everything works, you are ready to store secrets securely in Git. Commit only the encrypted file; the plaintext secrets/example.yaml must stay out of Git.
✅ That’s it — your secrets are now protected with your own master key.
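The two rules this setup depends on (the private key never reaches Git, and only SOPS output lands under secrets/) can be enforced with a pre-commit hook. The script below is an added example, not part of this project; the function names, the hook location, and the assumption that every file under secrets/ is SOPS-encrypted YAML are assumptions.

```shell
#!/bin/sh
# Added example (not from the project): pre-commit guard for a repo that keeps
# SOPS-encrypted YAML under secrets/ and the public key in keys/age.pub.

# True if the file contains an age private key. age-keygen writes private
# keys as a line beginning with AGE-SECRET-KEY-1.
has_age_private_key() {
  grep -Eq 'AGE-SECRET-KEY-1[0-9A-Z]{20,}' "$1"
}

# True if the YAML file carries SOPS metadata: a top-level "sops:" key
# holding an encrypted "mac:" entry.
is_sops_encrypted() {
  grep -q '^sops:' "$1" && grep -Eq '^[[:space:]]+mac: ENC\[' "$1"
}

# check_file NAME [CONTENT_FILE]: return 0 if NAME is safe to commit.
# CONTENT_FILE defaults to NAME; the hook passes the staged blob instead.
check_file() {
  name=$1
  content=${2:-$1}
  if has_age_private_key "$content"; then
    echo "BLOCK: $name contains an age private key" >&2
    return 1
  fi
  case "$name" in
    secrets/*)
      if ! is_sops_encrypted "$content"; then
        echo "BLOCK: $name is under secrets/ but is not SOPS-encrypted" >&2
        return 1
      fi ;;
  esac
  return 0
}

# Check the staged version of every added, copied or modified file.
check_staged() {
  tmp=$(mktemp) || return 1
  git diff --cached --name-only --diff-filter=ACM | (
    rc=0
    while IFS= read -r staged; do
      git show ":$staged" > "$tmp" && check_file "$staged" "$tmp" || rc=1
    done
    rm -f "$tmp"
    exit "$rc"
  )
}

# Run only when installed as .git/hooks/pre-commit.
case "$0" in */pre-commit) check_staged ;; esac
```

Save it as .git/hooks/pre-commit and make it executable. It inspects the staged blobs, so editing the working copy after `git add` does not bypass it.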