coulomb/railiance-infra
0
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity
Files
59bc9bbcf4d1b2b97a7d8d40b615df6f9fb5a393
railiance-infra/docs/age-keys.md

109 lines
2.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# 🔑 Managing Age Keys for Secrets
This project uses [**age**](https://age-encryption.org) + [**SOPS**](https://github.com/getsops/sops) to manage secrets in Git.
You need to create your own **age keypair**, add the public key to the repo, and configure SOPS to use it.
---
## 0. Install Age & Sops
First, make sure **age** is installed on your workstation.
```bash
sudo apt update
sudo apt install age
age --version
```
To install Sops grab the binary release and install it.
```bash
wget https://github.com/getsops/sops/releases/download/v3.10.2/sops_3.10.2_amd64.deb
sudo apt install ./sops_3.10.2_amd64.deb
```
## 1. Generate an Age Keypair
On your workstation, run:
```bash
age-keygen -o ~/.config/sops/age/key.txt
```
- This creates a new keypair and stores it at `~/.config/sops/age/key.txt`.
- The private key must **never** be committed to Git. Keep it safe (e.g., in your password manager or vault).
- The public key looks like this:
```
age1qlf....yourpublickey....
```
---
## 2. Add Your Public Key to the Repo
Create (or overwrite) the file:
```
keys/age.pub
```
Put your **public key** inside, e.g.:
```txt
age1qlf....yourpublickey....
```
Commit this file:
```bash
git add keys/age.pub
git commit -m "Add my age public key"
```
---
## 3. Update `.sops.yaml`
Open `.sops.yaml` in the repo and add your age public key under `creation_rules`:
```yaml
creation_rules:
- path_regex: secrets/.*$
key_groups:
- age:
- age1qlf....yourpublickey....
```
You can list multiple keys if several people need access.
Commit the update:
```bash
git add .sops.yaml
git commit -m "Configure SOPS with my age key"
```
---
## 4. Test Encryption/Decryption
Encrypt a file:
```bash
sops -e secrets/example.yaml > secrets/example.enc.yaml
```
Decrypt it back:
```bash
sops -d secrets/example.enc.yaml
```
If everything works, you are ready to store secrets securely in Git.
---
✅ Thats it — your secrets are now protected with your own master key.
Reference in New Issue View Git Blame Copy Permalink