🔑 Managing Age Keys for Secrets
This project uses age + SOPS to manage secrets in Git.
You need to create your own age keypair, add the public key to the repo, and configure SOPS to use it.
1. Generate an Age Keypair
On your workstation, run:
mkdir -p ~/.config/age
age-keygen -o ~/.config/age/key.txt
- This creates a new keypair and stores it at ~/.config/age/key.txt.
- The private key must never be committed to Git. Keep it safe (e.g., in your password manager or vault).
- The public key looks like this:
age1qlf....yourpublickey....
2. Add Your Public Key to the Repo
Create (or overwrite) the file:
keys/age.pub
Put your public key inside, e.g.:
age1qlf....yourpublickey....
Commit this file:
git add keys/age.pub
git commit -m "Add my age public key"
3. Update .sops.yaml
Open .sops.yaml in the repo and add your age public key under creation_rules:
creation_rules:
  - path_regex: secrets/.*$
    key_groups:
      - age:
          - age1qlf....yourpublickey....
You can list multiple keys if several people need access.
Commit the update:
git add .sops.yaml
git commit -m "Configure SOPS with my age key"
4. Test Encryption/Decryption
Encrypt a file:
sops -e secrets/example.yaml > secrets/example.enc.yaml
Decrypt it back:
sops -d secrets/example.enc.yaml
If everything works, you are ready to store secrets securely in Git.
✅ That’s it — your secrets are now protected with your own master key.
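A guard for two mistakes this workflow leaves open: committing the private key from step 1, or committing the plaintext secrets/example.yaml from step 4 instead of its encrypted output. This is an added example, not part of the project; the function names, the script name check-secrets.sh and the `--staged` argument are assumptions, and the check relies on SOPS writing a `sops:` block with an encrypted `mac:` entry into the YAML it encrypts.

```shell
#!/bin/sh
# Added example (not project code): refuse commits that leak a key or plaintext.
# Assumption: .git/hooks/pre-commit runs `sh check-secrets.sh --staged`
# (check-secrets.sh is a hypothetical name for this file).

# True if the file holds an age private key; age-keygen writes it at line start.
has_private_key() {
    grep -q '^AGE-SECRET-KEY-1' "$1"
}

# True if a YAML file carries SOPS metadata: a top-level "sops:" key with an
# encrypted "mac:" entry beneath it.
is_sops_encrypted() {
    grep -q '^sops:' "$1" && grep -Eq '^[[:space:]]+mac: ENC\[' "$1"
}

# check_paths FILE...: print one line per finding; return 1 if any was found.
check_paths() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if has_private_key "$f"; then
            echo "BLOCK $f: contains an age private key"
            rc=1
        fi
        case "$f" in
            secrets/*|*/secrets/*)
                if ! is_sops_encrypted "$f"; then
                    echo "BLOCK $f: under secrets/ but not SOPS-encrypted"
                    rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# Hook mode: check the working-tree copy of every added or modified staged file.
if [ "${1:-}" = "--staged" ]; then
    IFS='
'                       # split the file list on newlines only
    set -f              # no glob expansion of path names
    check_paths $(git diff --cached --name-only --diff-filter=AM)
    exit $?
fi
```

The guard also catches a key.txt pasted whole into keys/age.pub, since that file carries the private key line next to the public one.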