coulomb/railiance-infra
0
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity
Files
b32dfd4f5a2c98e62bbdfcf1ea9d4662c1834d2d
railiance-infra/docs/age-keys.md

2.7 KiB
Raw Blame History

🔑 Managing Age Keys for Secrets

This project uses age + SOPS to manage secrets in Git.
You need to create your own age keypair, add the public key to the repo, and configure SOPS to use it.

0. Install Age & Sops

First, make sure age is installed on your workstation.

sudo apt update
sudo apt install age
age --version

To install Sops grab the binary release and install it.

wget https://github.com/getsops/sops/releases/download/v3.10.2/sops_3.10.2_amd64.deb
sudo apt install ./sops_3.10.2_amd64.deb

1. Generate an Age Keypair

On your workstation, run:

age-keygen -o ~/.config/sops/age/key.txt
  • This creates a new keypair and stores it at ~/.config/sops/age/key.txt.
  • The private key must never be committed to Git. Keep it safe (e.g., in your password manager or vault).
  • The public key looks like this:
age1qlf....yourpublickey....

2. Add Your Public Key to the Repo

Create (or overwrite) the file:

keys/age.pub

Put your public key inside, e.g.:

age1qlf....yourpublickey....

Commit this file:

git add keys/age.pub
git commit -m "Add my age public key"

3. Update .sops.yaml

Open .sops.yaml in the repo and add your age public key under creation_rules:

creation_rules:
  - path_regex: secrets/.*$
    key_groups:
      - age:
          - age1qlf....yourpublickey....

You can list multiple keys if several people need access.

Commit the update:

git add .sops.yaml
git commit -m "Configure SOPS with my age key"

4. Test Encryption/Decryption

Encrypt a file:

sops -e secrets/example.yaml > secrets/example.enc.yaml

Decrypt it back:

sops -d secrets/example.enc.yaml

If everything works, you are ready to store secrets securely in Git.

🔑 Secrets Handling Digest

In RailianceHosts, age private keys never leave your workstation. Secrets in the repo are encrypted to one or more public keys listed in .sops.yaml. To decrypt, you either load your private key into the environment (SOPS_AGE_KEY) or keep it in your local ~/.config/sops/age/keys.txt (never in Git). Ansible and Terraform decrypt files only on the control machine, so plaintext is injected at runtime but never stored on servers. For teams, simply add multiple public keys as recipients; each operator decrypts with their own private key. In CI/CD, the private key is injected securely as a secret variable. This ensures encryption is repo-wide and portable, while private keys remain personal, local, and outside version control.

Thats it — your secrets are now protected with your own master key.

Reference in New Issue View Git Blame Copy Permalink