coulomb/railiance-infra
0
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity
Files
f977b74edb22ff20b14acfac2fd4bb826b44c792
railiance-infra/docs/age-keys.md

113 lines
2.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# 🔑 Managing Age Keys for Secrets
This project uses [**age**](https://age-encryption.org) + [**SOPS**](https://github.com/getsops/sops) to manage secrets in Git.
You need to create your own **age keypair**, add the public key to the repo, and configure SOPS to use it.
---
## 0. Install Age & Sops
First, make sure **age** is installed on your workstation.
```bash
sudo apt update
sudo apt install age
age --version
```
To install Sops grab the binary release and install it.
```bash
wget https://github.com/getsops/sops/releases/download/v3.10.2/sops_3.10.2_amd64.deb
sudo apt install ./sops_3.10.2_amd64.deb
```
## 1. Generate an Age Keypair
On your workstation, run:
```bash
age-keygen -o ~/.config/sops/age/key.txt
```
- This creates a new keypair and stores it at `~/.config/sops/age/key.txt`.
- The private key must **never** be committed to Git. Keep it safe (e.g., in your password manager or vault).
- The public key looks like this:
```
age1qlf....yourpublickey....
```
---
## 2. Add Your Public Key to the Repo
Create (or overwrite) the file:
```
keys/age.pub
```
Put your **public key** inside, e.g.:
```txt
age1qlf....yourpublickey....
```
Commit this file:
```bash
git add keys/age.pub
git commit -m "Add my age public key"
```
---
## 3. Update `.sops.yaml`
Open `.sops.yaml` in the repo and add your age public key under `creation_rules`:
```yaml
creation_rules:
- path_regex: secrets/.*$
key_groups:
- age:
- age1qlf....yourpublickey....
```
You can list multiple keys if several people need access.
Commit the update:
```bash
git add .sops.yaml
git commit -m "Configure SOPS with my age key"
```
---
## 4. Test Encryption/Decryption
Encrypt a file:
```bash
sops -e secrets/example.yaml > secrets/example.enc.yaml
```
Decrypt it back:
```bash
sops -d secrets/example.enc.yaml
```
If everything works, you are ready to store secrets securely in Git.
---
## 🔑 Secrets Handling Digest
In RailianceHosts, **age private keys never leave your workstation**. Secrets in the repo are encrypted to one or more **public keys** listed in `.sops.yaml`. To decrypt, you either load your private key into the environment (`SOPS_AGE_KEY`) or keep it in your local `~/.config/sops/age/keys.txt` (never in Git). Ansible and Terraform decrypt files only on the control machine, so plaintext is injected at runtime but never stored on servers. For teams, simply add multiple public keys as recipients; each operator decrypts with their own private key. In CI/CD, the private key is injected securely as a secret variable. This ensures encryption is repo-wide and portable, while private keys remain personal, local, and outside version control.
✅ Thats it — your secrets are now protected with your own master key.
Reference in New Issue View Git Blame Copy Permalink