From 22124e6d99c594229f109b18aaa2c64c54cfa230 Mon Sep 17 00:00:00 2001 From: Hoan To Date: Thu, 13 Feb 2025 14:25:04 +0100 Subject: [PATCH 1/3] added ssp prod key --- smardigo_automation_ssp_prod.gpg.pub | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 smardigo_automation_ssp_prod.gpg.pub diff --git a/smardigo_automation_ssp_prod.gpg.pub b/smardigo_automation_ssp_prod.gpg.pub new file mode 100644 index 0000000..2a0dd39 --- /dev/null +++ b/smardigo_automation_ssp_prod.gpg.pub @@ -0,0 +1,13 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mDMEZ63x7xYJKwYBBAHaRw8BAQdAxVEnJjkN/0RE6FlxNJVqUyzJUm4uXaCTjJ0d +6eFSI9+0I3NzcC1wcm9kIDxOU08tVGVhbS1EZXZPcHNAbmV0Z28uZGU+iJAEExYI +ADgWIQSsmw21kPSuIBfCrYNhE662bFEMPwUCZ63x7wIbAwULCQgHAgYVCgkICwIE +FgIDAQIeAQIXgAAKCRBhE662bFEMP4IXAQCl/C/HZ0WWmSv31GNlcBsIYdvys8Ny +c7qciu6ZAfuJ5wD/X6gsPohLVKZYT01pkiMRjehgBCeAIdYV7++1MnEloQa4OARn +rfHvEgorBgEEAZdVAQUBAQdAD9ikD606qN9oSWmebuqW2VXldozDndn34K6QnXfX +xHMDAQgHiHgEGBYIACAWIQSsmw21kPSuIBfCrYNhE662bFEMPwUCZ63x7wIbDAAK +CRBhE662bFEMP1zaAP94FZkb3Fm0P4fYSuuBLDUZK2dw1qt4lK2MNnFYUTAeBAD7 +BTW3mExgOqq6IXXf0IDvGO1sa6We0Frkm1JZKNR2QwQ= +=4I3G +-----END PGP PUBLIC KEY BLOCK----- From 9b0fad9172248fb67c92a8ef71a350b3418891b6 Mon Sep 17 00:00:00 2001 From: Lee Watson Date: Fri, 14 Feb 2025 12:14:14 +0000 Subject: [PATCH 2/3] ADP-179 doc sops --- README.md | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 59 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a78cba4..680f7cd 100644 --- a/README.md +++ b/README.md 
@@ -1,10 +1,67 @@ -## howto create a gpg key +# GPG Key Repo + +Purpose: Manage gpg keys for: +* SOPS + +# Key Management + +## howto create and add a gpg key - please follow instruction on following link: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key - add ONLY the _PUBLIC_ part of your gpg key!!! - checkin via MergeRequest/PullRequest ### import gpg keys +```shell gpg --import /path/to/keys/*.gpg.pub +``` ### list imported gpg keys -gpg --list-keys --keyid-format=long \ No newline at end of file +```shell +gpg --list-keys --keyid-format=long +``` + +# Configure SOPS + +SOPS is used for encrypting secrets, e.g. credentials for various systems + +## Install + +https://github.com/getsops/sops + +Note: +* MacOS: If desired, one can also use brew to install sops: `brew install sops`; although this is not officially maintained, [the formula is essentially the same as the official installation instructions](https://github.com/Homebrew/homebrew-core/blob/4496ce5131bc09e7065fa0aa8fb96366a3df6477/Formula/s/sops.rb) + +## Usage + +Decrypt and Display Secrets in Terminal: + +```bash +GPG_TTY=$(tty) sops secrets.yaml +``` + +Note: The `GPG_TTY` is necessary to have the password prompt appear. src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/ + +Note: `secrets.yaml` is just an example; the file can have any name + +## Example + +The steps in the following example can be run locally in order to: +* create a sample secrets file +* encrypt the file +* decrypt the file + +If these steps work, sops is configured correctly - on your machine ;-) + +```bash +#!/usr/bin/env bash +set -ueo pipefail +# demo: create a file with a mock secret, src: https://bash-org-archive.com/?244321 +# PREREQUISITE: valid sops config, i.e. 
.sops.yaml - Note: most repos already have one +# further reading: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files +yq -n '.demo.credentials.secret = "hunter2"' > secrets.yaml +# encrypt +sops -e -i secrets.yaml + +# decript, print to console +sops -d secrets.yaml +``` \ No newline at end of file From 8df5b8e0842d3a97bb25052c86ced7a1e8b16e33 Mon Sep 17 00:00:00 2001 From: Lee Watson Date: Fri, 14 Feb 2025 12:23:12 +0000 Subject: [PATCH 3/3] ADP-179 sops manage keys archives old keys, updates doc --- README.md | 10 +++++++++- archive/.gitignore | 0 .../joshua.kapfer@netgo.de.gpg.pub.2025.02.04.archived | 0 .../matthias.friedrich@netgo.de.gpg.pub | 0 .../sven.ketelsen@netgo.de.gpg.pub | 0 5 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 archive/.gitignore rename joshua.kapfer@netgo.de.gpg.pub => archive/joshua.kapfer@netgo.de.gpg.pub.2025.02.04.archived (100%) rename matthias.friedrich@netgo.de.gpg.pub => archive/matthias.friedrich@netgo.de.gpg.pub (100%) rename sven.ketelsen@netgo.de.gpg.pub => archive/sven.ketelsen@netgo.de.gpg.pub (100%) diff --git a/README.md b/README.md index 680f7cd..66e749a 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,14 @@ gpg --import /path/to/keys/*.gpg.pub gpg --list-keys --keyid-format=long ``` +# EOL: Archive Expired Keys + +To mark a key as expired, move it to the `archive/` dir as follows: + +```bash +mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive" +``` + # Configure SOPS SOPS is used for encrypting secrets, e.g. credentials for various systems @@ -64,4 +72,4 @@ sops -e -i secrets.yaml # decript, print to console sops -d secrets.yaml -``` \ No newline at end of file +``` diff --git a/archive/.gitignore b/archive/.gitignore new file mode 100644 index 0000000..e69de29 
diff --git a/joshua.kapfer@netgo.de.gpg.pub b/archive/joshua.kapfer@netgo.de.gpg.pub.2025.02.04.archived similarity index 100% rename from joshua.kapfer@netgo.de.gpg.pub rename to archive/joshua.kapfer@netgo.de.gpg.pub.2025.02.04.archived diff --git a/matthias.friedrich@netgo.de.gpg.pub b/archive/matthias.friedrich@netgo.de.gpg.pub similarity index 100% rename from matthias.friedrich@netgo.de.gpg.pub rename to archive/matthias.friedrich@netgo.de.gpg.pub diff --git a/sven.ketelsen@netgo.de.gpg.pub b/archive/sven.ketelsen@netgo.de.gpg.pub similarity index 100% rename from sven.ketelsen@netgo.de.gpg.pub rename to archive/sven.ketelsen@netgo.de.gpg.pub
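Review bot: The hunk adding smardigo_automation_ssp_prod.gpg.pub records neither the key's fingerprint nor its owner, so a reviewer cannot tell whether the armored blob is the intended key without importing it. Suggest putting the output of `gpg --show-keys --with-fingerprint smardigo_automation_ssp_prod.gpg.pub` into the commit message or PR description and confirming that fingerprint with the key holder out of band before merging. The filename also departs from the `<address>.gpg.pub` pattern the per-user keys in this series use; if automation and service keys are meant to be named differently, state that convention in README.md so that `gpg --import /path/to/keys/*.gpg.pub` keeps matching every key that is supposed to be trusted.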
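Review bot: In the README hunk of PATCH 2/3 the demo script has a window where `secrets.yaml` holds plaintext: between `yq -n '...' > secrets.yaml` and `sops -e -i secrets.yaml`, and if `sops -e -i` fails (for example when no `.sops.yaml` is found, which the comment itself names as the prerequisite) `set -ueo pipefail` aborts the script with the unencrypted file left in the current directory. Suggest running the demo in a scratch directory (`cd "$(mktemp -d)"`) and adding a `trap 'rm -f secrets.yaml' EXIT`, so the sample file never survives the run. Smaller points in the same hunk: the comment `# decript, print to console` should read `# decrypt`; the `GPG_TTY=$(tty)` requirement stated in the Usage section applies equally to the `sops -d secrets.yaml` step of the script, so export it there as well; the `yq -n` invocation assumes the Go `yq` (v4), which emits YAML, and the prerequisite comment should say so. Style: the file opens with `# GPG Key Repo` and then uses further `#` headings (`# Key Management`, `# Configure SOPS`) at the same level; these read better as `##` under the single top-level title.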
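Review bot: The archive command in the `@@ -20,6 +20,14 @@` hunk, `mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive"`, does not match what this same commit does: one key is renamed to `archive/joshua.kapfer@netgo.de.gpg.pub.2025.02.04.archived` (dot-separated date, `.archived` suffix), while the other two are moved into `archive/` unchanged and still end in `.gpg.pub`. Pick one convention and apply it to all three renames; dropping the `.gpg.pub` suffix on retired keys matters because the import instruction a few lines above globs on `*.gpg.pub`, and a recursive or mis-pathed glob would pull retired keys back into the keyring. `${keyname}` should be quoted like the destination already is, to protect against word splitting and globbing. On the wording: moving a file into `archive/` does not expire the key in GPG terms, and it does not stop SOPS files already encrypted to it from being decryptable with the corresponding private key. The section should describe this as retiring the key, and add that the key must also be removed from the consuming repositories' `.sops.yaml` creation rules and the affected files re-encrypted (`sops updatekeys`), otherwise archiving here changes nothing for those secrets.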
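Review bot: `archive/.gitignore` is added as an empty file (blob e69de29); it ignores nothing, and the directory is not empty, since three keys are moved into it in the same commit, so it serves no purpose. Either drop it or, if a marker was intended, name it `.gitkeep`; an empty `.gitignore` inside a directory of retired key material is easy to misread as "this directory is ignored".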