diff --git a/README.md b/README.md index 0542926..e9bea9a 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,11 @@ -## howto create a gpg key +# GPG Key Repo + +Purpose: Manage gpg keys for: +* SOPS + +# Key Management + +## howto create and add a gpg key - please follow instruction on following link: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key - add ONLY the _PUBLIC_ part of your gpg key!!! - checkin via MergeRequest/PullRequest @@ -9,16 +16,47 @@ gpg --import /path/to/keys/*.gpg.pub ### list imported gpg keys gpg --list-keys --keyid-format=long +# EOL: Archive Expired Keys + +To mark a key as expired, move it to the `archive/` dir as follows: + +```bash +mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive" +``` + # Configure SOPS +SOPS is used for encrypting secrets, e.g. credentials for various systems + + +## Install + +https://github.com/getsops/sops + +Note: +* MacOS: If desired, one can also use brew to install sops: `brew install sops`; although this is not officially maintained, [the formula is essentially the same as the official installation instructions](https://github.com/Homebrew/homebrew-core/blob/4496ce5131bc09e7065fa0aa8fb96366a3df6477/Formula/s/sops.rb) + +## Usage + +Decrypt and Display Secrets in Terminal: + ```bash GPG_TTY=$(tty) sops secrets.yaml ``` -Note: GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/ +Note: The `GPG_TTY` is necessary to have the password prompt appear. src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/ + +Note: `secrets.yaml` is just an example; the file can have any name ## Example +The steps in the following example can be run locally in order to: +* create a sample secrets file +* encrypt the file +* decrypt the file + +If these steps work, sops configured correctly - on your machine ;-) + ```bash #!/usr/bin/env bash set -ueo pipefail 
@@ -29,11 +67,4 @@ sops -e -i secrets.yaml # decript, print to console sops -d secrets.yaml -``` - -# Archive Expired Keys - -```bash -mkdir archive -mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive" ``` \ No newline at end of file
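Review bot: In the first hunk (`@@ -1,4 +1,11 @@`) the heading levels are inconsistent: `# GPG Key Repo` is the document title, yet `# Key Management` (and the existing `# Configure SOPS`) sit at the same `#` level, so the new `## howto create and add a gpg key` reads as a child of "Key Management" while "Key Management" itself is a sibling of the title. Suggest demoting the section headings one level (`## Key Management`, `### howto create and add a gpg key`, and likewise for the SOPS sections) so the title stays the only H1. The `Purpose: Manage gpg keys for:` list has a single entry, `* SOPS`; if nothing else is planned, a plain sentence ("Purpose: manage the GPG public keys used by SOPS") is clearer than a one-item list. Since the howto says to check keys in via MergeRequest/PullRequest, it would also help to state what the reviewer of that request is expected to check (at minimum, that the submitted file contains only a public key, as the "add ONLY the _PUBLIC_ part" line demands).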
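Review bot: In the second hunk (`@@ -9,16 +16,47 @@`) the new "EOL: Archive Expired Keys" snippet drops the `mkdir archive` step that the old section had, so `mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive"` fails with "No such file or directory" on a checkout where `archive/` does not yet exist; either restore it as `mkdir -p archive` before the `mv`, or state that the directory is tracked in the repo. `${keyname}` should also be quoted (`mv "${keyname}" ...`) for consistency with the destination argument. More importantly, the sentence "To mark a key as expired, move it to the `archive/` dir" overstates what the move does: it only stops the key from matching the `gpg --import /path/to/keys/*.gpg.pub` glob for new imports; anyone who already imported it still has it, and every secrets file that was encrypted to that key remains decryptable by its holder until the files are re-encrypted for the remaining recipients. Suggest adding that follow-up step (re-encrypt the SOPS files without the archived key, and rotate the secrets if the key is being retired because of compromise) right after the `mv`. Minor wording in the same hunk: "MacOS" should be "macOS", and "If these steps work, sops configured correctly" is missing "is".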
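Review bot: In the third hunk (`@@ -29,11 +67,4 @@`) the removed "Archive Expired Keys" block is the only place that created the `archive/` directory (`mkdir archive`), and that line is deleted here without being carried over to the relocated EOL section earlier in the patch, so the relocation silently changes behaviour. The hunk also leaves the file with `\ No newline at end of file` after the closing fence; add a trailing newline so the next change to this file does not produce a spurious diff on that line. While touching this region, the unchanged context comment `# decript, print to console` could be corrected to `# decrypt` in the same commit.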