# GPG Key Repo Purpose: Manage gpg keys for: * SOPS # Key Management ## 1. Onboarding: howto create and add a gpg key - please follow instruction on following link: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key - add ONLY the _PUBLIC_ part of your gpg key!!! - checkin via MergeRequest/PullRequest ### import gpg keys ```shell gpg --import /path/to/keys/*.gpg.pub ``` ### list imported gpg keys ```shell gpg --list-keys --keyid-format=long ``` ### groups Access for each repo is tracked using the `./groups/` directory; each sub-directory represents a "group" (Note: some "groups" are also "roles", e.g. `admin`) ```bash cd groups/ ln -s ../../ ``` ## 2. Offboarding: Archive Expired Keys (EOL) To mark a key as expired, move it to the `archive/` dir as follows: ```bash mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive" ``` ## 3. Configure sops config Context: This repo stores the keys used to encrypt secrets in other repos; these "consumer" repos each contain a sops config `.sops.yaml` which manages access to the encrypted files (e.g. `secrets.yaml`) The following commands explain how to update the `.sops.yaml` for a repository: ```bash # E.g. update sops config for DevNSO % git clone git@git.dev-at.de:cloud-solutions/nso/devnso-adp-argocd.git % cd devnso-adp-argocd/ # List available groups % ${PATH_TO_THIS_REPO}/bin/update_sops.sh --list_groups # INFO: listing groups admin automation devnso-adp-argocd # For a given group, update sops config and specified secrets file % ${PATH_TO_THIS_REPO}/bin/update_sops.sh -r devnso-adp-argocd -s ./adp-api-devs/adp-api-devs/secrets.yaml % git diff ``` # Configure SOPS SOPS is used for encrypting secrets, e.g. credentials for various systems ## Install https://github.com/getsops/sops Note: * MacOS: If desired, one can also use brew to install sops: `brew install sops`; although this is not officially maintained, [the formula is essentially the same as the official installation instructions](https://github.com/Homebrew/homebrew-core/blob/4496ce5131bc09e7065fa0aa8fb96366a3df6477/Formula/s/sops.rb) ## Usage Decrypt and Display Secrets in Terminal: ```bash GPG_TTY=$(tty) sops secrets.yaml ``` Note: The `GPG_TTY` is necessary to have the password prompt appear. src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/ Note: `secrets.yaml` is just an example; the file can have any name ## Example - Manual The steps in the following example can be run locally in order to: * create a sample secrets file * encrypt the file * decrypt the file If these steps work, sops configured correctly - on your machine ;-) ```bash #!/usr/bin/env bash set -ueo pipefail # demo: create a file with a mock secret, src: https://bash-org-archive.com/?244321 # PREREQUISITE: valid sops config, i.e. .sops.yaml - Note: most repos already have one # further reading: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files yq -n '.demo.credentials.secret = "hunter2"' > secrets.yaml # encrypt sops -e -i secrets.yaml # decript, print to console sops -d secrets.yaml ``` ## Example - Automation ```shell cd verify/ ./usr_confirm_keycfg.sh ``` # Contributing Tests: `./verify/test.sh` Caveat: requires working SOPS config,pgp key, etc