# GPG Key Repo

Purpose: Manage gpg keys for:

* SOPS

# Key Management

## 1. Onboarding: how to create and add a gpg key

- please follow the instructions at the following link: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
- add ONLY the _PUBLIC_ part of your gpg key!!!
- check it in via MergeRequest/PullRequest

### import gpg keys

```shell
gpg --import /path/to/keys/*.gpg.pub
```

### list imported gpg keys

```shell
gpg --list-keys --keyid-format=long
```

### groups

Access for each repo is tracked using the `./groups/` directory; each sub-directory represents a "group" (Note: some "groups" are also "roles", e.g. `admin`)

```bash
cd groups/<project_name>
ln -s ../../<path_to_key.gpg.pub>
```

## 2. Offboarding: Archive Expired Keys (EOL)

To mark a key as expired, move it to the `archive/` dir as follows:

```bash
mv "${keyname}" "archive/${keyname}_$(date '+%Y-%m-%d').archive"
```

## 3. Configure sops config

Context: This repo stores the keys used to encrypt secrets in other repos; these "consumer" repos each contain a sops config `.sops.yaml` which manages access to the encrypted files (e.g. `secrets.yaml`)

The following commands show how to update the `.sops.yaml` for a repository:

```bash
# E.g. update sops config for DevNSO
% git clone git@git.dev-at.de:cloud-solutions/nso/devnso-adp-argocd.git
% cd devnso-adp-argocd/

# List available groups
% ${PATH_TO_THIS_REPO}/bin/update_sops.sh --list_groups
# INFO: listing groups
admin
automation
devnso-adp-argocd

# For a given group, update sops config and specified secrets file
% ${PATH_TO_THIS_REPO}/bin/update_sops.sh -r devnso-adp-argocd -s ./adp-api-devs/adp-api-devs/secrets.yaml
% git diff
```
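
As an added illustration of what sections 2 and 3 describe (example code written for this page, not the repo's own `update_sops.sh`): parse `gpg --list-keys --with-colons` output, drop keys that are expired, and render the `pgp` creation rule that `.sops.yaml` needs for a group. The sample gpg output, fingerprints and user IDs below are constructed.

```python
import time

# Constructed sample of `gpg --list-keys --with-colons` output (no real keys).
# In a pub record, field 2 is validity ('e' = expired) and field 7 the expiry
# epoch (empty = never expires); the fpr record that follows carries the
# full fingerprint, which is what a .sops.yaml `pgp` rule lists.
FPR_ALICE = "0123456789ABCDEF0123456789ABCDEF0000000A"
FPR_BOB = "0123456789ABCDEF0123456789ABCDEF0000000B"
SAMPLE_COLONS = f"""\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1600000000::-:::scESC::::::23::0:
fpr:::::::::{FPR_ALICE}:
uid:u::::1600000000::{FPR_ALICE}::Alice (demo) <alice@example.invalid>::::::::::0:
pub:e:4096:1:FEDCBA9876543210:1500000000:1600000000::-:::scESC::::::23::0:
fpr:::::::::{FPR_BOB}:
uid:e::::1500000000::{FPR_BOB}::Bob (demo, expired) <bob@example.invalid>::::::::::0:
"""


def parse_keys(colons_output, now=None):
    """Return [(fingerprint, expired)] for each primary key in the output."""
    now = time.time() if now is None else now
    keys, pending = [], None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            expires = int(f[6]) if f[6] else None
            pending = f[1] == "e" or (expires is not None and expires < now)
        elif f[0] == "fpr" and pending is not None:
            keys.append((f[9], pending))
            pending = None  # only the primary key's fpr; subkey fprs are skipped
    return keys


def sops_creation_rule(keys, path_regex=r"secrets\.yaml$"):
    """Render a creation_rules entry listing only non-expired fingerprints."""
    active = [fpr for fpr, expired in keys if not expired]
    if not active:
        raise ValueError("no valid keys: refusing to write a rule nobody can decrypt")
    lines = ["creation_rules:", f"  - path_regex: {path_regex}", "    pgp: >-"]
    for i, fpr in enumerate(active):
        lines.append(f"      {fpr}," if i < len(active) - 1 else f"      {fpr}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(sops_creation_rule(parse_keys(SAMPLE_COLONS)))
```

After updating a rule this way, existing encrypted files still carry their old recipient list until re-encrypted (e.g. `sops updatekeys`), which is why the page's automation edits both the config and the secrets file.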

# Configure SOPS

SOPS is used for encrypting secrets, e.g. credentials for various systems

## Install

https://github.com/getsops/sops

Note:

* MacOS: If desired, one can also use brew to install sops: `brew install sops`; although this is not officially maintained, [the formula is essentially the same as the official installation instructions](https://github.com/Homebrew/homebrew-core/blob/4496ce5131bc09e7065fa0aa8fb96366a3df6477/Formula/s/sops.rb)

## Usage

Decrypt and Display Secrets in Terminal:

```bash
GPG_TTY=$(tty) sops secrets.yaml
```

Note: The `GPG_TTY` is necessary to have the password prompt appear. src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/

Note: `secrets.yaml` is just an example; the file can have any name

## Example - Manual

The steps in the following example can be run locally in order to:

* create a sample secrets file
* encrypt the file
* decrypt the file

If these steps work, sops is configured correctly - on your machine ;-)

```bash
#!/usr/bin/env bash
set -ueo pipefail

# demo: create a file with a mock secret, src: https://bash-org-archive.com/?244321
# PREREQUISITE: valid sops config, i.e. .sops.yaml - Note: most repos already have one
# further reading: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files
yq -n '.demo.credentials.secret = "hunter2"' > secrets.yaml

# encrypt in place
sops -e -i secrets.yaml

# decrypt, print to console
sops -d secrets.yaml
```

## Example - Automation

```shell
cd verify/
./usr_confirm_keycfg.sh
```

# Contributing

Tests: `./verify/test.sh`

Caveat: requires a working SOPS config, pgp key, etc.