Honeypot / nixfiles
Commits
Commit 4e0326fe (Verified)
authored Sep 26, 2021 by Matthias Adamczyk
Add secrets/README.md
parent d2522c25
Changes: 1
secrets/README.md
0 → 100644
# Secrets store
This directory contains all GPG encrypted secrets to be deployed on our production machines.
## Directory layout
```
┆
└── secrets/
├── .gpg-id # GPG Encryption Key Fingerprints of all sysadmins
├── .public-keys/ # Public Keys of all sysadmins **and** production hosts
│
├── host-01/ # Secrets for host-01
│ └── .gpg-id # GPG Fingerprint of host-01 and sysadmins
│
├── host-02/ # Secrets for host-02
┆ └── .gpg-id # GPG Fingerprint of host-02 and sysadmins
```
## Setting up the secrets/ folder
### Adding yourself to the secrets/ folder
1.
Create a personal GPG key if you don't have one yet.
Run
`gpg --full-gen-key`
. Choosing
`RSA and RSA (default)`
with a keysize of
`4096`
would be a sensible default.
2.
Retrieve the fingerprint of your keypair
```
matti@yunix:~/nixfiles $ gpg --list-keys adamczyk@finf.uni-hannover.de
pub rsa4096 2021-09-01 [C]
-> 5E54CAF39A62A349B8BA024322FE3639ECA2C9EB <- this one
uid [ultimate] Matthias Adamczyk <adamczyk@finf.uni-hannover.de>
[…]
```
3.
Copy the fingerprint of your keypair to all
`.gpg-id`
files:
```
gpg_id=5E54CAF39A62A349B8BA024322FE3639ECA2C9EB
find secrets -type f -name ".gpg-id" | while read -r file; do echo "$gpg_id" >> "$file"; done
```
4.
Export your public key to secrets/.public-keys/
```
fingerprint=5E54CAF39A62A349B8BA024322FE3639ECA2C9EB
gpg --armor --export "$fingerprint" > "secrets/.public-keys/$fingerprint"
```
5.
Commit the changes you have made so far
6.
Ask another operations team member to re-encrypt the password store
### Adding a new host to the secrets/ folder
The process is similar.
1.
SSH to the host and become root. Then create a new GPG key:
-
Run
`gpg --full-gen-key`
. Choosing
`RSA and RSA (default)`
with a keysize of
`4096`
would be a sensible default.
-
**DO NOT SET A PASSWORD!**
Otherwise decryption will fail during boot.
2.
Retrieve the fingerprint of the keypair:
```
root@host-01:~/ $ gpg --list-keys
sec rsa4096 2014-04-11 [SC] [expires: 2023-04-12]
-> 4L0N9PU8L1CK3Y <- this one
uid [ultimate] host-01 root user <root@host-01>
[…]
```
3.
Copy the fingerprint of the keypair to
`secrets/host-01/.gpg-id`
.
```
matti@yunix:~/nixfiles $ mkdir -p secrets/host-01
matti@yunix:~/nixfiles $ echo 4L0N9PU8L1CK3Y >> secrets/host-01/.gpg-id
```
4.
Export the public key to
`secrets/.public-keys`
```
matti@yunix:~/nixfiles $ gpg --armor --export 4L0N9PU8L1CK3Y > secrets/.public-keys/host-01
```
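Review bot: In "Adding a new host to the secrets/ folder" step 3, `echo 4L0N9PU8L1CK3Y >> secrets/host-01/.gpg-id` leaves the host's `.gpg-id` with only the host fingerprint, but the directory layout at the top says that file holds the "GPG Fingerprint of host-01 and sysadmins"; add a step that also appends the sysadmin fingerprints from the top-level `secrets/.gpg-id` (e.g. `cat secrets/.gpg-id >> secrets/host-01/.gpg-id`), otherwise anything encrypted under `secrets/host-01/` is readable by the host alone and no sysadmin can re-encrypt it later. In the same section, step 2 shows `gpg --list-keys` but the sample output line starts with `sec`, which is what `gpg --list-secret-keys` prints (`--list-keys` prints `pub`, as in the sysadmin example), and `4L0N9PU8L1CK3Y` is not a hex fingerprint, so label it as a placeholder to avoid copy-paste confusion. The public-key file naming is also inconsistent: sysadmins export to `secrets/.public-keys/$fingerprint` while hosts export to `secrets/.public-keys/host-01`; pick one convention and state it in the layout comment. Finally, step 6 of the sysadmin section ("Ask another operations team member to re-encrypt the password store") is the step that actually grants the new key access, yet no re-encryption command is documented anywhere; add it, and since the host key is deliberately generated without a passphrase, note in the host section that its private keyring is unprotected at rest and must remain readable by root only.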