Verified Commit 4e0326fe authored by Matthias Adamczyk's avatar Matthias Adamczyk

Add secrets/README.md

parent d2522c25
# Secrets store
This directory contains all GPG-encrypted secrets to be deployed on our production machines.
## Directory layout
```
└── secrets/
    ├── .gpg-id          # GPG encryption key fingerprints of all sysadmins
    ├── .public-keys/    # Public keys of all sysadmins **and** production hosts
    ├── host-01/         # Secrets for host-01
    │   └── .gpg-id      # GPG fingerprint of host-01 and sysadmins
    ├── host-02/         # Secrets for host-02
    ┆   └── .gpg-id      # GPG fingerprint of host-02 and sysadmins
```
## Setting up the secrets/ folder
### Adding yourself to the secrets/ folder
1. Create a personal GPG key if you don't have one yet.
Run `gpg --full-gen-key`. Choosing `RSA and RSA (default)` with a keysize of `4096` would be a sensible default.
2. Retrieve the fingerprint of your keypair
```
matti@yunix:~/nixfiles $ gpg --list-keys adamczyk@finf.uni-hannover.de
pub rsa4096 2021-09-01 [C]
-> 5E54CAF39A62A349B8BA024322FE3639ECA2C9EB <- this one
uid [ultimate] Matthias Adamczyk <adamczyk@finf.uni-hannover.de>
[…]
```
3. Copy the fingerprint of your keypair to all `.gpg-id` files:
```
gpg_id=5E54CAF39A62A349B8BA024322FE3639ECA2C9EB
# Append the fingerprint to the top-level .gpg-id and to every host's .gpg-id
find secrets -type f -name ".gpg-id" | while read -r file; do echo "$gpg_id" >> "$file"; done
```
4. Export your public key to secrets/.public-keys/
```
fingerprint=5E54CAF39A62A349B8BA024322FE3639ECA2C9EB
gpg --armor --export "$fingerprint" > "secrets/.public-keys/$fingerprint"
```
5. Commit the changes you have made so far
6. Ask another operations team member to re-encrypt the password store
### Adding a new host to the secrets/ folder
The process is similar.
1. SSH to the host and become root. Then create a new GPG key:
- Run `gpg --full-gen-key`. Choosing `RSA and RSA (default)` with a keysize of `4096` would be a sensible default.
- **DO NOT SET A PASSPHRASE!** Otherwise decryption will fail during boot, because nobody is there to enter it.
2. Retrieve the fingerprint of the keypair:
```
root@host-01:~/ $ gpg --list-keys
sec rsa4096 2014-04-11 [SC] [expires: 2023-04-12]
-> 4L0N9PU8L1CK3Y <- this one
uid [ultimate] host-01 root user <root@host-01>
[…]
```
3. Copy the fingerprint of the keypair to `secrets/host-01/.gpg-id`. As in the layout above, this file must also list the sysadmin fingerprints from `secrets/.gpg-id`, otherwise no sysadmin can decrypt the host's secrets.
```
matti@yunix:~/nixfiles $ mkdir -p secrets/host-01
matti@yunix:~/nixfiles $ echo 4L0N9PU8L1CK3Y >> secrets/host-01/.gpg-id
```
4. Export the public key to `secrets/.public-keys`
```
matti@yunix:~/nixfiles $ gpg --armor --export 4L0N9PU8L1CK3Y > secrets/.public-keys/host-01
```
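Step 6 of "Adding yourself" (re-encrypting the store) and the recipient list a new host directory needs (host key plus sysadmins, as in the layout) are not spelled out above. The following POSIX shell script is an added example, not code from this repository: it imports the keys in `.public-keys/`, validates every `.gpg-id` entry as a 40-hex-digit fingerprint, and re-encrypts each host directory to the union of its own `.gpg-id` and the top-level one. It assumes that secrets are stored as `*.gpg` files directly inside each host directory, that the caller holds a private key able to decrypt the current ciphertexts, and that `SECRETS_DIR`, `recipients_for`, `check_gpg_id` and `reencrypt_dir` are names chosen here.

```shell
#!/bin/sh
# Added example (not part of the secrets/ repository): maintenance helpers for
# a pass-style GPG secrets store. Assumed layout: secrets/<host>/<name>.gpg.
set -eu

SECRETS_DIR="${SECRETS_DIR:-secrets}"

# Import every exported public key so gpg can resolve all recipients.
import_public_keys() {
    for key in "$SECRETS_DIR"/.public-keys/*; do
        [ -f "$key" ] || continue
        gpg --batch --quiet --import "$key"
    done
}

# Strip '#' comments and whitespace from .gpg-id lines, drop empty lines.
clean_gpg_id_lines() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' | grep -v '^$' || true
}

# Recipients for one host directory: the sysadmins from the top-level .gpg-id
# plus whatever the directory's own .gpg-id adds (normally the host key).
recipients_for() {
    dir="$1"
    for f in "$SECRETS_DIR/.gpg-id" "$dir/.gpg-id"; do
        if [ -f "$f" ]; then cat "$f"; fi
    done | clean_gpg_id_lines | sort -u
}

# A v4 OpenPGP fingerprint is exactly 40 hex digits. Short key ids, e-mail
# addresses or typos are rejected, so we never encrypt to an ambiguous
# recipient. Returns 1 if any entry is malformed.
check_gpg_id() {
    id_file="$1"
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | clean_gpg_id_lines)
        if [ -z "$line" ]; then continue; fi
        if ! printf '%s\n' "$line" | grep -Eq '^[0-9A-Fa-f]{40}$'; then
            echo "bad fingerprint in $id_file: $line" >&2
            status=1
        fi
    done < "$id_file"
    return $status
}

# Re-encrypt every *.gpg file in one host directory to its full recipient list.
reencrypt_dir() {
    dir="$1"
    check_gpg_id "$SECRETS_DIR/.gpg-id"
    if [ -f "$dir/.gpg-id" ]; then check_gpg_id "$dir/.gpg-id"; fi
    set --
    for fpr in $(recipients_for "$dir"); do
        set -- "$@" -r "$fpr"
    done
    for secret in "$dir"/*.gpg; do
        [ -f "$secret" ] || continue
        tmp="$secret.tmp"
        # Decrypt with our own key, then encrypt to all recipients at once.
        # --trust-model always: recipients are vetted by the repository review,
        # not by the web of trust on this machine.
        gpg --batch --quiet --decrypt "$secret" \
            | gpg --batch --quiet --yes --trust-model always --encrypt "$@" --output "$tmp"
        mv "$tmp" "$secret"
    done
}

# Usage: ./secrets-tool.sh check | ./secrets-tool.sh reencrypt
case "${1:-}" in
    check)
        for f in "$SECRETS_DIR"/.gpg-id "$SECRETS_DIR"/*/.gpg-id; do
            [ -f "$f" ] && check_gpg_id "$f"
        done ;;
    reencrypt)
        import_public_keys
        for dir in "$SECRETS_DIR"/*/; do
            reencrypt_dir "${dir%/}"
        done ;;
esac
```

Run `check` before committing a change to any `.gpg-id`, and `reencrypt` after a sysadmin or host key has been added or removed; the script leaves files untouched if validation fails, so a malformed fingerprint cannot silently drop a recipient.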