
Change the secrets encryption key

All the platform secrets are located in secrets/secrets.yaml and encrypted with sops.

On the main branch this file is encrypted by a sample age key located at the root of the project (sample_age_key.txt) and contains fake secrets. While you can use this sample key for testing, it's better to change it before doing anything with the secrets file.

Start by making the sample age key available to sops by putting it in its well-known location:

Linux:

$ mkdir -p ~/.config/sops/age
$ cat sample_age_key.txt >> ~/.config/sops/age/keys.txt

Windows (PowerShell):

PS> New-Item -Path $env:APPDATA\sops\age -ItemType Directory
PS> Copy-Item .\sample_age_key.txt $env:APPDATA\sops\age\keys.txt

Note

The following shows a rotation with a new age key. Note that you can use any other key type that sops understands; check the sops documentation. You can also add other types of keys later on. We recommend continuing to use age at this stage.

Then create your own key:

Linux:

$ age-keygen >> ~/.config/sops/age/keys.txt
Public key: age1...

Windows (PowerShell):

PS> age-keygen >> $env:APPDATA\sops\age\keys.txt
Public key: age1...

Derive the age key from an ssh key

The age key can be derived from an ssh key. This is convenient, as an SSH key may already be used to access the repository.

The ssh-to-age project provides a command to convert an existing ed25519 ssh key into a valid age key:

$ go install github.com/Mic92/ssh-to-age/cmd/ssh-to-age@latest
$ ssh-to-age -private-key -i ~/.ssh/id_ed25519 >> ~/.config/sops/age/keys.txt
$ NEWKEY=$(ssh-to-age -i ~/.ssh/id_ed25519.pub)

Note that at the time of writing, there is a PR in sops adding native ssh key support to sops.

Re-encrypt the secrets for the public key of your new key (the recipient, in age parlance) with the following commands:

Linux:

$ OLDKEY=$(age-keygen -y ~/.config/sops/age/keys.txt | head -1)
$ NEWKEY=$(age-keygen -y ~/.config/sops/age/keys.txt | tail -1)
$ for f in secrets/secrets.yaml secrets/helm/*; do \
> sops -r -i \
> --add-age $NEWKEY \
> --rm-age $OLDKEY \
> $f ; done

Windows (PowerShell):

PS> $OLDKEY=age-keygen.exe -y $env:APPDATA\sops\age\keys.txt | Select-Object -First 1
PS> $NEWKEY=age-keygen.exe -y $env:APPDATA\sops\age\keys.txt | Select-Object -Last 1
PS> $(ls .\secrets\secrets.yaml;ls .\secrets\helm\*) | `
> % { &sops '-r' '-i' '--add-age' $NEWKEY '--rm-age' $OLDKEY $_.FullName }

Now change the recipient in the .sops.yaml sops configuration file so that the new key is used for encryption from now on:

Linux:

$ sed -i -e "s/age: .*/age: $NEWKEY/" .sops.yaml

Windows (PowerShell):

PS> $(Get-Content .\.sops.yaml | % { $_ -replace 'age: .*', "age: $NEWKEY" }) | `
> Set-Content .\.sops.yaml

At this point, you can delete the sample key on your branch and commit the modifications:

Linux:

$ rm sample_age_key.txt
$ git add -A
$ git commit -m "🔐 Secrets encryption key modification"

Windows (PowerShell):

PS> Remove-Item sample_age_key.txt
PS> git add -A
PS> git commit -m "🔐 Secrets encryption key modification"

From now on, you should forget the old key and make sure that you keep the new key safe. A good idea is to store it in a secure password manager such as gopass.

To remove the old key from the sops well-known location, issue the following command:

Linux (the sample key occupies the first three lines of the file):

$ sed -i -e '1,3 d' ~/.config/sops/age/keys.txt

Windows (PowerShell; the file is read fully into memory first so that Set-Content can write to it):

PS> (Get-Content $env:APPDATA\sops\age\keys.txt) | Select-Object -Skip 3 `
> | Set-Content $env:APPDATA\sops\age\keys.txt

Test that your environment is correct by decrypting the secrets file:

Linux:

$ sops -d secrets/secrets.yaml > secrets/secrets.dec.yaml

Windows (PowerShell):

PS> sops -d secrets/secrets.yaml > secrets/secrets.dec.yaml
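Decrypting proves the new key works, but not that the old recipient is gone. As an added check (an example script, not part of the project), the POSIX shell snippet below reads the sops: metadata block of each encrypted file and confirms that the new age recipient is listed and the old one is absent; it builds constructed sample files with placeholder recipients so it runs without sops or age installed, and the assumed usage against the repository is check_rotation "$OLDKEY" "$NEWKEY" secrets/secrets.yaml secrets/helm/*.

```shell
# Added example, not from the original project: verify the recipient rotation
# by inspecting the `sops:` metadata of each file. Pure text processing, so it
# runs without sops/age installed (use `sops -d` for the real decryption test).

# Print the age recipients recorded under `sops.age` in one encrypted file.
sops_age_recipients() {
    awk '/^sops:/ { insops = 1 }
         insops && /^ *- *recipient:/ { print $NF }' "$1"
}

# Usage: check_rotation OLD_RECIPIENT NEW_RECIPIENT FILE...
# Succeeds only if every file lists NEW and none of them still lists OLD.
check_rotation() {
    old=$1; new=$2; shift 2
    status=0
    for f in "$@"; do
        recips=$(sops_age_recipients "$f")
        if ! printf '%s\n' "$recips" | grep -qx "$new"; then
            echo "$f: new recipient missing" >&2; status=1
        fi
        if printf '%s\n' "$recips" | grep -qx "$old"; then
            echo "$f: old recipient still present" >&2; status=1
        fi
    done
    return $status
}

# Constructed sample data: placeholder recipients and placeholder ciphertext,
# laid out the way sops writes its metadata block. Not real keys.
OLD_RECIPIENT=age1placeholderoldkey
NEW_RECIPIENT=age1placeholdernewkey
SAMPLE_DIR=$(mktemp -d)
write_sample() {  # $1 = output path, $2 = recipient to record
    cat > "$1" <<EOF
password: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
sops:
    age:
        - recipient: $2
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            placeholder
            -----END AGE ENCRYPTED FILE-----
    mac: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
EOF
}
write_sample "$SAMPLE_DIR/rotated.yaml" "$NEW_RECIPIENT"   # rotation applied
write_sample "$SAMPLE_DIR/stale.yaml" "$OLD_RECIPIENT"     # rotation missed
```

Earlier git revisions still carry ciphertext addressed to the old recipient, so rotating the key does not retroactively protect anything committed under a key that was exposed.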

.gitignore safe

The project .gitignore file contains the *.dec.yaml pattern, so there is no risk of committing an unencrypted secrets file as long as you keep it named like that.

You can also build the secrets kustomization; it prints all the decrypted secrets to the terminal:

Linux:

$ kustomize build --enable-alpha-plugins --enable-exec secrets
...

Windows (PowerShell):

PS> kustomize build --enable-alpha-plugins --enable-exec secrets
...

Now that you can manage properly secured credentials, move on to the environment adaptation.