Secrets
We use sops-nix to manage secrets that are not files. For the most part this means SSH keys, API keys, and other plaintext secrets.
To start, identify whether you are creating a system-level secret or a user-level secret.
User secrets
If you are adding a user-level secret, add your user to the list of users in the `.sops.yaml` file. Then get your public key by running:

```sh
cat ~/.ssh/id_ed25519.pub
```

Then create your user's secrets file:

```sh
sops secrets/your_username.yaml
```

Where `your_username` is your actual username.
System secrets
If you are adding system-level secrets, get the hostname and its accompanying public key. To get the public key, run:

```sh
ssh-keyscan <host>
```

Where `<host>` is the IP address or hostname of the system you want to add.

Alternatively, if you are on the machine you can run:

```sh
cat /etc/ssh/ssh_host_ed25519_key.pub
```

Then create the system secrets file:

```sh
sops secrets/services/<service>.yaml
```

Replace `<service>` with the name of the service you are adding the secrets for.
Rotating secrets
To rotate a secret file, run:

```sh
sops rotate -i secrets/<file>.yaml
```

Where `<file>` is the name of the file you want to rotate.

To rotate all the secrets, run:

```sh
find secrets/ -name "*.yaml" | xargs -I {} sops rotate -i {}
```

Adding new owners to secrets
To add a new owner to a secret file, you must first add the new recipient to the `.sops.yaml` file. Then run:

```sh
sops updatekeys secrets/<file>.yaml
```

Where `<file>` is the name of the file you want to update.

To batch update all secrets, run:

```sh
find secrets/ -name "*.yaml" | xargs -I {} sops updatekeys -y {}
```
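The two `find | xargs` loops above operate on every file under `secrets/` without checking that each one is actually encrypted, and nothing confirms that an `updatekeys` reached a given file. The following POSIX shell script is an added example, not part of this repository or of sops-nix: it fails if any `*.yaml` under `secrets/` lacks sops metadata (a plaintext secret committed by mistake) and prints the age recipients recorded in a file so they can be compared with `.sops.yaml`. It assumes the metadata layout sops writes (a top-level `sops:` block with `age:` recipients and a `mac:`), that recipients are age keys, and the sample files it writes are constructed.

```shell
# Added example, not part of the repository's tooling: audit secrets/ for
# files that lack sops metadata and list the recipients a file is encrypted to.

# is_sops_encrypted FILE: succeed only if FILE has a top-level "sops:" block with a MAC.
is_sops_encrypted() {
    grep -q '^sops:' "$1" && grep -q '^[[:space:]]*mac: ENC\[' "$1"
}

# sops_age_recipients FILE: print the age public keys in the sops metadata, one per
# line. After `sops updatekeys` the new owner's key must appear here.
sops_age_recipients() {
    sed -n 's/^[[:space:]]*-[[:space:]]*recipient:[[:space:]]*\(age1[0-9a-z]*\).*/\1/p' "$1"
}

# audit_secrets DIR: succeed if every *.yaml under DIR is sops-encrypted; otherwise
# print each plaintext file and fail. Unlike `xargs -I {}`, spaces in names are safe.
audit_secrets() {
    bad=$(find "$1" -name '*.yaml' | while IFS= read -r f; do
        is_sops_encrypted "$f" || printf '%s\n' "$f"
    done)
    [ -z "$bad" ] && return 0
    printf 'Not sops-encrypted:\n%s\n' "$bad" >&2
    return 1
}

# write_demo_tree DIR: constructed sample data. demo.yaml mimics the shape of a
# sops-encrypted file (ciphertext and recipient are made up); leak.yaml is plaintext.
write_demo_tree() {
    mkdir -p "$1/services"
    cat >"$1/services/demo.yaml" <<'EOF'
api_key: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1exampleconstructedrecipient000000000000000000000000000000000
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            Y29uc3RydWN0ZWQgc2FtcGxl
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    version: 3.8.1
EOF
    printf 'api_key: hunter2\n' >"$1/leak.yaml"
}

demo=$(mktemp -d)
write_demo_tree "$demo/secrets"
audit_secrets "$demo/secrets" || echo "audit failed as expected: leak.yaml is plaintext"
rm -rf "$demo"
```

Run it from the repository root as a pre-commit or CI step so a plaintext file under `secrets/` blocks the commit.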