# Keys Directory

This directory contains GPG/age public keys for sops encryption.

## Structure

- `hosts/` - Host-specific public keys (for servers to decrypt their own secrets)
- `users/` - User/admin public keys (for team members to decrypt secrets)

## Adding Keys

### GPG Keys

Export your GPG public key:

```bash
gpg --export --armor YOUR_KEY_ID > keys/users/yourname.asc
```

Export a host's public key:

```bash
gpg --export --armor HOST_KEY_ID > keys/hosts/hostname.asc
```

### Age Keys

For age keys, save the public key (the `age1...` recipient string) to a file:

```bash
echo "age1..." > keys/users/yourname.age
echo "age1..." > keys/hosts/hostname.age
```

## Usage

When you enter the dev shell (`nix develop`), all keys in these directories are automatically imported into your GPG keyring via the sops-import-keys-hook.

## Important

- Only commit **public** keys (`.asc` or `.age` files containing public key material)
- Never commit private keys
- Update `.sops.yaml` to reference the fingerprints/keys for access control
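The rules above are easy to break by accident (a `gpg --export-secret-keys` output or an age identity file dropped into `keys/`). The script below is an added example, not part of this repository or of sops-nix: a pre-commit style check that rejects any file under `keys/hosts` or `keys/users` that is not public key material, and flags age recipients that `.sops.yaml` does not reference. It assumes the layout described in this README (`keys/hosts`, `keys/users`, `.sops.yaml` at the repository root) and that `.asc` files are ASCII-armored GPG exports while each `.age` file holds one recipient. The sample tree and `.sops.yaml` it writes in `make_fixture` are constructed for the demo; none of the key material is real, and the `pgp` value is a placeholder for a fingerprint.

```shell
#!/bin/sh
# Added example, not part of this repository: a pre-commit style check for the
# keys/ directory described above. It rejects anything that is not public key
# material and flags age recipients that .sops.yaml does not reference.
# Assumed layout: KEYSDIR/hosts and KEYSDIR/users, .sops.yaml at the repo root.
# Only grep/printf are used, so it runs without gpg or age installed.

# check_asc FILE: succeed only if FILE is an ASCII-armored *public* key block.
check_asc() {
  grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1" || return 1
  # gpg --export-secret-keys produces a "PRIVATE KEY BLOCK"; never accept one.
  if grep -q -- 'PRIVATE KEY BLOCK' "$1"; then return 1; fi
  return 0
}

# check_age FILE: succeed only if FILE holds exactly one age recipient
# (the "age1" prefix followed by 58 bech32 characters).
check_age() {
  # an age identity file carries AGE-SECRET-KEY-1...; never accept one.
  if grep -q -- 'AGE-SECRET-KEY-' "$1"; then return 1; fi
  [ "$(grep -c . "$1")" -eq 1 ] || return 1
  grep -Eq '^age1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{58}$' "$1"
}

# age_referenced FILE SOPS_YAML: succeed if the recipient in FILE appears in SOPS_YAML.
age_referenced() {
  grep -qF -- "$(cat "$1")" "$2"
}

# check_keys_dir KEYSDIR SOPS_YAML: report every problem on stderr and return
# the number of problems found (0 means the directory is clean).
check_keys_dir() {
  _dir=$1; _yaml=$2; _problems=0
  for f in "$_dir"/hosts/* "$_dir"/users/*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.asc)
        check_asc "$f" || { echo "REJECT: $f is not a public GPG key" >&2; _problems=$((_problems+1)); } ;;
      *.age)
        if ! check_age "$f"; then
          echo "REJECT: $f is not a single age recipient" >&2; _problems=$((_problems+1))
        elif ! age_referenced "$f" "$_yaml"; then
          echo "WARN: $f is not referenced in $_yaml" >&2; _problems=$((_problems+1))
        fi ;;
      *)
        echo "REJECT: $f has an unexpected extension" >&2; _problems=$((_problems+1)) ;;
    esac
  done
  return "$_problems"
}

# make_fixture DIR: write a constructed sample tree under DIR. Nothing here is a
# real key: the armor bodies are filler and the recipient is just valid bech32.
make_fixture() {
  mkdir -p "$1/keys/hosts" "$1/keys/users"
  printf '%s\n' 'age1qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf2tvdw0s3jn54khce' > "$1/keys/hosts/web01.age"
  printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'mQENBEXAMPLEONLYNOTAREALKEY=' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$1/keys/users/alice.asc"
  # two files the check must reject: a private export and an age identity
  printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' 'lQOYBEXAMPLEONLY=' \
    '-----END PGP PRIVATE KEY BLOCK-----' > "$1/keys/users/bob.asc"
  printf '%s\n' 'AGE-SECRET-KEY-1EXAMPLEONLYNOTAREALIDENTITY' > "$1/keys/hosts/db01.age"
  # constructed .sops.yaml in the creation_rules form sops documents; the pgp
  # value is a placeholder for a real 40-hex-digit fingerprint.
  cat > "$1/.sops.yaml" <<'EOF'
creation_rules:
  - path_regex: secrets/.*\.yaml$
    pgp: 'REPLACE_WITH_40_HEX_FINGERPRINT'
    age: 'age1qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf2tvdw0s3jn54khce'
EOF
}

# Demo: run the check against the fixture; expect two rejections.
tmp=$(mktemp -d)
make_fixture "$tmp"
check_keys_dir "$tmp/keys" "$tmp/.sops.yaml" || echo "found $? problem(s)" >&2
rm -rf "$tmp"
```

Wired into a pre-commit hook (`check_keys_dir keys .sops.yaml` with the demo lines removed), a non-zero return blocks the commit, so a private key never reaches the history where it would have to be treated as compromised. The `.sops.yaml` the fixture writes is only there to show the shape of the file the last bullet refers to: each recipient or fingerprint listed under a creation rule is a party that can decrypt the matching secrets, so it should be reviewed alongside any change to `keys/`.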