haccfiles documentation

Secrets

Secret management

We use sops-nix to manage secrets which we'd like to have in Git but don't want to be public. Entries in secrets.yaml are encrypted for each of the age public keys listed in .sops.yaml, which are themselves derived from ssh keys (see below). Every key in that list can decrypt every entry, so the list is exactly the set of people and hosts that can read the secrets.

For the initial setup, please take a look at the sops-nix README.

To edit the secrets file, run sops secrets.yaml. This decrypts the file, opens it in your $EDITOR and re-encrypts it when you save and quit; you need one of the listed keys available locally for this to work.

To add a new key, use ssh-to-age to convert your ssh public key to an age public key and add it to .sops.yaml. Then run sops updatekeys secrets.yaml to re-encrypt the file for the new set of keys; this has to be done by someone who already holds one of the listed keys, because sops decrypts the data key and re-wraps it for every recipient. The reverse (dropping a key and running updatekeys) only protects future revisions: earlier versions in Git history stay decryptable with the removed key, and the data key itself is only replaced by rotating it (sops rotate).
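As an added example (not code from haccfiles or sops-nix), here is the add-a-key procedure above as a small POSIX sh script that also does the checks you want around it: it validates what ssh-to-age returns, refuses to continue until the recipient is actually present in .sops.yaml, and confirms afterwards that secrets.yaml lists the new recipient in its sops metadata. The script name add-key.sh, the anchor name and the indentation of the printed YAML lines are assumptions following the .sops.yaml layout from the sops-nix README; ssh-to-age and sops on PATH, and a repository root containing .sops.yaml and secrets.yaml, are assumed as well.

```sh
#!/usr/bin/env sh
# Added example, not part of haccfiles: derive an age recipient from an ssh
# public key, make sure it is listed in .sops.yaml, re-encrypt secrets.yaml
# for the new key set and verify the result.
# Assumptions: run from the repository root; ssh-to-age and sops are on PATH;
# the ssh key is ed25519 (the type ssh-to-age converts). The YAML layout and
# anchor names follow the sops-nix README convention, not haccfiles itself.
set -eu

# Shape check for an age x25519 recipient: "age1" plus 58 bech32 characters
# (the bech32 alphabet has no 1, b, i or o), 62 characters in total.
is_age_pubkey() {
    case "$1" in age1*) ;; *) return 1 ;; esac
    [ "${#1}" -eq 62 ] || return 1
    case "${1#age1}" in *[!ac-hj-np-z02-9]*) return 1 ;; esac
    return 0
}

# True if a sops-encrypted file already lists KEY as an age recipient.
# sops records recipients in the file's own metadata as "- recipient: age1...".
recipient_listed() { # recipient_listed FILE KEY
    grep -qF -- "recipient: $2" "$1"
}

# YAML lines that have to go into .sops.yaml for a new key: one anchored
# entry under "keys:" and one reference inside the age key group
# (indentation assumes the README layout; adjust to the real file).
sops_yaml_snippet() { # sops_yaml_snippet ANCHOR KEY
    printf '  - &%s %s\n' "$1" "$2"
    printf '          - *%s\n' "$1"
}

add_key() { # add_key SSH_PUBKEY_FILE ANCHOR   e.g. add_key ~/.ssh/id_ed25519.pub alice
    pubfile=$1 anchor=$2
    # ssh-to-age reads an ssh public key on stdin and prints the age recipient
    age_key=$(ssh-to-age < "$pubfile")
    is_age_pubkey "$age_key" || { echo "unexpected ssh-to-age output: $age_key" >&2; return 1; }

    if ! grep -qF -- "$age_key" .sops.yaml; then
        echo "Add these lines to .sops.yaml (under keys: and in the age key group), then rerun:" >&2
        sops_yaml_snippet "$anchor" "$age_key" >&2
        return 1
    fi
    # updatekeys decrypts the data key with a key you already hold and
    # re-wraps it for every recipient now listed in .sops.yaml (-y: no prompt).
    sops updatekeys -y secrets.yaml
    recipient_listed secrets.yaml "$age_key" \
        || { echo "secrets.yaml was not re-encrypted for $age_key" >&2; return 1; }
    echo "secrets.yaml now encrypted for $age_key"
}

# Stand-alone use: ./add-key.sh ~/.ssh/id_ed25519.pub alice
if [ "$#" -eq 2 ]; then
    add_key "$1" "$2"
fi
```

The final recipient_listed check is the part worth keeping even if you run the commands by hand: sops only writes the new recipient into the sops: block of secrets.yaml once updatekeys has actually succeeded, so grepping for it is a cheap way to confirm the re-encryption happened before you commit.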