Secrets
Secret management
We use sops-nix to manage secrets which we'd
like to have in Git but don't want to be public. Entries in secrets.yaml
are
encrypted for each of the age keys listed in .sops.yaml
, which are themselves
derived from ssh keys.
For the initial set up, please take a look at the sops-nix Readme file.
To edit the secrets file, run sops secrets.yaml
, which will decrypt the
file & open it in your $EDITOR, then re-encrypt it when you're done.
To add a new key, use ssh-to-age
to convert your ssh key to age, and add it to
sops.yaml
. Then do sops updatekeys secrets.yaml
to re-encrypt the file for
the new set of keys.