From 70bafcb31ff26ad092958be67c102a889bebbea3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 5 Jul 2023 14:32:23 +0200
Subject: [PATCH] re-encrypt state with lassulus keys
---
 .sops.yaml | 6 ++++++
 targets/admins/terraform.tfstate | 6 +++++-
 targets/web01/terraform.tfstate | 6 +++++-
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index b02ef8a..eb04ad5 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,12 @@
 keys:
 - &joerg age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
 - &lassulus age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2
+# To generate new admin key, run (requires [age](https://github.com/FiloSottile/age)):
+# ```
+# mkdir -p ~/.config/sops/age/
+# age-keygen -o ~/.config/sops/age/keys.txt
+# ```
+# Provide the generated key to a pre-existing admin and wait for him to re-encrypt all secrets in this repo with it. After pulling the re-encrypted secrets you can read them with `sops some-file`.
 creation_rules:
 - path_regex: targets/.*/terraform.tfstate$
 key_groups:
diff --git a/targets/admins/terraform.tfstate b/targets/admins/terraform.tfstate
index 1822fd1..23aacfc 100644
--- a/targets/admins/terraform.tfstate
+++ b/targets/admins/terraform.tfstate
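Review bot: The last added comment line in `.sops.yaml` tells a new admin to "Provide the generated key to a pre-existing admin" without saying which half of the key pair is meant, and `~/.config/sops/age/keys.txt` holds the private identity, so a reader following the steps literally could hand over the secret key. I would state that only the public recipient is shared, e.g. `# Send only the public key (the "age1..." string printed by age-keygen, or the output of "age-keygen -y ~/.config/sops/age/keys.txt") to an existing admin; keys.txt itself never leaves your machine.` It would also help to name the step the existing admin performs, adding the recipient under `keys:` and to the matching rule before re-encrypting, so the procedure is reproducible. The `creation_rules` entry continues past the end of the hunk, so whether `*lassulus` is already listed under `key_groups` cannot be confirmed from the visible lines.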
@@ -8,7 +8,11 @@ "age": [ { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsQ1VZejVPbnJnS1dHVW1y\nWWRKMHR3NjB1azVkRCttMytrcmgwaEZxWW5ZCm5MeGN0bFRYajlXSTVMM2haQytC\neUhXbEhwTkVjbGNxYVNHKzZ0NTFPQ0EKLS0tIDlFQzNMbXBUSUMyZ2dtSHJHWGNJ\nbUE4OEhpZDRnWEZqVGVNdEVHekQ5QzQKH7LQ/Ih6GHdqHSt0EtpYbrG+CYwyFIHF\nZ/bcRSvrBYlLs4bh5MxJbxYyUNRGGQjESDuT/bZL8HkicWYjQONu7w==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaYzNBNHRaSmd6d09WZWNE\nL1Bva0NhRDU5YTdWQkw2d2p4bXc5OTh0c3hNCkpQVkt4WVk5TXJZcng3VWdsWUtS\nWHQvQnVWQXYyWGhQUzRIaC83aVU0V1kKLS0tIEFvK25qNGV6djJsSW1rckhpMyt6\nZ09EbjhCZnFDbUxoN1Fta2tJTHpUeUkKUwuOA6OWhze6vwRWJWRl55p8Jp+FZBBk\nFXsCRQeeFe/8OBC9eyNoF8JYvyp9jCuNKZt7jo8c4p5nbcj+b/3KFA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5RSthcVFndFhmc0ltaW8x\nSzdIaktEaFFKdWxFcjVCY3pnYllPSUNDMkNnClJsV2JVRDNNUk5Hcm5ieWN5d3dH\nUVB5MVJ2RlRrTnNGTG5XVWpoaXo4SlUKLS0tIERtRDdkUUhNNm9kL3FtdWg2Q1lQ\nZjU2eWNwalRLNW1IUlZVTSthd3lFcVkK9OvZVQ9yK99Xb8EULx3gut5meXWjwO3j\nNHGknvMRL9dCdWJ1sMjHvDvnAyMuYrYaGkqXr8eINbclfccK7NqdIA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2023-07-04T15:50:45Z", diff --git a/targets/web01/terraform.tfstate b/targets/web01/terraform.tfstate index 3599157..af6ae4a 100644 --- a/targets/web01/terraform.tfstate +++ b/targets/web01/terraform.tfstate 
@@ -8,7 +8,11 @@ "age": [ { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaR2U3NEVhT1NhbjdYTGFu\nNGRob3FDYVhsL2lvb2g1MmdJSGMrSHllN0dvCk51VW9kVldoOTFFcmhYdk1MTy9P\nTEFXNnB0K09FUHM4MjlRL3F0UFlRWG8KLS0tIGVSK3RnQ0FWTWRyYzcrWjhtR3hy\nc1AvRHlBVWQ0cjc0OW1OQ24wTTdqMmMKmyaZiei+OzrUXNeHnhDyk0wiIRNoBv8e\nnDp2m9lxpGhluvU8lUtdwYzwoLuAs/31diMujm9IyEqpeuBRlaHotA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3MGZBS2ZrS2RjeXRXNUN0\nUFhFdGNEd3Vxc3JJVmtvUG1Md2hKZDB0VTFrCmk4S0FxZUZScjlybk9RLzBsOUwx\nMVYvTUxoazdha1lYdUhiOERSMzE3dXMKLS0tIHlWcUtRSEZabGd3RkdGbU13Ulhh\nMDRQNGwvRFRLalp5NDdRVjlBbGM1WGMKcP1vquesh8IJfwU02/I7TX3AxfwzM027\nzUmKIsoax+/ScdnG2ftZ4dOm/LicuplGSwUQsXBB8x4Q2PziuWwEeg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWM0RneTlsNHJpVmVVa3h2\nLzZBR1pNRnppOEdURXJQWHdVYThDRFFkVmdZCnRzWVpFdFRnMlJ4eStlUTZKVEVU\ndWNWWEltWHc2UzBYQ3ZiM0FwcmdmcTgKLS0tIFRPN3lwNDZFYXJwa0dUS0FPRDVn\nb1JqQk0rZWp0cmdEcGhrcW5PYmxNaTgKGSnlZ+E7QfMln5jNpWgN51kTaLi8oMAV\nMlI3jlZtIOseNiKeMdVDQsn+2ILyqxAUVPwwgTLQxMxttg9u5Zlm7w==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2023-07-05T10:45:58Z",