From 59440d99af9f0ef3124bd11b9d7c9d3384f57226 Mon Sep 17 00:00:00 2001 From: Carsten Skov Date: Sat, 23 Sep 2023 08:23:51 +0200 Subject: [PATCH] Added example of having age recipients in .sops.yaml Fixed formatting for example of multiple age keys in .sops.yaml Added example of using updatekeys with age Apply suggestions from code review Apply suggestions from code review Co-authored-by: Felix Fontein Signed-off-by: Carsten Skov --- README.rst | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README.rst b/README.rst index e8406032b..fb0f52959 100644 --- a/README.rst +++ b/README.rst @@ -218,7 +218,28 @@ identity will be tried in sequence until one is able to decrypt the data. Encrypting with SSH keys via age is not yet supported by SOPS. +A list of age recipients can be added to the ``.sops.yaml``: +.. code:: yaml + + creation_rules: + - age: >- + age1s3cqcks5genc6ru8chl0hkkd04zmxvczsvdxq99ekffe4gmvjpzsedk23c, + age1qe5lxzzeppw5k79vxn3872272sgy224g2nzqlzy3uljs84say3yqgvd0sw + +It is also possible to use ``updatekeys``, when adding or removing age recipients. For example: + +.. code:: sh + + $ sops updatekeys secret.enc.yaml + 2022/02/09 16:32:02 Syncing keys for file /iac/solution1/secret.enc.yaml + The following changes will be made to the file's groups: + Group 1 + age1s3cqcks5genc6ru8chl0hkkd04zmxvczsvdxq99ekffe4gmvjpzsedk23c + +++ age1qe5lxzzeppw5k79vxn3872272sgy224g2nzqlzy3uljs84say3yqgvd0sw + Is this okay? (y/n):y + 2022/02/09 16:32:04 File /iac/solution1/secret.enc.yaml synced with new keys + Encrypting using GCP KMS ~~~~~~~~~~~~~~~~~~~~~~~~ GCP KMS uses `Application Default Credentials
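Review bot: The first added sentence, "A list of age recipients can be added to the ``.sops.yaml``:", is followed directly by ``.. code:: yaml`` with no blank line between them, unlike the ``.. code:: sh`` block further down, which has one. reStructuredText needs a blank line between a paragraph and a following directive, so the directive marker will most likely be read as a continuation of the paragraph and the YAML will not render as a code block. Add an empty line after the sentence. Two smaller points in the same hunk: the comma in "use ``updatekeys``, when adding or removing" should go, and the sentence would be clearer if it said that ``updatekeys`` is run after the recipient list in ``.sops.yaml`` has been edited, since the sample output only shows an addition (the ``+++`` line) and the link between the two examples is otherwise left implicit. It may also be worth a short remark that the ``>-`` folded scalar joins the two recipients with a space after the comma, so readers know the line break in the list is intentional.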