Recovering or rotating private keys

Use this procedure if you need to recover or rotate private keys from the live sites.

On the branch you want to work on, edit the relevant sections of travis.yml to read:

env:
  global:
    - GPG_KEY_B64=$sops_gpg_key

script:
  - npm install
  - mup setup
  - mup deploy
  - echo "$GPG_KEY_B64" | base64 --decode > travis-private-key.asc
  - gpg --batch --import travis-private-key.asc
  - gpg --list-secret-keys

In the Travis build logs you should see the end of one of the private keys, like this:

It should match one of the pgp public keys in sops.yml.

How to Recover and Save the Private Key Locally

Step 1: Decode and Save the Key (on your laptop)

If you’ve now confirmed that sops_gpg_key is the key you need, run this on your laptop:

echo "$sops_gpg_key" | base64 --decode > recovered-private-key.asc

Import it:

gpg --import recovered-private-key.asc

Confirm it’s imported:

gpg --list-secret-keys

You should see:

sec   rsa4096/XXXX... 2023-...
      Key fingerprint = AC7E7C66AC708F04578DD0E293C281E756221F06
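
To make the comparison between the imported key and the sops recipients mechanical rather than by eye, here is an added example (not part of the original page or the project's own tooling). It reads gpg's colon-format listing and reports which primary-key fingerprints appear in the sops config. The function names and sample data are constructed, and it assumes recipients are written as full 40-hex fingerprints.

```shell
# Added example, not part of the original page. POSIX sh.

# Primary-key fingerprints from gpg --with-colons output on stdin.
# Only the fpr record that follows a sec record is kept, so subkeys are ignored.
secret_fprs() {
  awk -F: '$1 == "sec" { want = 1; next }
           $1 == "ssb" { want = 0; next }
           $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# Every 40-hex-digit token in the config file "$1", upper-cased.
# Assumption: recipients are written as full fingerprints without spaces.
sops_fprs() {
  tr -cs '0-9A-Fa-f' '\n' < "$1" | awk 'length($0) == 40 { print toupper($0) }'
}

# Print each secret-key fingerprint (colon format on stdin) that "$1" lists.
# Returns 0 when at least one matches, 1 when none do.
matching_fprs() {
  cfg=$1
  matched=1
  for fpr in $(secret_fprs); do
    if sops_fprs "$cfg" | grep -qxF "$fpr"; then
      echo "$fpr"
      matched=0
    fi
  done
  return "$matched"
}

# Constructed sample: a colon-format listing for the fingerprint shown above,
# checked against a constructed config that names it in lower case.
demo() {
  dir=$(mktemp -d) || return 2
  printf 'creation_rules:\n  - pgp: >-\n      %s\n' \
    'ac7e7c66ac708f04578dd0e293c281e756221f06' > "$dir/sops.yaml"
  printf '%s\n' \
    'sec:u:4096:1:93C281E756221F06:1672531200:::u:::scESC:::+:::23::0:' \
    'fpr:::::::::AC7E7C66AC708F04578DD0E293C281E756221F06:' |
    matching_fprs "$dir/sops.yaml"
  rc=$?
  rm -rf "$dir"
  return "$rc"
}

# Real use: gpg --list-secret-keys --with-colons | matching_fprs .sops.yaml
```

A non-zero exit status means none of the secret keys in the keyring is a recipient in the config, so the recovered key cannot decrypt secrets encrypted under it.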

Rotating to New GPG Keypairs

  1. Update .sops.yaml with new public key(s).

  2. Re-encrypt secrets with:

sops -r -i path/to/secrets.yaml