If you need to recover or rotate private keys from the live sites, edit the relevant sections of travis.yml on the branch you want to work on to this:
env:
  global:
    - GPG_KEY_B64=$sops_gpg_key
script:
  - npm install
  - mup setup
  - mup deploy
  - echo "$GPG_KEY_B64" | base64 --decode > travis-private-key.asc
  - gpg --batch --import travis-private-key.asc
  - gpg --list-secret-keys
In the Travis build logs you should see the end of one of the private keys, like this:
It should match one of the public keys listed under pgp in sops.yml.
How to Recover and Save the Private Key Locally
Step 1: Decode and Save the Key (on your laptop)
If you’ve now confirmed that sops_gpg_key is the key you need, run this on your laptop:
echo "$sops_gpg_key" | base64 --decode > recovered-private-key.asc
Import it:
gpg --import recovered-private-key.asc
Confirm it’s imported:
gpg --list-secret-keys
You should see:
sec rsa4096/XXXX... 2023-...
Key fingerprint = AC7E7C66AC708F04578DD0E293C281E756221F06
Rotating to new GPG keypairs
- Update .sops.yaml with new public key(s).
- Re-encrypt secrets with:
  sops -r -i path/to/secrets.yaml
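A check to run after the re-encrypt step, as an added example that is not part of the original page: it compares the recipient fingerprints recorded in each encrypted file's sops metadata (the fp entries under sops: pgp:) with those named in .sops.yaml, so a file still encrypted to the retired key is flagged. The function names, file names and fingerprints are constructed for illustration, and it assumes the fingerprints sit on a single pgp: line in .sops.yaml.

```shell
#!/bin/sh
# Added example: after re-encrypting, check each file's recipients against .sops.yaml.
# Assumption: .sops.yaml lists fingerprints on a single "pgp:" line, comma-separated.

# Print the 40-hex fingerprints on lines whose YAML key is $1 in file $2, upper-cased.
fps_for_key() {
  grep -E "^[[:space:]]*(-[[:space:]]*)?$1:" "$2" \
    | grep -oE '[0-9A-Fa-f]{40}' | tr 'a-f' 'A-F' | sort -u
}

# audit_recipients CONFIG ENCRYPTED_FILE
# 0 = file's sops.pgp[].fp set equals the config's pgp set, 1 = mismatch, 2 = bad config.
audit_recipients() {
  want=$(fps_for_key pgp "$1")
  have=$(fps_for_key fp "$2")
  rc=0
  [ -n "$want" ] || { echo "no pgp fingerprints in $1" >&2; return 2; }
  for fp in $have; do            # recipients the file has but the config dropped
    case " $(echo $want) " in
      *" $fp "*) ;;
      *) echo "STALE   $2 is still encrypted to $fp"; rc=1 ;;
    esac
  done
  for fp in $want; do            # recipients the config names but the file lacks
    case " $(echo $have) " in
      *" $fp "*) ;;
      *) echo "MISSING $2 is not encrypted to $fp"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample data (placeholder fingerprints, not real keys).
OLD=1111111111111111111111111111111111111111   # retired key
NEW=2222222222222222222222222222222222222222   # replacement key
make_samples() {
  meta='db_pass: ENC[AES256_GCM,data:...]\nsops:\n    pgp:\n        - fp: %s\n'
  printf 'creation_rules:\n  - pgp: %s\n' "$NEW" > "$1/.sops.yaml"
  printf "$meta" "$NEW" > "$1/rotated.yaml"     # re-encrypted to the new key
  printf "$meta" "$OLD" > "$1/forgotten.yaml"   # missed during rotation
}

d=$(mktemp -d) && make_samples "$d"
for f in rotated.yaml forgotten.yaml; do
  if audit_recipients "$d/.sops.yaml" "$d/$f"; then echo "OK      $d/$f"; fi
done
rm -rf "$d"
```

Any STALE line means the old private key can still decrypt that file, so the rotation is not complete for it.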