Recovering or rotating private keys

Web Dev - Documentation Backend and Operations - Documentation
, , ,
1

If you need to recover or rotate private keys from the live sites.

Edit the relevant sections of travis.yml on the branch you want to work on to this:

env:
  global:
    - GPG_KEY_B64=$sops_gpg_key

script:
  - npm install
  - mup setup
  - mup deploy
  - echo "$GPG_KEY_B64" | base64 --decode > travis-private-key.asc
  - gpg --batch --import travis-private-key.asc
  - gpg --list-secret-keys

In the Travis build logs you should see the end of one of the private keys, like this:

image
image1039×235 22.4 KB

It should match a public key pgp at sops.yml.

How to Recover and Save the Private Key Locally

Step 1: Decode and Save the Key (on your laptop)

If you’ve now confirmed that sops_gpg_key is the key you need:

On your laptop:

echo "$sops_gpg_key" | base64 --decode > recovered-private-key.asc

Import it:

gpg --import recovered-private-key.asc

Confirm it’s imported:

gpg --list-secret-keys

You should see:

sec   rsa4096/XXXX... 2023-...
      Key fingerprint = AC7E7C66AC708F04578DD0E293C281E756221F06

Rotating to new GPG keypairs.

  1. Update .sops.yaml with new public key(s).

  2. Re-encrypt secrets with:

sops -r -i path/to/secrets.yaml