Verified Commit fdaaa954 authored by Giancarlo Razzolini

README: Add note about GPG keys and instructions for re-encrypting the vault and fetching the borg keys

Added information regarding the need to have all GPG keys present in the local keyring to
be able to re-encrypt the vault and/or fetch the borg keys for local storage. Also added
instructions for running both the reencrypt-vault-key and fetch-borg-keys playbooks.
parent 64d7d49a
......@@ -24,6 +24,12 @@ When adding a new machine you should also deploy our SSH known_hosts file and up
For this you can simply run the `playbooks/tasks/sync-ssh-hostkeys.yml` playbook and commit the changes it makes to this git repository.
It will also deploy any new SSH host keys to all our machines.
#### Note about GPG keys
The root_access.yml file contains the root_gpgkeys variable that determine the users that have access to the vault, as well as the borg backup keys.
All the keys should be on the local user gpg keyring and at *minimum* be locally signed with --lsign-key. This is necessary for running either the reencrypt-vault-key
or the fetch-bork-keys tasks.
#### Note about Ansible dynamic inventories
We use a dynamic inventory script in order to automatically get information for
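Review bot: `fetch-bork-keys` in the new note is a typo for `fetch-borg-keys`; the playbook this commit documents further down is `playbooks/tasks/fetch-borg-keys.yml`, and anyone grepping the README for the task name will not find this line. In the same sentence, "the root_gpgkeys variable that determine" should read "determines". It would also help to say why the local signature is required: gpg will not encrypt to a key it does not consider valid, so with an unsigned key in `root_gpgkeys` the re-encryption fails for that recipient. Spelling out the command, e.g. `gpg --lsign-key <keyid>` for each key listed in `root_access.yml`, would save the next person a round trip to the gpg man page.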
......@@ -188,3 +194,15 @@ The following steps should be used to update our managed servers:
- Change the key in misc/vault-password.gpg
- `rm new-vault-pw`
### Re-encrypting the vault after adding or removing a new GPG key
- Make sure you have all the GPG keys *at least* locally signed
- Run the playbooks/tasks/reencrypt-vault-key.yml playbook and make sure it does not have *any* failed task
- Test that the vault is working by running ansible-vault view on any encrypted vault file
- Commit and push your changes
### Fetching the borg keys for local storage
- Make sure you have all the GPG keys *at least* locally signed
- Run the playbooks/tasks/fetch-borg-keys.yml playbook
- Make sure the playbook runs successfully and check the keys under the borg-keys directory
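Review bot: "after adding or removing a new GPG key" should be "after adding or removing a GPG key", but the bigger gap is the removal case: re-encrypting alone does not revoke access, because whoever held the removed key already knows the current vault password. The section should tell the reader to rotate the password first with the steps directly above (the ones ending in `rm new-vault-pw`, which change the key in `misc/vault-password.gpg`) and only then re-encrypt to the remaining keys. In the test step, name the command explicitly, e.g. `ansible-vault view <path to an encrypted vault file>`, and state that it must succeed without a password prompt. For the borg keys section, since the keys are fetched "for local storage", say whether the `borg-keys` directory is ignored by git so they are not committed by accident.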