README: Add note about GPG keys and instructions for re-encrypt vault and fetch borg keys

Added information regarding the need to have all GPG keys present on the local keyring for
being able to re-encrypt the vault and/or fetch the borg keys for local storage. Also added
instructions for running both the reencrypt-vault-key and fetch-borg-keys playbooks.

README.md

@@ -24,6 +24,12 @@ When adding a new machine you should also deploy our SSH known_hosts file and up
 For this you can simply run the `playbooks/tasks/sync-ssh-hostkeys.yml` playbook and commit the changes it makes to this git repository.
 It will also deploy any new SSH host keys to all our machines.
 
+#### Note about GPG keys
+
+The root_access.yml file contains the root_gpgkeys variable that determine the users that have access to the vault, as well as the borg backup keys.
+All the keys should be on the local user gpg keyring and at *minimum* be locally signed with --lsign-key. This is necessary for running either the reencrypt-vault-key
+or the fetch-bork-keys tasks.
+
 #### Note about Ansible dynamic inventories
 
 We use a dynamic inventory script in order to automatically get information for
@@ -188,3 +194,15 @@ The following steps should be used to update our managed servers:
   - Change the key in misc/vault-password.gpg
   - `rm new-vault-pw`
 
+### Re-encrypting the vault after adding or removing a new GPG key
+
+  - Make sure you have all the GPG keys *at least* locally signed
+  - Run the playbooks/tasks/reencrypt-vault-key.yml playbook and make sure it does not have *any* failed task
+  - Test that the vault is working by running ansible-vault view on any encrypted vault file
+  - Commit and push your changes
+
+### Fetching the borg keys for local storage
+
+  - Make sure you have all the GPG keys *at least* locally signed
+  - Run the playbooks/tasks/fetch-borg-keys.yml playbook
+  - Make sure the playbook runs successfully and check the keys under the borg-keys directory