51 lines
1 KiB
Markdown
51 lines
1 KiB
Markdown
|
||
🔑 2. Generate an age Keypair
|
||
|
||
age-keygen -o secrets/age.key
|
||
|
||
This will output something like:
|
||
|
||
# created: 2025-06-02T22:00:00Z
|
||
# public key: age1abcdefghijk...
|
||
|
||
Copy that public key somewhere — you’ll need it for encrypting.
|
||
|
||
✅ You should now have:
|
||
|
||
secrets/
|
||
├── age.key # keep this safe and private!
|
||
|
||
📝 3. Create Encrypted Secrets File
|
||
|
||
sops --age age1abcdefghijk... secrets/secrets.yaml
|
||
|
||
This opens a YAML file in your $EDITOR. Add secrets like:
|
||
|
||
forgejo-admin-password: "my-super-secret-password"
|
||
|
||
Save and close the file — it’s now encrypted using the public key.
|
||
|
||
✅ Now you should have:
|
||
|
||
secrets/
|
||
├── age.key
|
||
├── secrets.yaml # encrypted file (safe to commit)
|
||
|
||
You can commit secrets.yaml, but do not commit age.key unless you're OK with putting it on a VM.
|
||
|
||
|
||
🧪 Test Decryption Locally
|
||
|
||
export SOPS_AGE_KEY_FILE=secrets/age.key
|
||
|
||
To test:
|
||
|
||
sops -d secrets/secrets.yaml
|
||
|
||
To edit:
|
||
|
||
sops secrets/secrets.yaml
|
||
|
||
|
||
|
||
[plasmagoat@forgejo:~]$ sudo chmod 400 /etc/sops/age.key && sudo chown root:root /etc/sops/age.key
|