infrastructure/docs/vault-rekeying.md

# Vault rekeying

## Changing the default vault password

```bash
# Generate a new password for the default vault
pwgen -s 64 >new-default-pw

# Re-encrypt all default vaults
ansible-vault rekey --new-vault-password-file ./new-default-pw \
  $(git grep -l 'ANSIBLE_VAULT;1.1;AES256$')

# Save the new password in encrypted form
# (replace "RECIPIENT" with your email)
gpg -r RECIPIENT -o misc/vault-default-password.gpg -e new-default-pw

# Re-encrypt the new password with all DevOps keys
ansible-playbook playbooks/tasks/reencrypt-vault-default-key.yml

# Ensure the new password is usable
ansible-vault view misc/vaults/vault_hcloud.yml

# Remove the unencrypted password file
rm new-default-pw

# Review and commit the changes
```

## Changing the super vault password

```bash
# Generate a new password for the super vault
pwgen -s 64 >new-super-pw

# Re-encrypt all super vaults
ansible-vault rekey --new-vault-id super@./new-super-pw \
  $(git grep -l 'ANSIBLE_VAULT;1.2;AES256;super$')

# Save the new password in encrypted form
# (replace "RECIPIENT" with your email)
gpg -r RECIPIENT -o misc/vault-super-password.gpg -e new-super-pw

# Re-encrypt the new password with all DevOps super keys
ansible-playbook playbooks/tasks/reencrypt-vault-super-key.yml

# Ensure the new password is usable
ansible-vault view misc/vaults/vault_hetzner.yml

# Remove the unencrypted password file
rm new-super-pw

# Review and commit the changes
```
Move highly sensitive secrets to new "super" vault The idea bebind this is to be able to give vault access to new DevOps members without giving away more important credentials like Hetzner's. 2022-05-01 14:26:32 +02:00			`# Vault rekeying`

			`## Changing the default vault password`

			```bash
			`# Generate a new password for the default vault`
			`pwgen -s 64 >new-default-pw`

			`# Re-encrypt all default vaults`
			`ansible-vault rekey --new-vault-password-file ./new-default-pw \`
			`$(git grep -l 'ANSIBLE_VAULT;1.1;AES256$')`

			`# Save the new password in encrypted form`
			`# (replace "RECIPIENT" with your email)`
			`gpg -r RECIPIENT -o misc/vault-default-password.gpg -e new-default-pw`

			`# Re-encrypt the new password with all DevOps keys`
			`ansible-playbook playbooks/tasks/reencrypt-vault-default-key.yml`

			`# Ensure the new password is usable`
			`ansible-vault view misc/vaults/vault_hcloud.yml`

			`# Remove the unencrypted password file`
			`rm new-default-pw`

			`# Review and commit the changes`
			```

			`## Changing the super vault password`

			```bash
			`# Generate a new password for the super vault`
			`pwgen -s 64 >new-super-pw`

			`# Re-encrypt all super vaults`
			`ansible-vault rekey --new-vault-id super@./new-super-pw \`
			`$(git grep -l 'ANSIBLE_VAULT;1.2;AES256;super$')`

			`# Save the new password in encrypted form`
			`# (replace "RECIPIENT" with your email)`
			`gpg -r RECIPIENT -o misc/vault-super-password.gpg -e new-super-pw`

			`# Re-encrypt the new password with all DevOps super keys`
			`ansible-playbook playbooks/tasks/reencrypt-vault-super-key.yml`

			`# Ensure the new password is usable`
			`ansible-vault view misc/vaults/vault_hetzner.yml`

			`# Remove the unencrypted password file`
			`rm new-super-pw`

			`# Review and commit the changes`
			```