# Vault rekeying
## Changing the default vault password
```bash
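# Generate a new password for the default vault.
# The plaintext file is created in a subshell with umask 077 so it is
# readable only by the current user (the default umask would typically
# leave it world-readable on a shared machine) and the caller's own umask
# is left untouched.
(umask 077 && pwgen -s 64 >new-default-pw)

# Re-encrypt all default vaults (every file carrying a vault 1.1 header)
ansible-vault rekey --new-vault-password-file ./new-default-pw \
  $(git grep -l 'ANSIBLE_VAULT;1.1;AES256$')

# Save the new password in encrypted form
# (replace "RECIPIENT" with your email)
gpg -r RECIPIENT -o misc/vault-default-password.gpg -e new-default-pw

# Re-encrypt the new password with all DevOps keys
ansible-playbook playbooks/tasks/reencrypt-vault-default-key.yml

# Ensure the new password is usable
ansible-vault view misc/vaults/vault_hcloud.yml

# Remove the unencrypted password file.
# Do this only after the view step above succeeded; if any earlier step
# failed, the plaintext file is still the only copy of the new password.
rm new-default-pw

# Review and commit the changes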
```
## Changing the super vault password
```bash
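# Generate a new password for the super vault.
# The plaintext file is created in a subshell with umask 077 so it is
# readable only by the current user (the default umask would typically
# leave it world-readable on a shared machine) and the caller's own umask
# is left untouched.
(umask 077 && pwgen -s 64 >new-super-pw)

# Re-encrypt all super vaults (every file carrying a vault 1.2 "super" header)
ansible-vault rekey --new-vault-id super@./new-super-pw \
  $(git grep -l 'ANSIBLE_VAULT;1.2;AES256;super$')

# Save the new password in encrypted form
# (replace "RECIPIENT" with your email)
gpg -r RECIPIENT -o misc/vault-super-password.gpg -e new-super-pw

# Re-encrypt the new password with all DevOps super keys
ansible-playbook playbooks/tasks/reencrypt-vault-super-key.yml

# Ensure the new password is usable
ansible-vault view misc/vaults/vault_hetzner.yml

# Remove the unencrypted password file.
# Do this only after the view step above succeeded; if any earlier step
# failed, the plaintext file is still the only copy of the new password.
rm new-super-pw

# Review and commit the changes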
```