#+TITLE: Secrets

* secrets
** system
Secrets at the system level are managed by [[https://github.com/ryantm/agenix][agenix]]. The secrets are encrypted with a couple of =age= keys. I do not use ssh keys to encrypt the secrets. Instead, I do the following:
- each system has a key for the user root, and the secrets for that host are encoded with it as a recipient
- on each workstation, my user (=fcuny=) has a key and the secrets for all the hosts are encrypted with it as a recipient
- in addition, I've a backup key stored on a USB device, and I used its public key to encrypt all the secrets with it

These keys are backed up on an external USB device and in passage. When re-provisioning a host, the keys are restored from the USB device or from passage itself.

When provisioning a new host, a key for root (and my user if it's a workstation) is created and stored on the USB device and in passage.
*** add a new secret
#+begin_src sh
nix run github:ryantm/agenix -- -i ~/.age/key.txt -e sendsms/sendsms.age
#+end_src
*** re-key secrets
#+begin_src sh
nix run github:ryantm/agenix -- -i ~/.age/key.txt -r
#+end_src
** home-manager
Nothing for now.
** passage
I use [[https://github.com/FiloSottile/passage][passage]] to store passwords locally. The content of the store is pushed to a remote git repository, and I synchronized the store regularly to the USB device.
* misc
** GPG
nop nop nop nop nop
** keyring
I don't need one anymore.