Rotating secrets

How to systematically rotate all secrets

This page has an internal companion page which might contain additional information.

Problem

You want to renew all secrets across the whole CKI project, e.g. when a project member is leaving.

Rotating master keys

credentials repo

In the credentials repository, perform the following steps:

Check the git commits for the key IDs of the collaborators:
```
git log
```
Make sure to import all their public GPG keys into your keyring. Those can be found on GitLab via https://gitlab.com/username.gpg.
Call git-crypt-rm-gpg-user.sh with the key ID to remove to re-encrypt the repository.
Check that the key actually got removed and remove it if necessary via
```
git log
git rebase -i origin/HEAD
```
Commit the changes via a new merge request.

deployment-all

Create a new ENVPASSWORD and re-encrypt all secrets via

export NEW_ENVPASSWORD=$(diceware)
for key in $(shyaml keys < secrets.yml); do
  ENVPASSWORD=$NEW_ENVPASSWORD ./edit_secret.sh "$key" "$(cki_secret "$key")"
done

Change the ENVPASSWORD variable in the CI/CD settings of deployment-all to the new value.
Commit the changes via a new merge request.
Document the new ENVPASSWORD in the credentials repository.