Rotating secrets

How to systematically rotate all secrets


You want to renew all secrets across the whole CKI project, e.g. when a project member is leaving.

Rotating master keys

credentials repo

In the credentials repository, perform the following steps:

  1. Check the git commits for the key IDs of the collaborators:

    git log
  2. Make sure to import all their public GPG keys into your keyring. Those can be found on GitLab via

  3. Call with the key ID to remove to re-encrypt the repository.

  4. Check that the key actually got removed and remove it if necessary via

    git log
    git rebase -i origin/HEAD
  5. Commit the changes via a new merge request.


  1. Create a new ENVPASSWORD and re-encrypt all secrets via

    # the old password stays in ENVPASSWORD so that cki_secret can still decrypt the current values
    export NEW_ENVPASSWORD=$(diceware)
    for key in $(shyaml keys < secrets.yml); do
      # decrypt each value with the old password and re-encrypt it under the new one
      ENVPASSWORD=$NEW_ENVPASSWORD ./ "$key" "$(cki_secret "$key")"
    done
  2. Change the ENVPASSWORD variable in the CI/CD settings of deployment-all to the new value.

  3. Commit the changes via a new merge request.

  4. Document the new ENVPASSWORD in the credentials repository.
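The ENVPASSWORD loop above re-encrypts one key at a time, so a wrong old password or a corrupted entry part-way through would leave secrets.yml half rotated. The following Python script is an added example, not CKI's own tooling: it models secrets.yml as a flat `key: value` mapping, stands in a password-derived encrypt-then-MAC construction (PBKDF2, an HMAC-SHA256 counter keystream and an HMAC tag) for whatever `cki_secret` and the re-encryption script actually do, and performs the rotation all-or-nothing: every value is decrypted with the old password first, then re-encrypted and checked to round-trip under the new one before anything is returned. The names `encrypt_value`, `decrypt_value`, `rotate_secrets`, the sample key names and the KDF parameters are all assumptions of this example.

```python
"""Illustrative ENVPASSWORD rotation (added example; not CKI's tooling).

Models secrets.yml as a flat ``key: value`` mapping whose values are encrypted
under a password-derived key, and rotates every value from an old password to a
new one without ever producing a half-rotated file.
"""
import base64
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple

PBKDF2_ITERATIONS = 50_000  # assumption: a real tool chooses its own KDF parameters


def _derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a 32-byte encryption key and a 32-byte MAC key from the password."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for a real cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_value(password: str, plaintext: str) -> str:
    """Encrypt-then-MAC one secret; output is base64(salt || nonce || ct || tag)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(salt + nonce + ct + tag).decode()


def decrypt_value(password: str, blob: str) -> str:
    """Verify the tag before decrypting; a wrong password raises instead of returning garbage."""
    raw = base64.b64decode(blob)
    salt, nonce, ct, tag = raw[:16], raw[16:32], raw[32:-32], raw[-32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong ENVPASSWORD or corrupted ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def load_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat ``key: value`` subset of YAML this example uses for secrets.yml."""
    store = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            key, _, value = line.partition(":")
            store[key.strip()] = value.strip()
    return store


def dump_flat_yaml(store: Dict[str, str]) -> str:
    """Serialise the mapping back to one ``key: value`` line per secret."""
    return "".join(f"{key}: {value}\n" for key, value in sorted(store.items()))


def new_envpassword() -> str:
    """Stand-in for ``diceware``: a random, URL-safe password."""
    return secrets.token_urlsafe(32)


def rotate_secrets(store: Dict[str, str], old_password: str, new_password: str) -> Dict[str, str]:
    """Re-encrypt every value under new_password, all-or-nothing."""
    # Phase 1: decrypt everything with the old password. Any failure aborts before a
    # single re-encrypted value exists, so the caller never sees a mixed file.
    plaintexts = {key: decrypt_value(old_password, blob) for key, blob in store.items()}
    # Phase 2: re-encrypt and verify that each new blob round-trips under the new password.
    rotated = {}
    for key, plaintext in plaintexts.items():
        blob = encrypt_value(new_password, plaintext)
        if decrypt_value(new_password, blob) != plaintext:
            raise RuntimeError(f"round-trip check failed for {key}")
        rotated[key] = blob
    return rotated


if __name__ == "__main__":
    OLD = "old-envpassword"  # constructed sample password
    NEW = new_envpassword()
    original = dump_flat_yaml({
        "gitlab_token": encrypt_value(OLD, "token-value-example"),  # constructed sample values
        "db_password": encrypt_value(OLD, "hunter2"),
    })
    print(dump_flat_yaml(rotate_secrets(load_flat_yaml(original), OLD, NEW)))
```

Only the rotated mapping is written out, and only after every entry has been checked, so the equivalent of step 2 (updating the CI/CD variable) can safely follow: if the old ENVPASSWORD is wrong the script fails before touching anything, and the old password no longer opens any of the rotated values.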