Explain how to update GPG keys

Stefan Bethke 2026-02-18 09:34:27 +01:00
commit 910655adfb


@ -29,6 +29,13 @@ A local Ansible run then uses the locally available GPG-key to decrypt the secre
For a tutorial on how to set up secrets using SOPS for a new host, see [Setting Up Secrets Using SOPS for a New Host](./docs/setting_up_secrets_using_sops_for_a_new_host.md).
### Updating SOPS files after swapping out a GPG key
When a GPG key expires, it is necessary to update the config in `.sops.yaml` and then re-encrypt all files with the updated list of keys. Run this command. The will take a considerable amount of time (minutes).
```
find inventories -name "*.sops.*" | xargs sops updatekeys --yes
```
## Playbook nur für einzelne Hosts ausführen
Ein paar der Hosts haben den selben Namen, was es etwas schwieriger macht, das Playbook nur für einen der Hosts auszuführen, z. B. `public-reverse-proxy`. Die Kombination aus `--inventory` und `--limit` führt zum Erfolg:
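Review bot: the new "Updating SOPS files after swapping out a GPG key" section has a typo in its last sentence ("The will take a considerable amount of time" should read "This will take a considerable amount of time (minutes)."), and the procedure leaves out the step the commit title promises to explain: say what to change in `.sops.yaml` (add the new key's fingerprint to the relevant `pgp` entry before removing the old one), and note that `sops updatekeys` must still be able to decrypt each file with one of the previously configured keys, otherwise the re-encryption fails. The command `find inventories -name "*.sops.*" | xargs sops updatekeys --yes` also breaks on paths containing whitespace; `find inventories -name "*.sops.*" -print0 | xargs -0 sops updatekeys --yes` is the safer form.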