From 910655adfb0cbecb0828c08c704cedae951d8913 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Wed, 18 Feb 2026 09:34:27 +0100 Subject: [PATCH] Explain how to update GPG keys --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index dff670a..741eeb3 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,13 @@ A local Ansible run then uses the locally available GPG-key to decrypt the secre For a tutorial on how to set up secrets using SOPS for a new host, see [Setting Up Secrets Using SOPS for a New Host](./docs/setting_up_secrets_using_sops_for_a_new_host.md). +### Updating SOPS files after swapping out a GPG key + +When a GPG key expires, it is necessary to update the config in `.sops.yaml` and then re-encrypt all files with the updated list of keys. Run this command. The will take a considerable amount of time (minutes). +``` +find inventories -name "*.sops.*" | xargs sops updatekeys --yes +``` + ## Playbook nur für einzelne Hosts ausführen Ein paar der Hosts haben den selben Namen, was es etwas schwieriger macht, das Playbook nur für einen der Hosts auszuführen, z. B. `public-reverse-proxy`. Die Kombination aus `--inventory` und `--limit` führt zum Erfolg:
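Review bot: The added command in the README hunk, `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`, breaks on paths containing whitespace or shell-special characters; prefer `find inventories -name "*.sops.*" -print0 | xargs -0 sops updatekeys --yes` (or `find ... -exec sops updatekeys --yes {} +`). In the same added paragraph, "The will take a considerable amount of time (minutes)." should read "This will take a considerable amount of time (minutes).", and "update the config in `.sops.yaml`" would be clearer if it named what changes (the new key's fingerprint replacing the expired one in the creation rules), since `updatekeys` re-encrypts against whatever `.sops.yaml` lists. The new fenced block has no language tag; the surrounding README uses Markdown, so ```sh would let it render consistently.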