---
title: "SOPS: GPG-Key Replacement"
summary: How to Replace an Expired GPG-Key
---

# SOPS: GPG-Key Replacement

- When a GPG key expires, it is necessary to update the config in the [`.sops.yaml`](https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/branch/main/.sops.yaml) and then re-encrypt all files with the updated list of keys.
- If no new key is available, simply remove the key and re-encrypt all files to keep the repository in a working state. Whenever the relevant member provides a new key, add it again and re-encrypt for it again.
- The re-encryption can be achieved by running the following command (which could take a considerable amount of time):

```bash
find inventories -name "*.sops.*" | xargs sops updatekeys --yes
```
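
To find out which keys need replacing before running the re-encryption, the fingerprints in `.sops.yaml` can be checked against the local GnuPG keyring. The script below is an added example, not part of the original page or the repository; its function names are hypothetical. It assumes that fingerprints appear in the config as full 40-digit hex strings and that the members' public keys have been imported locally.

```shell
#!/bin/sh
# Added example: report keys listed in .sops.yaml that can no longer be
# encrypted to. Function names are hypothetical.

# Print every 40-hex-digit PGP fingerprint found in the given SOPS config.
# Assumption: fingerprints are written in full, without spaces.
sops_fingerprints() {
  grep -oiE '[0-9a-f]{40}' "$1" | tr 'a-f' 'A-F' | sort -u
}

# Read `gpg --with-colons` key listings on stdin and print the primary
# fingerprint of each key that is expired at epoch time $1, or that has no
# usable encryption capability (no uppercase "E" in field 12 of the pub record).
expired_keys() {
  awk -F: -v now="$1" '
    $1 == "pub" {
      bad = ($2 == "e" || ($7 != "" && $7 + 0 < now + 0) || $12 !~ /E/)
      want_fpr = 1
      next
    }
    # The first fpr record after a pub record belongs to the primary key.
    $1 == "fpr" && want_fpr { if (bad) print $10; want_fpr = 0 }
  '
}

# Check every fingerprint in the config against the local GnuPG keyring.
# Returns non-zero if any key is missing or expired.
check_sops_keys() {
  rc=0
  for fpr in $(sops_fingerprints "$1"); do
    if ! listing=$(gpg --batch --with-colons --list-keys "$fpr" 2>/dev/null); then
      echo "MISSING $fpr (not in local keyring)"; rc=1
    elif [ -n "$(printf '%s\n' "$listing" | expired_keys "$(date +%s)")" ]; then
      echo "EXPIRED $fpr"; rc=1
    else
      echo "OK      $fpr"
    fi
  done
  return "$rc"
}

# Usage: sh check-sops-keys.sh .sops.yaml
if [ "$#" -gt 0 ]; then check_sops_keys "$1"; fi
```

Any fingerprint reported as `EXPIRED` is a candidate for removal or replacement in `.sops.yaml` before running `sops updatekeys`.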