From 05fbd7183c115099680b69bae327d81fdcedb036 Mon Sep 17 00:00:00 2001
From: lilly <li@lly.sh>
Date: Sun, 23 Feb 2025 11:42:19 +0100
Subject: [PATCH] update documentation regarding ccchh-pass age key

---
 README.md | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index e059629..db00a4d 100644
--- a/README.md
+++ b/README.md
@@ -24,11 +24,23 @@ Please also keep our [Service & Responsibility Page](https://eh22.easterhegg.eu/
 
 This repository contains a sops configuration that is used for password encryption as well as secret management for our nix machines.
 
+### Using CCCHH Password-Store Key
+
+For convenience, a sops key has been added to the [CCCHH Password-Store](https://git.hamburg.ccc.de/CCCHH/password-store) which is able to encrypt all secrets of this repository.
+Sops can be told to use it like this:
+
+```bash
+export SOPS_AGE_KEY=$(pass noc/events/eh22/nox-sops-key)
+```
+
+If you don't have access to that, ask someone (@lilly for example) to authorize your personal key.
+
 ### Passwords
 
 All relevant passwords should be stored in `secrets/passwords.yaml` which is a plain yaml document with no strict schema but which is sops encrypted.
 It should contain all relevant passwords, a NOC admin needs.
 
+
 #### Accessing Passwords
 
 ```bash
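Review bot: `export SOPS_AGE_KEY=$(pass noc/events/eh22/nox-sops-key)` puts the shared age private key into the shell environment, where it persists for the session and is inherited by every child process; the new section should say so and suggest running `unset SOPS_AGE_KEY` when done (or scoping the export to a subshell). Quote the substitution, `export SOPS_AGE_KEY="$(pass noc/events/eh22/nox-sops-key)"`, so that a multi-line pass entry is not word-split in shells that do not special-case `export` assignments. Since this one key decrypts every secret in the repository for everyone who can read the password store, it is worth a sentence that revoking someone's access means rotating that key and re-encrypting, not just editing `.sops.yaml`. Minor: the added blank line before `#### Accessing Passwords` leaves two consecutive blank lines, unlike the rest of the file.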
@@ -48,10 +60,12 @@ I (Lilly) personally prefer age since it skips all the openpgp cli weirdness and
 
 Adding a new age key works like this:
 
-1. `vim .sops.yaml` and enter the new key (preferably as a yaml anchor) under `keys` as well as the `creation_rule` for the passwords file.
+1. Run `age-keygen -o ~/.config/sops/age/keys.txt` and copy the public key from the generated file.
+2. Edit [.sops.yaml](./.sops.yaml) and enter the new key (preferably as a yaml anchor) under `keys` as well as the `creation_rule` for the passwords file.
    Look at the existing file content and you'll figure it out.
-2. `sops updatekeys secrets/passwords.yaml` to reencrypt the password file with the newly added key.
 3. Commit and push changes.
+4. Ask someone with existing access to run `sops updatekeys secrets/passwords.yaml` to reencrypt the password file with the newly added key.
+   They should, of course, also commit and push the changes.
 
 ### Machine-Secrets
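Review bot: step 1, `age-keygen -o ~/.config/sops/age/keys.txt`, assumes `~/.config/sops/age/` already exists and that no `keys.txt` is there yet; the doc should tell the reader to `mkdir -p ~/.config/sops/age` first and to check for an existing file rather than clobbering a key that sops may already be using. Step 1 could also point out that the public key to copy is the `# public key: age1...` comment line that `age-keygen` writes into the file. In step 4 the person running `sops updatekeys secrets/passwords.yaml` is the only check on who gains access, so the note should ask them to confirm the new `age1...` public key with the requester out of band (matching it against the pushed `.sops.yaml` change) before re-encrypting, since anyone who can push to the repository can add a key to the file.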