Manage Keyrings
In this guide, we’ll go over adding and removing Keyrings in a Rot configuration.
Adding Keyrings
After Rot has been initialized, Keyrings can be added using rot keyring-add. This command requires a name for the new Keyring and a list of decryptKeys to grant access to the new Keyring. This command performs these actions:
- Generate private and public keys for the Keyring.
- Encrypt the Keyring Private Key with each Decrypt Public Key specified and create a signature of each Decrypt Public Key.
Repeating this command can be used to grant additional access to the Keyring. Alternatively, you can run rot key-add-prv to add Decrypt Keys individually to a Keyring, and rot key-del-prv to remove Decrypt Keys from a Keyring.
Encrypted Value Names and Metadata
License Required: this requires an Unlimited License.
By default, Value names, modified dates, and metadata are stored in plaintext within a Keyring's values. This is extremely convenient when using version control to see what has changed; however, it does leak details about your secrets.
Keyrings can be configured to encrypt this data, but you will then need to be able to decrypt the Keyring to view the names and metadata within it. Run rot keyring-set -e <your keyring> && rot keyring-rekey <your keyring> to change an existing Keyring to encrypted, or rot keyring-add -e <new name> to create a new, encrypted Keyring.
Removing Keyrings
Keyrings can be removed by running rot remove-keyring, or by editing the configuration and removing the Keyring and all references to it. Decrypt Keys will be removed from the Keyring as well. Rot will log errors if it discovers Decrypt Keys with access to unknown Keyrings.
Rekeying Keyrings
Periodic rekeying of Rot's Keyrings is a non-destructive way to reduce the risk that comes with storing your secrets in Rot. This process generates new cryptographic keys for Values and Keyrings and re-encrypts them using the Decrypt Public Keys. Users can specify new Algorithms for use with this process, allowing easy upgrades to newer cryptography.
Rekey Process
After Rot has been initialized, rekeying can be performed on a per-Keyring basis by running rot keyring-rekey. This command performs these actions:
- Decrypt the existing Keyring Private Key using the Decrypt Private Key.
- Generate a new Keyring Private Key and Keyring Public Key.
- Decrypt each Value and generate a new Value Key.
- Encrypt each Value Key using the new Keyring Public Key.
- Encrypt the new Keyring Private Key with each Decrypt Public Key and create a signature of the Decrypt Public Key.
- Populate the config with the new keys and values, and save the configuration to configPath.
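The key hierarchy behind both rot keyring-add and rot keyring-rekey (Decrypt Key, Keyring key pair, per-Value key) can be seen end to end in the following Go model. This is an added example written for this page, not Rot's own code: it assumes X25519 for the asymmetric keys, AES-256-GCM for symmetric encryption, a plain SHA-256 of the ECDH shared secret as the wrapping key (a real tool would use HKDF), trial decryption to find the wrapped copy of the Keyring Private Key that belongs to a given holder, and it leaves out the signatures over the Decrypt Public Keys and the configPath save step. All names (KeyringAdd, Rekey, AddValue, ReadValue, wrap, unwrap) are invented for the example; the sample secret is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics on error: failed key generation or cipher setup is not recoverable here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal is AES-256-GCM with a random 12-byte nonce prepended to the ciphertext; open
// reverses it and fails authentication on a wrong key or tampered data.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return gcm(key).Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) { return gcm(key).Open(nil, ct[:12], ct[12:], nil) }

// wrap encrypts to an X25519 public key: ephemeral ECDH, the shared secret hashed into an AES
// key (assumption: a production tool would use HKDF), with the 32-byte ephemeral public key prepended.
func wrap(to *ecdh.PublicKey, pt []byte) []byte {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	k := sha256.Sum256(must(eph.ECDH(to)))
	return append(eph.PublicKey().Bytes(), seal(k[:], pt)...)
}

// unwrap reverses wrap with the recipient's private key.
func unwrap(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	shared, err := priv.ECDH(must(ecdh.X25519().NewPublicKey(blob[:32])))
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return open(k[:], blob[32:])
}

// Value holds the secret under its own Value Key, plus that key wrapped to the Keyring Public Key.
type Value struct{ Ciphertext, WrappedKey []byte }

// Keyring stores its public key in the clear and its private key wrapped once per Decrypt Public Key.
type Keyring struct {
	PublicKey   *ecdh.PublicKey
	PrivateKeys [][]byte
	Values      map[string]Value
}

// KeyringAdd models `rot keyring-add`: generate the Keyring key pair and encrypt the private key
// to every Decrypt Public Key (the signature over each Decrypt Public Key is omitted here).
func KeyringAdd(decryptPubs []*ecdh.PublicKey) *Keyring {
	priv := must(ecdh.X25519().GenerateKey(rand.Reader))
	kr := &Keyring{PublicKey: priv.PublicKey(), Values: map[string]Value{}}
	for _, pub := range decryptPubs {
		kr.PrivateKeys = append(kr.PrivateKeys, wrap(pub, priv.Bytes()))
	}
	return kr
}

// AddValue encrypts a secret under a fresh Value Key, itself wrapped to the Keyring Public Key.
func (kr *Keyring) AddValue(name string, secret []byte) {
	vk := make([]byte, 32)
	must(rand.Read(vk))
	kr.Values[name] = Value{seal(vk, secret), wrap(kr.PublicKey, vk)}
}

// ReadValue walks the chain Decrypt Private Key -> Keyring Private Key -> Value Key -> secret.
func (kr *Keyring) ReadValue(name string, dk *ecdh.PrivateKey) ([]byte, error) {
	v, ok := kr.Values[name]
	if !ok {
		return nil, fmt.Errorf("no value named %q", name)
	}
	for _, blob := range kr.PrivateKeys {
		raw, err := unwrap(dk, blob)
		if err != nil {
			continue // wrapped for a different holder; GCM authentication rejects it
		}
		vk, err := unwrap(must(ecdh.X25519().NewPrivateKey(raw)), v.WrappedKey)
		if err != nil {
			return nil, err
		}
		return open(vk, v.Ciphertext)
	}
	return nil, fmt.Errorf("decrypt key has no access to this keyring")
}

// Rekey models `rot keyring-rekey`: decrypt every Value with the old keys, build a Keyring with a
// new key pair wrapped only to the holders passed in, and re-encrypt each Value under a fresh
// Value Key. Nothing is replaced until every Value has been decrypted successfully.
func (kr *Keyring) Rekey(dk *ecdh.PrivateKey, decryptPubs []*ecdh.PublicKey) error {
	fresh := KeyringAdd(decryptPubs)
	for name := range kr.Values {
		secret, err := kr.ReadValue(name, dk)
		if err != nil {
			return err
		}
		fresh.AddValue(name, secret)
	}
	*kr = *fresh
	return nil
}

func main() {
	alice := must(ecdh.X25519().GenerateKey(rand.Reader))
	kr := KeyringAdd([]*ecdh.PublicKey{alice.PublicKey()})
	kr.AddValue("db/password", []byte("constructed sample secret")) // constructed sample
	fmt.Println(string(must(kr.ReadValue("db/password", alice))))
}
```

Two properties of the rekey step are worth checking in practice and are what the model makes visible: after Rekey the Keyring Public Key and every Value ciphertext are new, and a Decrypt Key that is not in the list passed to the rekey loses access, which is why the page's note about repeating keyring-add to grant access matters before you rekey.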