Manage Keyrings

How to manage Keyrings using Rot

In this guide, we’ll go over adding and removing Keyrings in a Rot configuration.

Adding Keyrings

After Rot has been initialized, Keyrings can be added using rot keyring-add. This command requires a name for the new Keyring and a list of decryptKeys that will be granted access to it. This command performs these actions:

  • Generate a private and public key pair for the Keyring.
  • Encrypt the Keyring Private Key with each of the specified Decrypt Public Keys, and create signatures of those Decrypt Public Keys.

Repeating this command grants additional Decrypt Keys access to the Keyring. Alternatively, run rot key-add-prv to add Decrypt Keys to a Keyring individually, and rot key-del-prv to remove them. Note that removing a Decrypt Key only deletes that key's encrypted copy of the Keyring Private Key; the Keyring Private Key itself is unchanged, so a holder who has already decrypted it can keep using it. Follow a removal with rot keyring-rekey (see Rekeying Keyrings below) to generate fresh keys that the removed holder never had.

Encrypted Value Names and Metadata

By default, Value names, modified dates, and metadata are stored in plaintext within a Keyring's Values. This is extremely convenient when using version control, since you can see what has changed, but it does leak details about your secrets: anyone who can read the repository learns which secrets exist, when each one last changed, and whatever the metadata says about them.

Keyrings can be configured to encrypt this data, but you'll then need to be able to decrypt the Keyring to view the names and metadata within it. Run rot keyring-set -e <your keyring> && rot keyring-rekey <your keyring> to convert an existing Keyring to encrypted (keyring-set changes the setting and the following keyring-rekey rewrites the existing Values so the setting applies to them), or rot keyring-add -e <new name> to create a new, encrypted Keyring.

Removing Keyrings

Keyrings can be removed by running rot remove-keyring, or by editing the configuration and removing the Keyring along with all references to it. The Keyring's Decrypt Keys are removed as well. Rot logs errors if it discovers Decrypt Keys with access to unknown Keyrings, so check the logs after a manual edit.

Rekeying Keyrings

Periodic rekeying of Rot's Keyrings is a non-destructive way to reduce the risk of long-lived keys. The process generates new cryptographic keys for Values and Keyrings and re-encrypts them using the current Decrypt Public Keys, so previously issued Keyring and Value keys no longer decrypt anything in the current configuration. Users can specify new Algorithms for this process, allowing easy upgrades to newer cryptography. Rekeying does not change the secrets themselves; if a secret's plaintext may have been exposed, rotate that secret as well, and remember that old ciphertexts remain in version control history and are still readable with the old keys.
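The following is an added example, not Rot's own code, modelling the Keyring design described on this page: a Keyring Private Key wrapped once per Decrypt Key, per-Value keys wrapped by the Keyring Private Key, and a rekey that replaces all of them. It illustrates both the key-del-prv caveat from Adding Keyrings and the rekey process here: removal alone does not revoke a holder who already unwrapped the Keyring Private Key, rekeying does. Everything in it is an assumption of the model rather than Rot's implementation: Decrypt Keys are symmetric stand-ins for Rot's public/private pairs, seal()/open_() is a constructed hash-based stream cipher with an HMAC tag used only so the example runs with the standard library, and the holder names, value names and secret are made up.

```python
# Added example, not Rot's code. Stdlib-only model of the Keyring design:
# Decrypt Keys are symmetric stand-ins for Rot's key pairs, and seal()/open_()
# is a constructed encrypt-then-MAC stand-in for Rot's real encryption.
import hashlib
import hmac
import secrets

def _derive(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys from one 32-byte key.
    return hashlib.sha256(label + key).digest()

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(enc_key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key raises instead of returning garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrong key or tampered ciphertext")
    ks = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class Keyring:
    """Keyring Private Key wrapped once per Decrypt Key; each Value has its
    own key wrapped by the Keyring Private Key."""

    def __init__(self, name: str, decrypt_keys: dict):
        self.name = name
        self.private_key = secrets.token_bytes(32)
        self.wrapped = {}  # holder -> Keyring Private Key sealed under their Decrypt Key
        self.values = {}   # value name -> (wrapped value key, sealed value)
        for holder, dk in decrypt_keys.items():
            self.key_add_prv(holder, dk)

    def key_add_prv(self, holder: str, decrypt_key: bytes) -> None:
        self.wrapped[holder] = seal(decrypt_key, self.private_key)

    def key_del_prv(self, holder: str) -> None:
        # Drops the wrapped copy only; the Keyring Private Key itself is unchanged.
        self.wrapped.pop(holder, None)

    def unwrap(self, holder: str, decrypt_key: bytes) -> bytes:
        return open_(decrypt_key, self.wrapped[holder])

    def add_value(self, name: str, plaintext: bytes) -> None:
        value_key = secrets.token_bytes(32)
        self.values[name] = (seal(self.private_key, value_key), seal(value_key, plaintext))

    def get_value(self, name: str, keyring_private_key: bytes) -> bytes:
        wrapped_vk, sealed = self.values[name]
        return open_(open_(keyring_private_key, wrapped_vk), sealed)

    def rekey(self, decrypt_keys: dict) -> None:
        # New Keyring Private Key and new per-Value keys, re-wrapped only for
        # the Decrypt Keys that currently have access (the set passed in).
        old = self.private_key
        self.private_key = secrets.token_bytes(32)
        for name, plaintext in [(n, self.get_value(n, old)) for n in self.values]:
            self.add_value(name, plaintext)
        self.wrapped = {}
        for holder, dk in decrypt_keys.items():
            self.key_add_prv(holder, dk)

def revocation_demo() -> tuple:
    """Constructed scenario: bob cached the Keyring Private Key before removal."""
    alice, bob = secrets.token_bytes(32), secrets.token_bytes(32)
    kr = Keyring("prod", {"alice": alice, "bob": bob})
    kr.add_value("db-password", b"hunter2")
    cached = kr.unwrap("bob", bob)  # bob unwraps while he still has access
    kr.key_del_prv("bob")           # the key-del-prv step
    still_readable = kr.get_value("db-password", cached) == b"hunter2"
    kr.rekey({"alice": alice})      # the keyring-rekey step
    try:
        kr.get_value("db-password", cached)
        revoked = False
    except ValueError:
        revoked = True
    alice_ok = kr.get_value("db-password", kr.unwrap("alice", alice)) == b"hunter2"
    return still_readable, revoked, alice_ok

if __name__ == "__main__":
    print(revocation_demo())  # (True, True, True)
```

The result (True, True, True) reads as: after key-del-prv alone the removed holder's cached key still opens every Value; after the rekey it opens nothing; the remaining holder still has access through the re-wrapped key. The model also shows why a rekey is per-Keyring and non-destructive: plaintexts are read with the old key and rewritten under fresh keys, so the stored secrets never change, only the keys protecting them.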

Rekey Process

After Rot has been initialized, rekeying can be performed on a per-Keyring basis by running rot keyring-rekey. This command performs these actions: