+++
title = "Secrets"
categories = [ "services", "sops" ]
+++

## Secret management

We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets that we want to keep in Git but don't want to be public. Entries in `secrets.yaml` are encrypted for each of the age keys listed in `.sops.yaml`; those age keys are themselves derived from SSH keys.

For the initial setup, please take a look at the sops-nix README.

To edit the secrets file, run `sops secrets.yaml`, which decrypts the file, opens it in your `$EDITOR`, and re-encrypts it when you're done.

To add a new key, use `ssh-to-age` to convert your SSH public key to an age key and add it to `.sops.yaml`. Then run `sops updatekeys secrets.yaml` to re-encrypt the file for the new set of keys.
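The add-a-key procedure as a small shell helper. This is an added example, not part of this page or of sops-nix; it assumes `ssh-to-age` and `sops` are on `PATH`, that `secrets.yaml` is in the current directory, and that `.sops.yaml` is regenerated from a list of `name=age-recipient` pairs rather than hand-edited (the YAML layout it emits is the anchor-based one from the sops-nix README).

```shell
#!/usr/bin/env sh
# Added example (not from the page or sops-nix). Assumes: ssh-to-age and sops
# installed, secrets.yaml in the current directory, .sops.yaml regenerated
# from "name=age1..." pairs instead of being edited by hand.

# Return 0 if $1 has the shape of an age X25519 recipient:
# "age1" followed by 58 bech32 characters (no 'b', 'i', 'o' or '1').
is_age_recipient() {
  printf '%s' "$1" | grep -Eq '^age1[02-9ac-hj-np-z]{58}$'
}

# Print a .sops.yaml that encrypts secrets.yaml for every recipient passed as
# "name=age1..." arguments. Every recipient is validated first so a pasted
# ssh key or a truncated age key is rejected instead of silently written out.
render_sops_config() {
  for pair in "$@"; do
    is_age_recipient "${pair#*=}" || { printf 'bad recipient: %s\n' "$pair" >&2; return 1; }
  done
  printf 'keys:\n'
  for pair in "$@"; do
    printf '  - &%s %s\n' "${pair%%=*}" "${pair#*=}"
  done
  printf 'creation_rules:\n'
  printf '  - path_regex: secrets\\.yaml$\n'
  printf '    key_groups:\n'
  printf '      - age:\n'
  for pair in "$@"; do
    printf '          - *%s\n' "${pair%%=*}"
  done
}

# add_recipient NAME PUBKEY_FILE [existing name=key pairs...]
# Convert an SSH public key to an age recipient, rewrite .sops.yaml with the
# existing recipients plus the new one, then re-encrypt secrets.yaml for the
# new set (sops updatekeys asks for confirmation before rewriting).
add_recipient() {
  name="$1"; pubkey_file="$2"; shift 2
  new_key="$(ssh-to-age < "$pubkey_file")" || return 1
  render_sops_config "$@" "$name=$new_key" > .sops.yaml || return 1
  sops updatekeys secrets.yaml
}

# Only run the rotation when arguments are supplied, so the file can be
# sourced for its functions without touching any keys.
if [ "$#" -gt 0 ]; then
  add_recipient "$@"
fi
```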