boma/docs/runbooks/rotate-secrets.md

# Runbook — Rotating vault secrets
## Rotating a single secret value
1. Decrypt the relevant vault file:
```bash
make decrypt FILE=inventories/production/group_vars/all/vault.yml
```
2. Edit the file and update the secret value.
3. Re-encrypt:
```bash
make encrypt FILE=inventories/production/group_vars/all/vault.yml
```
4. Commit the updated vault file:
```bash
git add inventories/production/group_vars/all/vault.yml
git commit -m "Rotate <secret name>"
```
5. Deploy to apply the new secret to hosts:
```bash
make check PLAYBOOK=site # verify what will change
make deploy PLAYBOOK=site
```
---
## Rotating the vault password
This affects all encrypted files in the repo. Do this only when:
- A person with vault access leaves the project
- The password is suspected to be compromised
Steps:
1. Ensure you have the current vault password in `.vault_pass`.
2. Re-key all vault files:
```bash
find . -name "vault.yml" -type f -print0 | xargs -0 ansible-vault rekey \
  --vault-password-file .vault_pass \
  --new-vault-password-file /path/to/new_password_file
```
3. Replace `.vault_pass` with the new password file.
4. Distribute the new password to all collaborators via a secure channel.
5. Commit all rekeyed vault files:
```bash
git add -A
git commit -m "Rekey all vault files"
```
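Both procedures above end with a commit, and the rekey one stages everything with `git add -A`, so a vault.yml left decrypted after step 1 of the single-secret procedure and never re-encrypted in step 3 would land in history in plaintext. The check below is an added example, not part of the repo's Makefile or hooks; it keys on the `$ANSIBLE_VAULT;` header that Ansible Vault writes on line 1 of every encrypted file, and the function names, the `demo` tree and its fake ciphertext body are constructed for illustration.

```shell
#!/usr/bin/env sh
# Added guard (not part of the runbook): refuse to commit a vault.yml that is
# still in plaintext. Every Ansible Vault file starts with a
# "$ANSIBLE_VAULT;<version>;AES256[;vault-id]" header on line 1; a vault.yml
# without it was decrypted and never re-encrypted.

# Return 0 if FILE carries the Ansible Vault header, 1 otherwise.
vault_file_is_encrypted() {
    first=""
    IFS= read -r first < "$1" || :   # "|| :" tolerates a file without a trailing newline
    case "$first" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every vault.yml under DIR (default: current directory) that is not
# encrypted. Assumes vault paths contain no newline characters.
find_plaintext_vault_files() {
    find "${1:-.}" -name vault.yml -type f | while IFS= read -r f; do
        vault_file_is_encrypted "$f" || printf '%s\n' "$f"
    done
}

# Gate for a pre-commit hook or before the "git add -A" of the rekey
# procedure: returns 1 and lists offenders when any vault.yml is in plaintext.
check_no_plaintext_vault() {
    bad=$(find_plaintext_vault_files "${1:-.}")
    if [ -n "$bad" ]; then
        printf 'Refusing to continue, unencrypted vault files:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed tree: one encrypted-looking file (fake ciphertext body)
# and one file someone forgot to re-encrypt after editing it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/inventories/production/group_vars/all" \
             "$tmp/inventories/staging/group_vars/all"
    printf '$ANSIBLE_VAULT;1.1;AES256\n66386439653236336462626566653063\n' \
        > "$tmp/inventories/production/group_vars/all/vault.yml"
    printf 'db_password: not-a-real-secret\n' \
        > "$tmp/inventories/staging/group_vars/all/vault.yml"
    check_no_plaintext_vault "$tmp" && echo "clean" || echo "blocked (exit $?)"
    rm -rf "$tmp"
}

demo
```

Wire `check_no_plaintext_vault` into a `pre-commit` hook (or a `make` target run before `make deploy`) so the commit steps of both procedures fail closed instead of relying on the operator remembering step 3.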
---
## Adding a new collaborator
1. Share the vault password via a secure channel (password manager, etc.).
2. The collaborator creates `.vault_pass` locally (gitignored).
3. They can now decrypt/encrypt vault files normally.
## Removing a collaborator's access
Rotate the vault password as described above. There is no per-user access
control in Ansible Vault — access is binary (has the password or not).
If per-user access control becomes necessary, evaluate SOPS + age at that point.