rotate-secrets: document offline vault break-glass for ubongo

This commit is contained in:
sjat 2026-06-05 09:45:27 +02:00
parent b89ca8835a
commit a2db8058e7

View file

@ -30,6 +30,27 @@ clear "run: rbw unlock" error rather than a hang.
--- ---
## Break-glass — vault access during a full cluster outage
The control node `ubongo` (ADR-015) is the tool used to rebuild the cluster, so it
must be able to decrypt the vault even when Vaultwarden (if hosted on the cluster)
is down. `rbw` keeps a **local encrypted copy** of the Vaultwarden vault and decrypts
it **offline** with your Vaultwarden master password — no live server needed for
entries it has already synced. The recovery design therefore requires:
- `rbw` on `ubongo` (and on `mamba`, the break-glass laptop) has **synced at least
once** while Vaultwarden was reachable (`rbw sync`).
- Your **Vaultwarden master password** is kept **offline** — in a password manager on
`mamba` and on paper in a safe — independent of any cluster-hosted Vaultwarden.
There is always exactly one irreducible offline root secret; here it is the
Vaultwarden master password. Keep it recoverable without the cluster.
> **To verify (ADR-014, security-relevant):** confirm `rbw` actually decrypts its
> local cache fully offline on your pinned `rbw` version before relying on this.
---
## Rotating a single secret value ## Rotating a single secret value
1. Ensure the agent is unlocked: `rbw unlock` 1. Ensure the agent is unlocked: `rbw unlock`