rotate-secrets: document offline vault break-glass for ubongo
This commit is contained in:
parent
b89ca8835a
commit
a2db8058e7
1 changed files with 21 additions and 0 deletions
|
|
@ -30,6 +30,27 @@ clear "run: rbw unlock" error rather than a hang.
|
|||
|
||||
---
|
||||
|
||||
## Break-glass — vault access during a full cluster outage
|
||||
|
||||
The control node `ubongo` (ADR-015) is the tool used to rebuild the cluster, so it
|
||||
must be able to decrypt the vault even when Vaultwarden (if hosted on the cluster)
|
||||
is down. `rbw` keeps a **local encrypted copy** of the Vaultwarden vault and decrypts
|
||||
it **offline** with your Vaultwarden master password — no live server needed for
|
||||
entries it has already synced. The recovery design therefore requires:
|
||||
|
||||
- `rbw` on `ubongo` (and on `mamba`, the break-glass laptop) has **synced at least
|
||||
once** while Vaultwarden was reachable (`rbw sync`).
|
||||
- Your **Vaultwarden master password** is kept **offline** — in a password manager on
|
||||
`mamba` and on paper in a safe — independent of any cluster-hosted Vaultwarden.
|
||||
|
||||
There is always exactly one irreducible offline root secret; here it is the
|
||||
Vaultwarden master password. Keep it recoverable without the cluster.
|
||||
|
||||
> **To verify (ADR-014, security-relevant):** confirm `rbw` actually decrypts its
|
||||
> local cache fully offline on your pinned `rbw` version before relying on this.
|
||||
|
||||
---
|
||||
|
||||
## Rotating a single secret value
|
||||
|
||||
1. Ensure the agent is unlocked: `rbw unlock`
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue