
Workspace Initialization

PGP fingerprint

You are required to provide at least one PGP fingerprint when initializing the workspace in order to encrypt your secrets.

Most likely this key will be provided by your system administrator. If it is not, you can generate a new PGP key using:

$ gpg --full-generate-key

You can then retrieve the PGP fingerprint, which is a 40-character hexadecimal string (e.g. 0123456789ABCDEF0123456789ABCDEF01234567).

$ gpg --list-keys -a mail@leitwert.ch
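
An added example (not from the dhops project): `gpg --list-keys` prints a human-oriented listing, so the functions below pull the primary-key fingerprint from gpg's machine-readable `--with-colons` output and check that a pasted value is a 40-character hex string before it is typed at the `dhops init` prompt. The function names are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Added example; not part of dhops or of the original page.

# normalize_fpr FPR
# Strip spaces, upper-case, and accept only a 40-character hex string.
# Prints the normalized fingerprint, or returns 1 if it is malformed
# (for instance a 16-character key ID pasted by mistake).
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF')
    case "$fpr" in
        ''|*[!0123456789ABCDEF]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# primary_fprs
# Reads `gpg --with-colons` output on stdin and prints the fingerprint of
# each primary key: the first "fpr" record after a "pub" record (field 10).
# Subkey fingerprints (the "fpr" record after a "sub" record) are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Constructed sample of `gpg --list-keys --with-colons` output
# (one primary key with one encryption subkey; all values are made up).
SAMPLE_COLONS='tru::1:1648700000:0:3:1:5
pub:u:4096:1:89ABCDEF01234567:1648700000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1648700000::0000000000000000000000000000000000000000::Constructed Key <mail@leitwert.ch>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1648700000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# Demo on the constructed sample. Against a real keyring you would run:
#   gpg --list-keys --with-colons mail@leitwert.ch | primary_fprs
printf '%s\n' "$SAMPLE_COLONS" | primary_fprs
```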

To export keys to a file, you can use the following commands:

$ mkdir workspace
$ cd workspace/
$ mkdir keys
$ gpg --export -a "mail@leitwert.ch" > keys/mail@leitwert.ch.pgp.pub
$ gpg --export-secret-keys -a "mail@leitwert.ch" > keys/mail@leitwert.ch.pgp

For more information:

  1. Have a look at the Quick'n easy gpg cheatsheet to get started.
  2. Or consult the official GnuPG documentation.

Initialization

Finally, initialize your workspace using the CLI:

# make sure you are in your workspace directory
$ dhops init
Would you like to enter a PGP fingerprint? [Y/n]: y
Enter PGP Fingerprint: 0123456789ABCDEF0123456789ABCDEF01234567
Would you like to enter a PGP fingerprint? [Y/n]: n
Workspace initialized

Two files, .sops.yaml and dhops.yaml, will be created in the workspace folder after the initialization. You can add or modify the fingerprints at any time in the .sops.yaml file created by the initialization.

Find out more about .sops.yaml in the official sops documentation.

Workspace

At the end of this tutorial, your workspace should have the following tree structure:

.
├── keys
│   ├── webteam@leitwert.ch.pgp
│   ├── webteam@leitwert.ch.pgp.pub
│   ├── username@name.node.leitwert.ch.rsa
│   └── username@name.node.leitwert.ch.rsa.pub
└── dhops.yaml

Git

If you are using Git for version control, we recommend adding the following to .gitignore, so that the secret keys exported to keys/ are not committed:

keys/
.output/


Last update: 2022-03-31