ADR 006 - Secrets
Date
- Feb/23/2026
- First documentation
Status
- Accepted
Context
- Secret values must not be uploaded anywhere as plain values.
- Manage secret values in Git without their real values.
Considerations
External KMS
- HashiCorp Vault or Infisical
- Very powerful, but introduces significant compute/memory overhead.
- Creates a "Secret Zero" problem for a single-node homelab environment because of its dependencies (a database, etc.).
- It is hard to operate hardware-separated key servers.
Systemd-credential
- In a VM environment it is hard to use a TPM with systemd-credential.
- It is hard to guarantee the idempotency of a TPM in a virtual environment.
Ansible vault only
- Ansible vault is a powerful option, but it is not convenient.
- Files must be encrypted separately, outside the host_vars or group_vars files.
- It is hard to add or modify secret values in the inventory file.
Decisions
- All secret data in yaml format is encrypted by sops with an age key in secret.yaml.
- The age key is encrypted by gpg and ansible vault with a master key (including upper case, lower case, numbers and special characters) above 40 characters.
- All secret data is always decrypted by the edit_secret.sh script or ansible tasks from secrets.yaml, using the age key encrypted by ansible-vault.
- Decrypted secret data is always processed on ramfs; it is never saved on disk.
- The master key is never saved on disk, only in cold storage (USB, M-DISC, operators' memory).
- The secret data is saved in a server-specific directory or a podman secret on each server.
  - OS:
    - path: /etc/secrets owner: root:root mode: 0711
    - path: /etc/secrets/$UID owner: $UID:root mode: 0500
  - Containers:
    - podman secret: path: /run/secret/$SECRET_NAME
- These data are never backed up by kopia, or uploaded to git.
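The decrypt-to-ramfs flow and the /etc/secrets layout from the decisions above, as an added shell example that is not the ADR's own edit_secret.sh; the file name age.key.vault, the secrets.yaml name and /dev/shm as the ramfs work directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the ADR's own edit_secret.sh: decrypt the ansible-vault
# wrapped age key onto ramfs, decrypt secrets.yaml with sops, and lay out
# /etc/secrets as the ADR requires. Assumed names: age.key.vault, /dev/shm.
set -eu

RAMFS="${RAMFS:-/dev/shm}"   # tmpfs: decrypted material never touches disk

# Decrypt the ansible-vault-encrypted age key to a 0600 file on ramfs.
# The master key is typed in from cold storage; it is never stored.
decrypt_age_key() {          # $1 = age.key.vault; prints the ramfs key path
  local out
  out="$(mktemp -p "$RAMFS" agekey.XXXXXX)"
  ansible-vault view --ask-vault-pass "$1" > "$out"
  chmod 0600 "$out"
  echo "$out"
}

# Decrypt the sops-encrypted secrets.yaml using only the age key on ramfs.
decrypt_secrets() {          # $1 = secrets.yaml, $2 = age key path; prints YAML
  SOPS_AGE_KEY_FILE="$2" sops --decrypt "$1"
}

# Per-host layout: /etc/secrets 0711 root:root, /etc/secrets/$UID 0500 $UID:root.
# $1 = root prefix ("" on a real host, a temp dir when testing), $2 = uid.
layout_secret_dirs() {
  local base="$1/etc/secrets"
  mkdir -p "$base/$2"
  chmod 0711 "$base"
  chmod 0500 "$base/$2"
  if [ "$(id -u)" -eq 0 ]; then   # ownership can only be set as root
    chown root:root "$base"
    chown "$2:root" "$base/$2"
  fi
}

# Octal mode of a path, for verifying the layout (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Print ok/bad depending on whether $1 has the expected octal mode $2.
check_mode() {
  if [ "$(mode_of "$1")" = "$2" ]; then echo ok; else echo bad; fi
}

# Full flow on a target host (run as root):
#   key=$(decrypt_age_key age.key.vault)
#   layout_secret_dirs "" 1000
#   decrypt_secrets secrets.yaml "$key" > /etc/secrets/1000/app.yaml
#   chmod 0400 /etc/secrets/1000/app.yaml && shred -u "$key"
```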
Consequences
- Secret values are not stored as plain text anywhere except where they are needed.
- It is possible to manage encrypted secret data with Git.