Rotate offsite backup GPG keys
To encrypt our offsite backups, we use GPG keys which are valid for a year. For good security practice we rotate these keys each year.
Generate a new key
When creating a new key it is important that you reuse the existing
passphrase: otherwise the incremental backup will fail, because the
historical data (the previous diffs) can no longer be accessed and decrypted.
- Pull the govuk-secrets repo.
- Generate the key from the template:
  gpg2 --batch --gen-key gpg_templates/offsite_backup_gpg_template.txt
- Ensure you make a copy of the password you use.
- Get the key ID you just generated with
  gpg2 --list-keys --fingerprint, and make a copy of the full fingerprint ID.
- Export the secret key: copy the output of
  gpg2 --export-secret-key --armor <key id>
- Export the public key: copy the output of
  gpg2 --export --armor <key id>
  to a public key server, for instance https://pgp.mit.edu/
NB: The secret key and public key exports (steps 6 & 7) use different commands.
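The fingerprint-copying and yearly-rotation steps above can be checked with a small script. This is an added example, not part of the govuk-secrets repo or the GOV.UK tooling: it parses the machine-readable (--with-colons) form of the gpg2 listing to pull out the primary key's full fingerprint and expiry, and reports when rotation is due. The listing, key IDs, dates and fingerprints below are constructed sample data.

```shell
#!/bin/sh
# Constructed sample of `gpg2 --list-keys --fingerprint --with-colons <key id>` output
# (key ids, timestamps and fingerprints are made up). Field 7 of a "pub" record is the
# expiry as a Unix timestamp; field 10 of the following "fpr" record is the fingerprint.
SAMPLE_LISTING='tru::1:1700000000:1731536000:3:1:5
pub:u:4096:1:0123456789ABCDEF:1700000000:1731536000::u:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1700000000::AAAA::Offsite backup <backup@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1700000000:1731536000:::::e::::::23:
fpr:::::::::9999888877776666555544443333222211110000:'

# Print the 40-hex-digit fingerprint of the primary key: the first "fpr" record
# that follows a "pub" record (subkey fingerprints come after "sub" and are skipped).
primary_fingerprint() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "pub" { want = 1; next }
    $1 == "fpr" && want { print $10; exit }
  '
}

# Print the primary key expiry as a Unix timestamp; empty if the key never expires.
primary_expiry() {
  printf '%s\n' "$1" | awk -F: '$1 == "pub" { print $7; exit }'
}

# Return 0 if the primary key expires within $3 days of "now" ($2, Unix timestamp),
# 1 otherwise (including keys with no expiry, which never trigger rotation here).
rotation_due() {
  expiry=$(primary_expiry "$1")
  [ -n "$expiry" ] || return 1
  [ "$expiry" -le $(( $2 + $3 * 86400 )) ]
}

# Usage against the live keyring (gpg2 needed, key id as in the steps above):
#   listing=$(gpg2 --list-keys --fingerprint --with-colons <key id>)
#   primary_fingerprint "$listing"
#   rotation_due "$listing" "$(date +%s)" 30 && echo "rotate the offsite backup key soon"
```

Run the two usage lines on the backup host (or wherever the key lives) to get the exact fingerprint to paste into hieradata and a 30-day warning before the yearly expiry.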
What do I need to update?
The following files need to be updated with the new key details:
Update the govuk-puppet hieradata, updating the
_: &offsite_gpg_key key with the new fingerprint value.
Update the encrypted govuk-secrets repo hieradata, updating both
backup::assets::backup_private_gpg_key_passphrase with the relevant values.