This page was set to be reviewed before 2017-06-25 by the page owner: #govuk-infrastructure. This might mean the content is out of date.

Rotate offsite backup GPG keys

This page was imported from the opsmanual on GitHub Enterprise. It hasn’t been reviewed for accuracy yet.

To encrypt our offsite backups, we use GPG keys which are valid for a year. For good security practice we rotate these keys each year.

Generate a new key

  1. Pull the govuk-secrets repo.
  2. cd deployment/puppet
  3. gpg2 --batch --gen-key gpg_templates/offsite_backup_gpg_template.txt
  4. Ensure you make a copy of the password you use.
  5. Get the key ID you just generated with gpg2 --list-keys --fingerprint, and make a copy of the full fingerprint ID.
  6. Copy the output of gpg2 --export-secret-key --armor <key id>
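To see which key is due for rotation and to read off the full fingerprint from step 5 without copying it by eye, the machine-readable listing from gpg2's `--with-colons` option can be filtered. This is an added example, not part of the original opsmanual or the govuk-secrets repo: the function names and the sample listing are constructed, and it assumes expiry times are printed as seconds since the epoch, as GnuPG 2.x does.

```shell
#!/bin/sh
# Added example (not from the opsmanual). Real use:
#   gpg2 --list-keys --fingerprint --with-colons | expiring_keys "$(date +%s)" 30

# expiring_keys NOW_EPOCH WINDOW_DAYS
# Reads a --with-colons key listing on stdin and prints
# "<full fingerprint> <days left>" for every primary key whose expiry falls
# within WINDOW_DAYS of NOW_EPOCH. A negative day count means already expired.
expiring_keys() {
  awk -F: -v now="$1" -v window="$2" '
    # pub record: field 7 is the expiry time (empty means no expiry).
    $1 == "pub" { expires = $7; want_fpr = 1; next }
    # The first fpr record after a pub record belongs to the primary key and
    # holds the fingerprint in field 10. Later fpr records are for subkeys.
    $1 == "fpr" && want_fpr {
      want_fpr = 0
      if (expires != "" && expires - now <= window * 86400)
        print $10, int((expires - now) / 86400)
    }
  '
}

# Constructed sample listing: an old key close to expiry and its replacement.
sample_listing() {
  cat <<'EOF'
pub:u:4096:1:89ABCDEFAAAAAAAA:1700000000:1731536000::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAAAAAA:
uid:u::::1700000000::::Offsite Backup old (constructed) <backup@example.invalid>:
sub:u:4096:1:1111111111111111:1700000000:1731536000:::::e:
fpr:::::::::1111111111111111111111111111111111111111:
pub:u:4096:1:89ABCDEFBBBBBBBB:1729000000:1760536000::u:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210BBBBBBBB:
uid:u::::1729000000::::Offsite Backup new (constructed) <backup@example.invalid>:
EOF
}

# Demo against the sample, with "now" fixed 25 days before the old key expires.
sample_listing | expiring_keys 1729376000 30
```

Only the old key is reported; the replacement key and the subkey fingerprint are skipped.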

What do I need to update?

The following files need to be updated with the new key details:

Update the govuk-puppet hieradata, updating the _: &offsite_gpg_key key with the new fingerprint value.

Update the encrypted govuk-secrets repo hieradata, updating both backup::assets::backup_private_gpg_key and backup_private_gpg_key_passphrase with the relevant values.
