Secrets Management¶
To use our team's shared Discord bot token, you will need to retrieve it from the .env.lock
file in the project
root directory. This section will guide you through the process of decrypting the file to access the token.
Install Tools¶
First, you will need to install age
and SOPS
on your system. Follow the instructions for your operating system below.
Open a PowerShell terminal and run the following command to install SOPS
:
winget install -e --id Mozilla.SOPS
To install age
, download the latest binary for Windows and
add your age
binary to the system PATH
.
Open a terminal and run the following command:
brew install age sops
Download the SOPS
binary for your platform. For instance, if
you are on an amd64 architecture:
curl -LO https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.linux.amd64
Move the binary into your PATH
:
mv sops-v3.9.0.linux.amd64 /usr/local/bin/sops
Make the binary executable:
chmod +x /usr/local/bin/sops
Finally, install age
:
sudo apt-get install -y age
If you are using the development container, the tools are already installed! 🎉
Generate Keys¶
Using the development container
The development container automatically generates a key pair for you on initial setup. You public key will
be shown in the terminal output. You can also find it later in the secrets/keys.txt
file.
Next, you will need to generate a new key pair using age
. Run the following command from the root directory of
the project:
age-keygen -o > secrets/keys.txt
This will create a new key pair and save it to the secrets/keys.txt
file. Share your public key with the team
so it can be registered.
Security Warning
Only your public key can be safely shared. Do not share the private key with anyone!
Where can I find my public key?
You can find your public key in the secrets/keys.txt
file or in the terminal output after generating the
key pair.
Registering a new Public Key¶
Prerequisite
This step needs to be performed by a team member who already has access to the .env
file.
To register a new public key, first extend the .sops.yaml
file in the project root directory.
Add the public key to the list of age
keys. Each key is separated by a comma and a newline.
creation_rules:
- age: >-
<KEY1>,
<KEY2>,
<KEY3>
Next, encrypt the .env
file with the updated list of keys and push it to the repository.
Decrypting Secrets¶
Once your public key is added to the .env.lock
file, you can decrypt the file to access the Discord bot token.
First, pull the latest changes from the repository:
git pull
Prerequisite
SOPS
requires the SOPS_AGE_KEY_FILE
environment variable to be set to the path of your private key file.
This is automatically set up in the development container.
Next, run the following command to decrypt the .env.lock
file:
sops decrypt --input-type dotenv --output-type dotenv .env.lock > .env
This will decrypt the file and save the contents to a new .env
file in the project root directory. You can now
access the Discord bot token.
Security Warning
Do not commit your decrypted .env
file to version control or share the contents with anyone!
Encrypting Secrets¶
To encrypt the .env
file after making changes, run the following command:
sops encrypt .env > .env.lock
This will encrypt the file and save it to the .env.lock
file. You can now commit the changes to version control.