Secrets Management
Operational patterns for managing secrets across the domus infrastructure: gopass, Vault, age encryption, SSH certificates, TOTP, and hardware tokens.
Topics
| Topic | Description |
|---|---|
| | File encryption for dotfiles, configs, and git-tracked secrets |
| | Password store operations — read, write, search, mount, audit |
| | HashiCorp Vault — KV secrets, PKI, SSH CA, seal operations |
| | Credential architecture, rotation workflows, dsec CLI |
| | Certificate inspection, chain verification, Vault issuance |
| | CA hierarchy, Vault PKI engine, CSR workflow, revocation |
| | Key management, encryption, signing, git integration |
| | Key generation, agent management, Vault-signed certificates |
| | Certificate structure, field inspection, key matching |
| | PKCS#12 bundles, PKCS#7 chains, PKCS#11 hardware tokens |
| | Time-based one-time passwords via gopass and oathtool |
| | Keyring, SSH agent, GPG agent, systemd credentials |
| | FIDO2, PIV smart card, OATH TOTP, OpenPGP on hardware |
Related
- Security Codex — broader security tools (firewalls, SIEM, IDS, forensics)
- gopass Codex — deep-dive gopass patterns (mounts, history, OTP, audit tool)