Phase 9: Secrets & Identity

GPG Key

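# Import GPG key from workstation
# On workstation:
# The armored secret key is staged on disk briefly, so create the file with
# mktemp: it gets an unpredictable name and mode 0600, instead of a fixed,
# world-readable path in the shared /tmp.
secret_tmp=$(mktemp /tmp/gpg-secret.XXXXXX) || exit 1
gpg --export-secret-keys --armor 28A3183647525597 > "$secret_tmp" || exit 1
# scp carries the 0600 mode over, so the copy on the VM is owner-only too
scp -- "$secret_tmp" rhel9-ws:~/gpg-secret.asc
rm -f -- "$secret_tmp"
# On RHEL VM:
gpg --import ~/gpg-secret.asc
# --edit-key is interactive: trust → 5 → y → quit
gpg --edit-key 28A3183647525597
rm -f ~/gpg-secret.asc
# Confirm the secret key landed before relying on it (gopass signing/decryption)
gpg --list-secret-keys --keyid-format long 28A3183647525597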

SSH Keys

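# Copy SSH keys from workstation
# scp cannot create the target directory: make sure ~/.ssh exists on the VM,
# already owner-only, before any private key is written into it.
ssh rhel9-ws 'mkdir -p -m 700 ~/.ssh'
scp ~/.ssh/id_ed25519_* rhel9-ws:~/.ssh/
scp ~/.ssh/config rhel9-ws:~/.ssh/
# Set permissions on RHEL VM
chmod 700 ~/.ssh
# The id_ed25519_* glob also matches the .pub files; the next line opens those
# back up to 644, so keep this order.
chmod 600 ~/.ssh/id_ed25519_*
chmod 644 ~/.ssh/*.pub
chmod 600 ~/.ssh/config
# Copied files may carry the wrong SELinux label, which makes sshd ignore them;
# relabel unconditionally rather than waiting for a failed login to notice.
restorecon -Rv ~/.ssh/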
The SELinux context on ~/.ssh/ must be correct: files copied in with scp may carry the wrong label, and sshd then ignores the keys. If SSH fails after copying, run `restorecon -Rv ~/.ssh/`.

gopass

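# Install gopass (may need to build from source or download binary)
# Check if available in EPEL
sudo dnf search gopass
# If not in repos, install from GitHub releases
GOPASS_VERSION="1.15.14"
# Pin the RPM's SHA-256 from the release page so a tampered or truncated
# download is never installed. Placeholder: fill in before running.
GOPASS_RPM_SHA256="<sha256-of-the-rpm-from-the-release-page>"
gopass_rpm=$(mktemp /tmp/gopass.XXXXXX.rpm) || exit 1
# -f: an HTTP error body must not be saved and then handed to rpm/dnf
curl -fL -o "$gopass_rpm" \
  "https://github.com/gopasspw/gopass/releases/download/v${GOPASS_VERSION}/gopass-${GOPASS_VERSION}-linux-amd64.rpm" \
  || exit 1
# Refuse to continue when the digest does not match the pinned value
printf '%s  %s\n' "$GOPASS_RPM_SHA256" "$gopass_rpm" | sha256sum -c - || exit 1
# dnf resolves dependencies for a local RPM; plain `rpm -i` does not
sudo dnf install -y "$gopass_rpm"
rm -f -- "$gopass_rpm"
# Clone and mount gopass store
mkdir -p ~/.local/share/gopass/stores
git clone git@github.com:EvanusModestus/gopass-v3.git ~/.local/share/gopass/stores/v3
gopass mounts add v3 ~/.local/share/gopass/stores/v3
# Verify
gopass ls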

age Encryption

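# Install age
# The go-install fallback puts the binary under GOPATH/bin, which is not on
# PATH by default; the command -v check makes that visible right away.
sudo dnf install -y age || go install filippo.io/age/cmd/...@latest
command -v age >/dev/null || printf 'age is installed but not on PATH\n' >&2
# Copy age identities and recipients from workstation
scp -r ~/.age rhel9-ws:~/
# Identities are private keys: strip group/other access on the VM after the copy
ssh rhel9-ws 'chmod -R go-rwx ~/.age'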

Vault SSH Certificate

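# From workstation (with Vault access):
dsource d000 dev/vault

# Sign RHEL VM's public key
# /tmp/rhel9-ws.pub must already hold the VM's *public* key on the workstation
# (fetch it with scp first if it is not there yet, e.g. scp rhel9-ws:~/.ssh/<key>.pub /tmp/rhel9-ws.pub).
# The redirect creates the output file before vault runs, so remove it again
# if signing fails rather than leaving an empty "certificate" behind.
vault write -field=signed_key ssh/sign/domus-client \
  public_key=@/tmp/rhel9-ws.pub \
  valid_principals="evanusmodestus" \
  > /tmp/rhel9-ws-cert.pub \
  || { rm -f /tmp/rhel9-ws-cert.pub; exit 1; }

# Inspect principals, validity window and extensions before installing the cert
ssh-keygen -L -f /tmp/rhel9-ws-cert.pub

# OpenSSH pairs a certificate with the key named "<key>-cert.pub", so this
# file name only takes effect if the VM's private key is ~/.ssh/id_ed25519_vault
scp /tmp/rhel9-ws-cert.pub rhel9-ws:~/.ssh/id_ed25519_vault-cert.pub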
Check Status

GPG key imported and trusted

[ ]

SSH keys copied, permissions set

[ ]

SSH keys SELinux context correct (restorecon)

[ ]

gopass installed and mounted

[ ]

gopass ls works

[ ]

age installed, identities copied

[ ]

Vault SSH cert issued

[ ]