Phase 8: Secrets & Credentials
Phase 8: Secrets & Credentials
age
mkdir -p ~/.age/{recipients,identities}
chmod 700 ~/.age/identities
# Copy identity from secure backup — DO NOT paste hereSSH Keys
mkdir -p ~/.ssh && chmod 700 ~/.ssh
ssh-keygen -t ed25519 -C "evanusmodestus@modestus-p16g"Decrypt SSH Config
cd ~/atelier/_projects/personal/dots-quantum
age -d -i ~/.age/identities ssh/.ssh/config.age > ssh/.ssh/config
stow -t ~ sshYubiKey & GPG
sudo pacman -S gnupg pcsc-tools ccid yubikey-manager
sudo systemctl enable --now pcscd# Insert YubiKey
gpg --card-status# Import public key (private subkeys are on the YubiKey)
gpg --keyserver keys.openpgp.org --recv-keys <YOUR-KEY-ID>
gpg --edit-key <KEY-ID>
# trust → 5 (ultimate) → quitgopass
sudo pacman -S gopassgopass clone ssh://git@gitea-01.inside.domusdigitalis.dev:2222/evanusmodestus/password-store v3gopass sync
gopass ls | head -20Git Remote Access
cat ~/.ssh/id_ed25519.pub | wl-copy
# Add to: github.com/settings/keys, gitlab.com, gitea-01ssh -T git@github.com
ssh -T git@gitlab.com
ssh git@gitea-01.inside.domusdigitalis.devVault SSH Certificates
Certificate-based SSH eliminates authorized_keys management. Vault signs a public key with a TTL — hosts trust the CA, not individual keys.
|
Each machine MUST have its own keypair. Do NOT share private keys across machines. Per-machine keys allow:
|
Generate a dedicated keypair (on the P16g)
# Generate a NEW key for this machine — do NOT reuse the Razer's key
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_vault -C "vault-signed@modestus-p16g"Sign the key (from the Razer — Vault access required)
The P16g may not have direct Vault access (VLAN routing). Sign from the Razer by copying the P16g’s PUBLIC key.
# On the Razer — load Vault credentials
ds d000 dev/vault# Copy P16g's public key to Razer
scp -F /dev/null -i ~/.ssh/id_ed25519_d000 evanusmodestus@10.50.10.126:~/.ssh/id_ed25519_vault.pub /tmp/p16g-vault.pub# Verify it's the P16g's key, not the Razer's
cat /tmp/p16g-vault.pub
# Should show: ... vault-signed@modestus-p16g# Sign it with Vault (8h TTL — re-sign daily)
vault write -field=signed_key ssh/sign/domus-client \
public_key=@/tmp/p16g-vault.pub \
valid_principals="evanusmodestus,admin,root" \
>| /tmp/p16g-vault-cert.pub# Send the signed cert back to the P16g
scp -F /dev/null -i ~/.ssh/id_ed25519_d000 /tmp/p16g-vault-cert.pub evanusmodestus@10.50.10.126:~/.ssh/id_ed25519_vault-cert.pubVerify the certificate (on the P16g)
ssh-keygen -L -f ~/.ssh/id_ed25519_vault-cert.pubExpected output
Type: ssh-ed25519-cert-v01@openssh.com user certificate
Public key: ED25519-CERT SHA256:...
Signing CA: ED25519 SHA256:...
Key ID: "vault-signed@modestus-p16g"
Valid: from <now> to <now + 8h>
Principals:
evanusmodestus
admin
rootTest cert-based SSH (on the P16g)
# SSH to a host that trusts the Vault CA (TrustedUserCAKeys configured)
ssh -i ~/.ssh/id_ed25519_vault evanusmodestus@<target-host>|
Certificate renewal: Vault SSH certs have an 8-hour TTL. Re-sign daily by repeating the sign + scp steps from the Razer. Consider a script or cron job for automation. TrustedUserCAKeys: Target hosts must have the Vault SSH CA public key in |
Borg Backup
sudo pacman -S borg nfs-utils# Mount Synology NAS
sudo mkdir -p /mnt/synology
sudo mount -t nfs nas-01.inside.domusdigitalis.dev:/volume1/borg_backups /mnt/synology# Load Borg passphrase
dsource d000 dev/storage# Init new repo for P16g (or use existing borg-repo)
sudo -E BORG_PASSPHRASE="$BORG_PASSPHRASE" borg init --encryption=repokey /mnt/synology/borg-repo-p16g# First backup
sudo -E BORG_PASSPHRASE="$BORG_PASSPHRASE" ~/.local/bin/borg-backup-synology.sh# Verify
sudo -E BORG_PASSPHRASE="$BORG_PASSPHRASE" borg list /mnt/synology/borg-repo-p16g --last 3