System Architecture
Overview
The secrets infrastructure uses a defense-in-depth approach with multiple independent encryption layers.
Figure 1. Secrets Infrastructure Architecture
Storage Tiers
Figure 2. Storage Tiers - Temperature-Based Access Model
| Tier | Technology | Location | Purpose |
|---|---|---|---|
| Hot | dsec + Age | | Daily API keys, credentials |
| Warm | gocryptfs | | Documents, configs (mount on demand) |
| Cold | LUKS2 + BTRFS | USB drives (x2) | Offline backups, master keys |
| Archive | Borg Backup | Synology NAS | Deduplicated encrypted backups |
Password Store
Using gopass with GPG encryption:
- Store location: ~/.password-store/
- Categories: ADMINISTRATIO/, ARCANA/, COMMERCIA/, PERSONAE/
- Git-synced with encrypted contents
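Because the store is pushed to git, the risk worth checking for is an unencrypted file landing in the repository. The following audit script is an added example, not part of this page or of gopass; it assumes the layout above (a store root with the four category directories, secrets as *.gpg files, and .gpg-id plus .gitattributes/.gitignore as the only expected non-secret files) and builds a constructed sample store so it can be run offline.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a git-synced gopass/pass
# store so that only GPG-encrypted secrets and store metadata get committed.
# Assumptions: the layout from the page (a store root with category directories),
# secrets stored as *.gpg files, and .gpg-id / .gitattributes / .gitignore as the
# only expected non-secret files.

# True when FILE begins with OpenPGP data: a binary packet has the high bit of
# its first byte set (RFC 4880 section 4.2); ASCII armor starts "-----BEGIN PGP".
is_openpgp() {
    first=$(head -c 1 "$1" | od -An -tu1 | tr -d ' \n')
    [ -n "$first" ] && [ "$first" -ge 128 ] && return 0
    head -c 14 "$1" | grep -q '^-----BEGIN PGP'
}

# audit_store STORE [CATEGORY...]: print one sorted line per finding.
# Returns 0 when the store is clean, 1 when anything was reported.
audit_store() {
    store=$1; shift
    {
        [ -f "$store/.gpg-id" ] || echo "MISSING: $store/.gpg-id (no GPG recipients defined)"
        for cat in "$@"; do
            [ -d "$store/$cat" ] || echo "MISSING: category $cat/"
        done
        # Classify every regular file outside .git.
        find "$store" -path "$store/.git" -prune -o -type f -print | while read -r f; do
            case "$f" in
                *.gpg) is_openpgp "$f" || echo "PLAINTEXT?: $f has a .gpg name but no OpenPGP header" ;;
                */.gpg-id|*/.gitattributes|*/.gitignore) ;;
                *) echo "UNEXPECTED: $f is not an encrypted secret" ;;
            esac
        done
    } | sort | grep . && return 1
    return 0
}

# demo_store [dirty]: build a constructed sample store in a temp dir and print
# its path; "dirty" also plants the two mistakes the audit is meant to catch.
demo_store() {
    d=$(mktemp -d)
    mkdir -p "$d/.git" "$d/ADMINISTRATIO" "$d/ARCANA" "$d/COMMERCIA" "$d/PERSONAE"
    echo "0xPLACEHOLDERKEYID" > "$d/.gpg-id"                 # placeholder recipient
    printf '\205\001\014\003' > "$d/ARCANA/api-key.gpg"      # fake binary packet start
    printf '%s\n' '-----BEGIN PGP MESSAGE-----' > "$d/PERSONAE/login.gpg"
    if [ "${1:-}" = dirty ]; then
        echo "hunter2" > "$d/COMMERCIA/stripe.gpg"           # plaintext under a .gpg name
        echo "todo: rotate keys" > "$d/COMMERCIA/notes.txt"  # stray unencrypted file
    fi
    echo "$d"
}
```

Run it against the real store with `audit_store ~/.password-store ADMINISTRATIO ARCANA COMMERCIA PERSONAE`, for example as a git pre-commit hook, so a plaintext file is refused before it is ever synced.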