Runbook: Team Setup & Member Management
Step-by-step runbook for creating teams, adding members, and managing shared secrets using the dsec SOPS integration.
Prerequisites Checklist
| Requirement | Status | Verification Command |
|---|---|---|
| SOPS installed | CHECK | |
| yq v4+ installed (Go version) | CHECK | |
| age installed | CHECK | |
| dsec v2.0.0+ | CHECK | |
| Master age key exists | CHECK | |
| shared/ directory exists | CHECK | |
Phase 1: Verify Prerequisites
1.1 Check SOPS Installation
sops --version
Expected: sops 3.x.x
If missing:
sudo pacman -S sops
1.2 Check yq Installation
yq --version
Expected: yq (github.com/mikefarah/yq/) version v4.x.x
Note: Must be Go yq (mikefarah/yq), not Python yq. If you see
Phase 2: Create Team
2.1 Initialize Team
# Syntax: dsec team init <team-id> [friendly-name]
dsec team init family "Family Home Automation"
Expected output:
✓ Created team: family
Add members: dsec team add-member family <pubkey-file> --name <name>
Phase 3: Add Team Members
3.1 Receive Member’s Public Key
The team member generates their key pair:
# ON MEMBER'S MACHINE
age-keygen -o ~/.age/private.key
age-keygen -y ~/.age/private.key > ~/my-public-key.txt
# They send you my-public-key.txt (safe to share)
3.2 Add Member to Team
# Save their public key
cat > /tmp/alice.pub << 'EOF'
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
EOF
# Add to team
dsec team add-member family /tmp/alice.pub --name "Alice"
# Cleanup
shred -u /tmp/alice.pub
Expected output:
✓ Added member 'alice' to team 'family'
! Existing secrets must be re-encrypted: dsec team rotate family
3.3 Verify Member Added
dsec team keys family
Expected:
╭── Team: family ──────────────────────────────────────────────────╮
owner: age1wtdeuelfua4afrqqtw8claqf5wc335g7euhgh22pjzd57azpgq3q7jqcnn
alice: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
╰────────────────────────────────────────────────────────────────╯
Phase 4: Create Shared Secrets
4.1 Create Secret via Editor
dsec shared edit family home-automation
This opens your $EDITOR with SOPS. Add YAML content:
# Home automation secrets
MQTT_HOST: mqtt.home.local
MQTT_USER: homeassistant
MQTT_PASS: your-mqtt-password
ZIGBEE_NETWORK_KEY: "0x01030507090b0d0f00020406080a0c0e"
HASS_TOKEN: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Save and exit. SOPS encrypts automatically.
4.2 Verify Secret Created
dsec shared list family
Expected:
╭── Shared Secrets ──────────────────────────────────────╮
│ family/
│ home-automation
╰──────────────────────────────────────────────────────╯
Phase 5: Member Access Verification
5.1 Member Decryption Test
The team member verifies access on their machine:
# ON MEMBER'S MACHINE
# Set their key
export SOPS_AGE_KEY_FILE=~/.age/private.key
# Decrypt (assuming they have access to the file)
sops -d ~/.secrets/shared/teams/family/home-automation.yaml
Expected: Decrypted YAML content
Validation Summary
After completing all steps, verify:
| Check | Status | Command |
|---|---|---|
| Team exists in registry | VERIFY | |
| Team has correct members | VERIFY | |
| Secrets created | VERIFY | |
| Secrets decrypt correctly | VERIFY | |
| Environment load works | VERIFY | |
| Member can decrypt | VERIFY | Member runs |
Removing Team Members
Rotate Secrets (Critical!)
Warning: After removing a member, always rotate secrets and consider changing any credentials they had access to.
# Re-encrypt without removed member
dsec team rotate family
# Additionally, change actual credentials:
# - Rotate MQTT password
# - Regenerate API tokens
# - Update Zigbee network key if concerned
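An added consistency check (example code, not part of dsec) that compares the age recipients recorded in a shared secret's sops metadata with the team's key list: it flags a newly added member the file cannot yet serve and a removed member who can still decrypt it, the two situations "dsec team rotate" fixes. The team list, the file contents and the "bob" key are constructed samples; it needs only sh, sed, awk and grep.

```shell
#!/bin/sh
# Added example (not part of dsec): cross-check the age recipients recorded in a
# SOPS file against the team key list, catching a member added or removed without
# "dsec team rotate". Plain sh + sed/awk/grep, so it needs neither sops nor yq.
# The "bob" key and the encrypted payloads below are constructed placeholders.
set -e

TEAM_KEYS_FILE=$(mktemp)   # "dsec team keys family" output saved as name: key lines
SOPS_FILE=$(mktemp)        # sops metadata of an already-encrypted shared secret
trap 'rm -f "$TEAM_KEYS_FILE" "$SOPS_FILE"' EXIT

cat > "$TEAM_KEYS_FILE" <<'EOF'
owner: age1wtdeuelfua4afrqqtw8claqf5wc335g7euhgh22pjzd57azpgq3q7jqcnn
alice: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
EOF

# Constructed: encrypted before alice joined and before bob left the team.
cat > "$SOPS_FILE" <<'EOF'
MQTT_HOST: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
    age:
        - recipient: age1wtdeuelfua4afrqqtw8claqf5wc335g7euhgh22pjzd57azpgq3q7jqcnn
          enc: PLACEHOLDER
        - recipient: age1bobplaceholderkeyremovedfromteam0000000000000000000000000
          enc: PLACEHOLDER
    version: 3.8.1
EOF

# age recipients recorded in a SOPS file, one per line
sops_recipients() { sed -n 's/^[[:space:]]*-[[:space:]]*recipient:[[:space:]]*//p' "$1"; }
# public keys from "name: key" lines, one per line
team_keys() { awk -F': *' 'NF >= 2 { print $2 }' "$1"; }
# team members whose key is not a recipient: they cannot decrypt until a rotate
missing_recipients() {
  pat=$(mktemp); sops_recipients "$2" > "$pat"
  team_keys "$1" | grep -vxF -f "$pat" || true; rm -f "$pat"
}
# recipients no longer in the team: a removed member can still decrypt until a rotate
stale_recipients() {
  pat=$(mktemp); team_keys "$1" > "$pat"
  sops_recipients "$2" | grep -vxF -f "$pat" || true; rm -f "$pat"
}
# succeeds only when file recipients and team keys agree exactly
recipients_match() {
  [ -z "$(missing_recipients "$1" "$2")" ] && [ -z "$(stale_recipients "$1" "$2")" ]
}

recipients_match "$TEAM_KEYS_FILE" "$SOPS_FILE" && echo "OK: recipients match team" \
  || echo "ROTATE NEEDED: missing=[$(missing_recipients "$TEAM_KEYS_FILE" "$SOPS_FILE")] stale=[$(stale_recipients "$TEAM_KEYS_FILE" "$SOPS_FILE")]"
```

Run it against every file under shared/teams/<team-id>/ after an add-member or remove-member to confirm the rotate actually happened.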
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| | Wrong yq version | |
| | Typo or not created | |
| | Wrong age key | Verify |
| Member can’t decrypt | Not in recipients | |