OYSI DR-Cockpit passive only

Encryption-Keys

Metadata only — actual key material is NEVER displayed here.

Generated: 2026-04-30

Sicherheitsregel: Diese Seite enthält ausschließlich Metadaten. Niemals Keymaterial in den DOM rendern, keine Klartext-Pässe in JSON.

sops.key (age)

Decrypts every services/*/secrets/*.enc.yaml at runtime

WARN
Pfad
[server filesystem — see Bitwarden]
Perms
600 ubuntu:ubuntu
Rotation
annual (per infrastructure/CLAUDE.md)
Letzte Rotation
2026-02-04
Bundle-Alter
35d

Backup-Locations

  • OVH S3 (offsite)
  • Edge-1 (offsite)
  • Edge-2 (offsite, 35d alt)
  • Bitwarden Vault

Bundle is consistent (mtime > key mtime) but 35d old — refresh after every rotation

backup.key (age)

Decrypts ALL .age files (DB-Dumps, Volume-Tars, Config-Tars, Bundles)

WARN
Pfad
[server filesystem — see Bitwarden]
Perms
600 ubuntu:ubuntu
Rotation
annual
Letzte Rotation
2026-02-04
Bundle-Alter
35d

Backup-Locations

  • OVH S3 (offsite)
  • Edge-1 (offsite)
  • Edge-2 (offsite, 35d alt)
  • Bitwarden Vault

Bundle Passphrase MUST be retrieved from Bitwarden BEFORE the bundle can be decrypted

Key-Bundle Passphrase

Decrypts keys-bundle.tar.gz.age (symmetric age -p)

WARN
Pfad
n/a (memorized + Bitwarden)
Perms
n/a
Rotation
with key rotation
Letzte Rotation
UNKNOWN

Backup-Locations

  • Bitwarden Vault

Without this passphrase, EVERY age file is unrecoverable

backup_edge_key (SSH ed25519)

Pushes backups to srvbackup@10.8.0.{4,5}

FAIL
Pfad
[server filesystem — see Bitwarden]
Perms
600 ubuntu:ubuntu
Rotation
ad-hoc
Letzte Rotation
UNKNOWN

Backup-Locations

  • Bitwarden Vault (UNCONFIRMED, see GAP P1-8)

GAP P1-8 — Bitwarden coverage NOT verified. Keep on persistent backup-storage outside VPS or risk lock-out at VPS-Tod.

wg0 PrivateKey (edge-1)

WireGuard tunnel edge-1 → wg-easy

FAIL
Pfad
[edge node filesystem]
Perms
600 root
Rotation
ad-hoc
Letzte Rotation
UNKNOWN

Backup-Locations

  • edge-1 local only — NOT replicated

GAP P1-4 — at Pi-Tod the key is gone. Should be mirrored to Bitwarden SM or included in Keys-Bundle.

wg0 PrivateKey (edge-2)

WireGuard tunnel edge-2 → wg-easy

FAIL
Pfad
[edge node filesystem]
Perms
600 root
Rotation
ad-hoc
Letzte Rotation
UNKNOWN

Backup-Locations

  • edge-2 local only — NOT replicated

GAP P1-4 — symmetric to edge-1.

rclone OVH-S3 credentials

Push offsite backups to s3.eu-west-par

OK
Pfad
[server filesystem — see Bitwarden]
Perms
600
Rotation
ad-hoc on suspected leak
Letzte Rotation
UNKNOWN

Backup-Locations

  • OVH S3 (in Configs-Tarball)
  • Edge-1 (in Configs-Tarball)
  • Edge-2 (in Configs-Tarball)
  • Bitwarden Vault

Encrypted with sops.key — restore needs sops.key first