Encryption-Keys

Metadata only — actual key material is NEVER displayed here.

Generated: 2026-04-30

Sicherheitsregel: Diese Seite enthält ausschließlich Metadaten. Niemals Keymaterial in den DOM rendern, keine Klartext-Pässe in JSON.

sops.key (age)

Decrypts every services/*/secrets/*.enc.yaml at runtime

WARN

Pfad: /home/ubuntu/infrastructure/keys/sops.key
Perms: 600 ubuntu:ubuntu
Rotation: annual (per infrastructure/CLAUDE.md)
Letzte Rotation: 2026-02-04
Bundle-Alter: 35d

Backup-Locations

OVH S3 (adorable-powell/keys/keys-bundle.tar.gz.age)
Edge-1 (/backup/oysi-server/keys-bundle*.age)
Edge-2 (/backup/oysi-server/keys-bundle*.age — 35d alt)
Bitwarden Vault — Item: SOPS Key

Bundle is consistent (mtime > key mtime) but 35d old — refresh after every rotation

backup.key (age)

Decrypts ALL .age files (DB-Dumps, Volume-Tars, Config-Tars, Bundles)

WARN

Pfad: /home/ubuntu/infrastructure/keys/backup.key
Perms: 600 ubuntu:ubuntu
Rotation: annual
Letzte Rotation: 2026-02-04
Bundle-Alter: 35d

Backup-Locations

OVH S3 (adorable-powell/keys/keys-bundle.tar.gz.age)
Edge-1 (Bundle)
Edge-2 (Bundle, 35d alt)
Bitwarden Vault — Item: Key-Bundle Passphrase

Bundle Passphrase MUST be retrieved from Bitwarden BEFORE the bundle can be decrypted

Key-Bundle Passphrase

Decrypts keys-bundle.tar.gz.age (symmetric age -p)

WARN

Pfad: n/a (memorized + Bitwarden)
Perms: n/a
Rotation: with key rotation
Letzte Rotation: UNKNOWN

Backup-Locations

Bitwarden Vault — Item: Key-Bundle Passphrase

Without this passphrase, EVERY age file is unrecoverable

backup_edge_key (SSH ed25519)

Pushes backups to srvbackup@10.8.0.{4,5}

FAIL

Pfad: /home/ubuntu/.ssh/backup_edge_key
Perms: 600 ubuntu:ubuntu
Rotation: ad-hoc
Letzte Rotation: UNKNOWN

Backup-Locations

Bitwarden Vault — Secure Note (UNCONFIRMED, see GAP P1-8)

GAP P1-8 — Bitwarden coverage NOT verified. Keep on persistent backup-storage outside VPS or risk lock-out at VPS-Tod.

wg0 PrivateKey (edge-1)

WireGuard tunnel edge-1 → wg-easy

FAIL

Pfad: edge-1:/etc/wireguard/wg0.conf
Perms: 600 root
Rotation: ad-hoc
Letzte Rotation: UNKNOWN

Backup-Locations

edge-1 local only — NOT replicated

GAP P1-4 — at Pi-Tod the key is gone. Should be mirrored to Bitwarden SM or included in Keys-Bundle.

wg0 PrivateKey (edge-2)

WireGuard tunnel edge-2 → wg-easy

FAIL

Pfad: edge-2:/etc/wireguard/wg0.conf
Perms: 600 root
Rotation: ad-hoc
Letzte Rotation: UNKNOWN

Backup-Locations

edge-2 local only — NOT replicated

GAP P1-4 — symmetric to edge-1.

rclone OVH-S3 credentials

Push offsite backups to s3.eu-west-par

Pfad: /home/ubuntu/infrastructure/secrets/rclone.conf.enc.yaml (SOPS)
Perms: 600
Rotation: ad-hoc on suspected leak
Letzte Rotation: UNKNOWN

Backup-Locations

OVH S3 (in Configs-Tarball)
Edge-1 (in Configs-Tarball)
Edge-2 (in Configs-Tarball)
Bitwarden Vault

Encrypted with sops.key — restore needs sops.key first