Secrets and private keys

Where are secrets stored

Most secrets are stored in one of two locations:

Secrets that are shared across all of our hub and cluster deployments, such as Auth0 secrets.

Secrets that are specific to each cluster / hub that we run (one JSON file for each cluster). For example, cloud provider secrets to control the cluster programmatically.

Both are encrypted with sops.

See also

For information about how to set up sops, see the team compass documentation

How to rotate / change secrets

Sometimes we need to rotate the secret keys used in our repository. For example, if a service we use has become compromised, and we need to generate new keys in order to protect the infrastructure.

To rotate our secrets, take these steps:

  1. Determine which configuration file you’d like to update. See Where are secrets stored.

  2. Unencrypt the configuration file. See the team compass documentation for instructions on unencrypting.

  3. Generate a new key with openssl:

    openssl rand -hex 32

    This will return a random hash that looks something like this:

  4. Find the key you’d like to replace, and replace its value with the hash that you’ve generated above.


    If you wish to change the secret keys for the hub proxies, you would update the value of secret_key in the configuration file with proxy secrets.

  5. Re-encrypt the file with sops.

  6. Commit the file to the repository and push.

You have now rotated the secret for this key!