
Get started using secrets

Secrets are stored in AWS Secrets Manager. You will need to be on-boarded to GovWifi’s AWS Staging and Production accounts in order to access these secrets.

Secrets Manager

Once you have access to the AWS console, navigate to the Secrets Manager service in AWS.

The relevant credentials are listed in the following format: <service>/<item>.

Pass & GPG

All other sensitive information (such as private IP addresses) is stored in govwifi-build. This information is pulled in when terraform is run.

All shell commands assume you are running from within the govwifi-terraform repository since the govwifi-build repository is cloned in the .private directory of govwifi-terraform.

GPG Tools

To use these secrets, you will need the Password Store tool (pass) installed on your machine and the PASSWORD_STORE_DIR environment variable pointing at the passwords directory of govwifi-build, e.g. on a Macbook:

echo 'export PASSWORD_STORE_DIR="/Users/[YOUR_USERNAME]/[PATH_TO]/govwifi-build/passwords"' >> ~/.bashrc

(If your login shell is zsh, the macOS default, use ~/.zshrc instead.) Source the updated file and check the variable is set, e.g.

. ~/.bashrc ; echo $PASSWORD_STORE_DIR

You will also need an implementation of gpg installed. This will be installable under the name gnupg:

apt/brew/dnf/rpm/yum install gnupg

Generating a GPG keypair

If you do not have a GPG keypair, you can generate one using the following command:

gpg --full-gen-key

Choose RSA and RSA by just pressing enter:

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? (1)

Then choose a key size of 4096 bits:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)
4096

Choose 2y to make your key valid for two years (note that a bare number is read as a number of days):

Please specify how long the key should be valid.

      0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y

Set yourself a calendar reminder to extend this expiry date before the two years are up. You can still extend the expiry date of a key that has already expired (see Extend Expired GPG Key below).

Confirm this:

Key expires at Sun 28 Aug 2024 01:23:45 AM CEST
Is this correct? (y/N) y

Now, enter your name and email address (you can leave the comment empty):

GnuPG needs to construct a user ID to identify your key.

Real name: Alice Bobdottir
Email address: alice@bobdottir.net
Comment:

This email address needs to be valid and one you can read: keys.openpgp.org will send a verification email to it when you upload your key later in this process.

Confirm this:

You selected this USER-ID:
"Alice Bobdottir <alice@bobdottir.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

The next screen asks you to input a passphrase to protect the key. Use a long but memorable passphrase and store it in a password manager: if you lose it, you will not be able to decrypt secrets or edit the key (for example to extend its expiry) in the future.

Once you confirm your password, the following message appears:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Once this is done, you have generated your OpenPGP key. To find its fingerprint, run:

gpg --fingerprint

One of the first lines consists of 10 blocks of 4 hexadecimal characters: this is your fingerprint, the 40-hex-digit identifier that is globally unique to your key. Its last 16 hex digits are the long key ID, which gpg also accepts wherever a key ID is asked for.

Getting access

Once you have installed the tools, you will need someone to re-encrypt the secrets with your public key.

Give someone your full key ID (the 40-character fingerprint):

gpg --list-keys --fingerprint '<your email address>'

An example of a full key ID is: 06D20CF70AC370DE72F49EDC992939FDD5C5144C

Please also ensure your public key is on a well known keyserver. We suggest keys.openpgp.org as it is known to be reliable:

gpg --keyserver keys.openpgp.org --send-keys '<your key ID>'

keys.openpgp.org will email you a link to verify your address. Until you confirm it, the key can still be fetched by fingerprint or key ID (which is what the commands on this page do) but will not be found by searching for your email address.

Giving Access

The new joiner must first send their GPG key ID (fingerprint) to a current member of the team.

Once the key ID is received, all team members must import the new key from the keyserver:

gpg --keyserver keys.openpgp.org --recv-keys <FINGERPRINT/KEYID>

Then give the key ultimate trust (gpg --edit-key <FINGERPRINT/KEYID>, then trust, 5, save; the same commands are shown in Extend Expired GPG Key below).

To on-board the new GPG key, navigate to the .private directory in the govwifi-terraform project (this is the govwifi-build checkout).

Checkout a new branch in .private:

git checkout -b onboarding_<NAME>_GPG_key

Append the new key ID to the passwords/.gpg-id file (the path is relative to .private, i.e. .private/passwords/.gpg-id from the root of govwifi-terraform); replace <key_id> with the full fingerprint:

echo "<key_id>" >> passwords/.gpg-id

Change directory back to the root project (govwifi-terraform/), then re-encrypt the passwords to every key listed in .gpg-id:

make rencrypt-passwords

make rencrypt-passwords

Note: make commands can only be run from the root project directory.

There are a number of reasons this can fail. A common one is that one of the keys listed in .gpg-id has expired, in which case gpg refuses to encrypt to it. If so, contact the owner of the key and ask them to extend its expiry date and re-upload it to the keyserver (the procedure is in Extend Expired GPG Key below). Once they have done this, fetch their updated key from the keyserver again (as in New members below) and re-run the make target.

Once the secrets have been re-encrypted, use git to add, commit and push the changes in the .private directory.

Raise a PR in the govwifi-build repo on Github. Ask another team member to test the encryption has worked by checking out the PR branch and testing they can decrypt the files using gpg -d.

Extend Expired GPG Key

To extend the expiry of an existing GPG primary key and its sub key (key 1), run the following and answer the prompts; you will be asked for your passphrase:

gpg --list-keys
gpg --edit-key KEYID
> expire
> 2y
> y
> key 1 ## < select the sub key >
> expire
> 2y
> y
> trust
> 5
> save <-- Very important! Nothing is written until you save.

Then upload the updated key to the keyserver:

gpg --keyserver keys.openpgp.org --send-keys KEYID

Export / Backup the key

To keep a backup of your key in a secure location (the exported private key is still protected by your passphrase, but treat the file as a secret):

gpg -a --export KEYID > name.gpg.public
gpg -a --export-secret-keys KEYID > name.gpg.private

Test the new key

To test the new key, encrypt a message to yourself and decrypt it again (a round trip); gpg will prompt for your passphrase on the decrypt step:

echo 'round trip test' | gpg -ea -r KEYID > secret.out
gpg -d secret.out

New members

New members must import all the existing GPG keys listed in passwords/.gpg-id (i.e. .private/passwords/.gpg-id from the root of govwifi-terraform) so that pass can re-encrypt secrets to every team member.

To import one key:

gpg --keyserver keys.openpgp.org --recv-keys <key_id>

If you are a new starter you will have to do this for every team member's key. To speed things up, read all the key IDs out of .gpg-id and pass them to a single --recv-keys command:

# fetch every key listed in .gpg-id in one go
gpg --keyserver keys.openpgp.org --recv-keys $(tr '\n' ' ' < .private/passwords/.gpg-id)

Each imported key then needs to be marked as trusted (trust, 5, save in gpg --edit-key, as in Extend Expired GPG Key above). gpg --import-ownertrust can set trust in bulk, but only if you have an ownertrust file exported from another team member's keyring (gpg --export-ownertrust) to feed it; with no file argument it reads from stdin and will appear to hang.
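Two things go wrong in practice with this list: a malformed entry in .gpg-id (a pasted email address, a truncated fingerprint) that --recv-keys cannot resolve, and a listed key that is expired, revoked or simply absent from your keyring, which makes the re-encryption in Giving Access fail. The following POSIX shell script is an added example for this page and is not part of govwifi-build or govwifi-terraform. It assumes .gpg-id holds one fingerprint or long key ID per line (the format used on this page) and takes a saved gpg --list-keys --with-colons dump as its second argument, so it runs without touching your keyring and can be checked before you run make rencrypt-passwords. The file names and function names are the example's own.

```shell
#!/bin/sh
# Pre-flight check for the recipients listed in .gpg-id. Added example for
# this page; hypothetical helper, not part of govwifi-build.
#
# Usage:
#   gpg --list-keys --with-colons > /tmp/keys.txt
#   sh check-gpg-id.sh .private/passwords/.gpg-id /tmp/keys.txt

# Print the recipients from a .gpg-id file, one per line, upper-cased and with
# any spaces from a "gpg --fingerprint" paste removed. Blank lines and '#'
# comments are skipped. Anything that is not a 40-hex fingerprint or a 16-hex
# long key ID is reported on stderr and makes the function return 1, so a typo
# is caught before it reaches gpg.
gpg_id_recipients() {
    awk '
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*#/ { next }
        {
            id = toupper($0)
            gsub(/[[:space:]]/, "", id)
            if (id ~ /^[0-9A-F]+$/ && (length(id) == 40 || length(id) == 16)) {
                print id
            } else {
                printf("bad .gpg-id entry on line %d: %s\n", NR, $0) > "/dev/stderr"
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Check every recipient against a "gpg --list-keys --with-colons" dump ($2).
# Prints "<recipient> ok|missing|expired|revoked" per line and returns 1 if
# any recipient is unusable. $3 is "now" in epoch seconds (default: date +%s);
# keys that expire within 30 days of it are flagged so the owner can be warned.
check_recipients() {
    ids=$(gpg_id_recipients "$1") || return 1
    now=${3:-$(date +%s)}
    printf '%s\n' "$ids" | awk -v keys="$2" -v now="$now" '
        BEGIN {
            # Index every primary key by fingerprint. A "pub" record carries
            # validity (field 2: "e" expired, "r" revoked), the long key ID
            # (field 5) and expiry (field 7, epoch seconds or empty). The first
            # "fpr" record after it holds the 40-hex fingerprint in field 10;
            # later fpr records belong to subkeys and are ignored.
            while ((getline line < keys) > 0) {
                split(line, f, ":")
                if (f[1] == "pub") { v = f[2]; e = f[7]; k = f[5]; want = 1 }
                else if (f[1] == "fpr" && want) {
                    fpr = f[10]; validity[fpr] = v; expiry[fpr] = e
                    byid[k] = fpr; want = 0
                }
            }
            close(keys)
        }
        NF == 0 { next }
        {
            # A 16-hex entry is resolved to its primary fingerprint.
            fpr = ($1 in byid) ? byid[$1] : $1
            if (!(fpr in validity)) { print $1, "missing"; bad = 1; next }
            if (validity[fpr] == "r") { print $1, "revoked"; bad = 1; next }
            if (validity[fpr] == "e" || (expiry[fpr] != "" && expiry[fpr] + 0 <= now + 0)) {
                print $1, "expired"; bad = 1; next
            }
            if (expiry[fpr] != "" && expiry[fpr] - now < 30 * 86400)
                print $1, "ok (expires in " int((expiry[fpr] - now) / 86400) " days)"
            else
                print $1, "ok"
        }
        END { exit (bad ? 1 : 0) }'
}

if [ $# -eq 2 ]; then
    check_recipients "$1" "$2"
fi
```

A non-zero exit from check_recipients means make rencrypt-passwords would fail, and the output names the key whose owner you need to chase. gpg_id_recipients on its own also gives a validated list to substitute into the --recv-keys command above in place of the tr pipeline.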

Getting a secret

Throughout the documentation there will be references to specific secrets stored within the password store.

To read individual secrets, run the command:

PASSWORD_STORE_DIR=<password_store_dir> pass show <secret_name>

where:

  1. <password_store_dir> is the path of the passwords directory of the govwifi-build repository on your local machine.

  2. <secret_name> is the path of the secret that you want to display. You can omit this to get a list of all secret paths.

For example, if you want to access the Staging Bastion SSH Key:

PASSWORD_STORE_DIR=.private/passwords pass show keys/govwifi-staging-bastion-key

Adding/Editing a secret

Use pass to edit a secret. You can run this from any directory as long as PASSWORD_STORE_DIR points at the store; <secret_name> is the path of the secret relative to that directory:

PASSWORD_STORE_DIR=<password_store_dir> pass edit <secret_name>

Example:

PASSWORD_STORE_DIR=~/govwifi-build/passwords pass edit your_secret.txt

Make your changes and save them. pass re-encrypts the file automatically to every key listed in .gpg-id, provided all of those public keys are in your keyring, trusted and not expired.

This page was last reviewed on 7 August 2025. It needs to be reviewed again on 7 February 2026 by the page owner #govwifi .