
Create encryption keys

The workflow uses age to encrypt the Terraform plan together with the entire Terraform working directory, stores the encrypted bundle as a GitHub Actions artifact, and passes that artifact between the plan and apply jobs in the workflow.

Why is this necessary?

Using an artifact makes it possible to have deployment protection rules (approvals) invoked between the plan and apply stages. Since anyone with read access to the repository can download the artifact, it's important to encrypt it.

Step 1: Install

Install age:

brew install age

Step 2: Generate keys

Generate an encryption key:

age-keygen > "$AGE_KEY_FILE"

Step 3: Set repository secrets

Use age-keygen together with gh to store the secret key file and the public key derived from it as repository secrets:

cat "$AGE_KEY_FILE" | gh secret set --repo "$IAC_REPO" AGE_SECRET_KEY
age-keygen -y "$AGE_KEY_FILE" | gh secret set --repo "$IAC_REPO" AGE_PUBLIC_KEY

Step 4: Save in 1Password

Add the keys to your team's 1Password vault. Copy the secret key, then the public key, to the clipboard using the commands for your platform:

macOS (pbcopy):

cat "$AGE_KEY_FILE" | pbcopy
age-keygen -y "$AGE_KEY_FILE" | pbcopy

Linux, X11 (xclip):

cat "$AGE_KEY_FILE" | xclip -selection clipboard
age-keygen -y "$AGE_KEY_FILE" | xclip -selection clipboard

Linux, Wayland (wl-copy):

cat "$AGE_KEY_FILE" | wl-copy
age-keygen -y "$AGE_KEY_FILE" | wl-copy

Step 5: Delete the key file

Delete the key file when you're done:
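The five steps above as one script, added here as an example and not part of the project's own tooling. It assumes IAC_REPO holds the repository as owner/name, that age, age-keygen and gh are on PATH when the publish flow runs, and it uses a mktemp path instead of $AGE_KEY_FILE so that Step 5 (deleting the key file) happens through a trap even if an earlier step fails. It goes beyond the page in two places: the clipboard step picks pbcopy, wl-copy or xclip by what is installed, and the key pair is round-tripped through age before it is published. The --publish flag and the helper function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not the project's own tooling: Steps 1-5 above as one script.
# Assumes IAC_REPO holds "owner/name" and that age, age-keygen and gh are on
# PATH when the publish flow runs; the helper functions need none of them.
set -eu

# age-keygen writes the public key as a "# public key: age1..." comment above
# the secret line, so it can be read back without the age binary.
age_public_key_from_file() {
    sed -n 's/^# public key: //p' "$1"
}

# The secret key is the single non-comment line of the key file.
age_secret_key_from_file() {
    grep '^AGE-SECRET-KEY-' "$1"
}

# True only if the key file is unreadable by group and others (GNU or BSD stat).
key_file_is_private() {
    mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Step 4 helper: the page's three clipboard commands, selected by platform.
clipboard_copy() {
    if command -v pbcopy >/dev/null 2>&1; then pbcopy                      # macOS
    elif command -v wl-copy >/dev/null 2>&1; then wl-copy                  # Wayland
    elif command -v xclip >/dev/null 2>&1; then xclip -selection clipboard # X11
    else printf 'no clipboard tool found\n' >&2; return 1
    fi
}

create_and_publish_keys() {
    repo="$1"
    umask 077                                   # key file is created 0600
    key_file="$(mktemp)"                        # hypothetical path; Step 5 removes it
    trap 'rm -f "$key_file"' EXIT INT TERM      # Step 5 runs even on failure

    age-keygen > "$key_file"                    # Step 2
    key_file_is_private "$key_file"
    pub="$(age_public_key_from_file "$key_file")"

    # Round-trip check before anything leaves the machine: a key pair that
    # cannot decrypt its own ciphertext must never become a repository secret.
    printf 'probe' | age -r "$pub" | age -d -i "$key_file" | grep -q '^probe$'

    # Step 3: the whole key file (as on the page) becomes AGE_SECRET_KEY. Both
    # values go in on stdin, so neither appears in an argument list or history.
    gh secret set --repo "$repo" AGE_SECRET_KEY < "$key_file"
    printf '%s\n' "$pub" | gh secret set --repo "$repo" AGE_PUBLIC_KEY

    # Step 4: secret key to the clipboard first, public key after confirmation.
    clipboard_copy < "$key_file"
    printf 'secret key is on the clipboard; paste it into 1Password, then press Enter\n' >&2
    read -r _ignored
    printf '%s\n' "$pub" | clipboard_copy
    printf 'public key is on the clipboard\n' >&2
}

# Run the publish flow only when asked, so the file can be sourced for its helpers.
if [ "${1:-}" = "--publish" ]; then
    create_and_publish_keys "${IAC_REPO:?set IAC_REPO to owner/name}"
fi
```

Run it as `IAC_REPO=owner/name sh create-keys.sh --publish`. The umask and the permission check are there because age-keygen itself only warns about a world-readable key file; the trap makes sure the file is gone whether the script finishes, fails, or is interrupted.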