Document using subkeys with GnuPG.

Signed-off-by: Felix Fontein <felix@fontein.de>
2026-02-05 12:45:21 +01:00 · 2024-12-24 22:55:16 +01:00
parent 6ce9d663c8
commit 9dbbc77a0e
1 changed files with 16 additions and 0 deletions
--- a/README.rst
+++ b/README.rst
@@ -188,6 +188,22 @@ the example files and pgp key provided with the repository::

 This last step will decrypt ``example.yaml`` using the test private key.

+Encrypting with GnuPG subkeys
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you want to encrypt with specific GnuPG subkeys, it does not suffice to provide the
+exact key ID of the subkey to SOPS, since GnuPG might use *another* subkey instead
+to encrypt the file key with. To force GnuPG to use a specific subkey, you need to
+append ``!`` to the key's fingerprint.
+
+.. code:: yaml
+
+    creation_rules:
+        - pgp: >-
+            85D77543B3D624B63CEA9E6DBC17301B491B3F21!,
+            E60892BB9BD89A69F759A1A0A3D652173B763E8F!
+
+Please note that this is only passed on correctly to GnuPG since SOPS 3.9.3.

 Encrypting using age
 ~~~~~~~~~~~~~~~~~~~~