Rotate a compromised GPG key
Remove a compromised private key from every vault it could read and rotate the underlying secrets at their source. Applies whether the compromised key is yours or a teammate’s.
Runbook
Section titled “Runbook”-
Generate or import a replacement identity. If the compromised key is yours, generate a new pair (
gpg --full-generate-key), publish the new public key, and have each teammate import it. -
Revoke the compromised fingerprint from every affected secret.
secret revoketakes one secret name per call, so loop over the key list thatsecret get(no arguments) prints.Terminal window for s in $(dotsecenv secret get); dodotsecenv secret revoke "$s" <COMPROMISED_FP> --alldone -
Add the replacement recipient.
Terminal window dotsecenv secret share <SECRET_NAME> <NEW_FP> --all -
Rotate each affected secret at its source. Generate a new credential at the originating system (database, IDP, cloud provider, API issuer) and store it. This is what neutralizes the compromise.
Terminal window echo "<new-value>" | dotsecenv secret store <SECRET_NAME> -
Verify. Every current secret should list the new key as a recipient and not the compromised one.
Terminal window dotsecenv vault doctordotsecenv vault describe -
Commit.
Terminal window git add path/to/vaultgit commit -m "Rotate compromised key <COMPROMISED_FP>, rotate N secrets"
Blast radius: repo-scoped vs org-wide keys
Section titled “Blast radius: repo-scoped vs org-wide keys”The scope of the compromised key sets the scope of the rotation. A repo-scoped CI key (GPG_PRIVATE_KEY) only decrypts one repository’s vault, so revoke, re-share, and source-rotate stay contained to that repo. An org-wide key (ORG_GPG_PRIVATE_KEY) decrypts every vault that listed it as a recipient, so you must run the runbook against each affected repo: revoke the fingerprint, share the replacement, rotate the secret at its source, and commit in every one. Track the full list before you start so none are missed. See Key Scope for the trade-offs.
What you cannot do
Section titled “What you cannot do”- Erase a leaked entry from the vault file. Append-only by design. Rewriting
githistory withgit filter-repois possible, but anyone who already cloned the repo still has the old data and the compromised key still decrypts it. - Re-encrypt an existing entry to a different recipient set.
secret shareandsecret revokeonly affect future writes. Source rotation is the only fix.
See also
Section titled “See also”- Runbook: Offboard a Departing Team Member
- Tutorial: Revoke Access
- Concept: Vault Format — append-only semantics
- Concept: Key Scope
- Concept: Threat Model
- Runnable example:
examples/02-team-share-revoke/
