Skip to content

Offboard a departing team member

Remove a leaving teammate’s GPG key from every vault they could read and rotate the secrets they had access to.

  1. Inventory. List every secret whose recipient list includes the leaver’s fingerprint:

    Terminal window
    LEAVER_FP="ABCD1234..." # the 40-char fingerprint
    for v in $(dotsecenv vault describe --json | jq -r '.[].vault'); do
    dotsecenv vault describe --json -v "$v" \
    | jq -r --arg fp "$LEAVER_FP" \
    '.[].secrets[] | select((.available_to // []) | index($fp)) | .key'
    done

    Order the worklist by blast radius: production credentials first.

  2. Revoke from every secret. secret revoke takes one secret name per call, so loop over the key list that secret get (no arguments) prints.

    Terminal window
    for s in $(dotsecenv secret get); do
    dotsecenv secret revoke "$s" "$LEAVER_FP" --all
    done
  3. Verify. Re-run the inventory from step 1. The output should be empty.

    Terminal window
    dotsecenv vault doctor
  4. Rotate at the source. Generate a new credential at the originating system (database, IDP, cloud provider, API issuer) and store it. Production-critical first.

    Terminal window
    echo "<new-value>" | dotsecenv secret store SECRET_NAME
  5. Commit.

    Terminal window
    git add path/to/vault
    git commit -m "Offboard <name>: revoke $LEAVER_FP, rotate N secrets"
Symptom Cause Fix
secret revoke NAME ... says “no matching secret” The name is misspelled or absent from this vault List exact names with dotsecenv secret get (no args) and revoke those
vault describe is missing a vault you expected Vault path not in vault: config, or blocked by policy Add it with -v once, or list it under vault: in ~/.config/dotsecenv/config.yaml
Decrypt failure when rotating Your own login fingerprint was accidentally revoked from this secret dotsecenv secret share SECRET YOUR_FP --all, then re-run secret store
Revoke succeeds in some vaults, fails in others A vault file is read-only or owned by another user Run revoke per vault with -v and a writeable path
Leaver’s fingerprint is not in your keyring Public key was never imported, or expired and was purged Revoke works without the public key; you only need the fingerprint string
  • Erase a leaked entry from the vault file. Append-only by design. Rewriting git history with git filter-repo is possible, but anyone who already cloned the repo still has the old data and the leaver’s key still decrypts it.
  • Re-encrypt an existing entry to a different recipient set. secret share and secret revoke only affect future writes. Source rotation is the only fix.
  • Recall a value the leaver memorized or saved elsewhere. Rotating the underlying credential makes that knowledge worthless.