Document using subkeys with GnuPG.

felixfontein · felixfontein · commit 73ee3e581d53 · 2025-01-02T16:23:55.000+01:00
Converted from getsops/sops@9dbbc77 Signed-off-by: Felix Fontein <felix@fontein.de>
diff --git a/content/en/docs/_index.md b/content/en/docs/_index.md
@@ -203,6 +203,22 @@ can use the example files and pgp key provided with the repository:
 
 This last step will decrypt `example.yaml` using the test private key.
 
+## Encrypting with GnuPG subkeys
+
+If you want to encrypt with specific GnuPG subkeys, it does not suffice to provide the
+exact key ID of the subkey to SOPS, since GnuPG might use *another* subkey instead
+to encrypt the file key with. To force GnuPG to use a specific subkey, you need to
+append `!` to the key's fingerprint.
+
+``` yaml
+creation_rules:
+    - pgp: >-
+        85D77543B3D624B63CEA9E6DBC17301B491B3F21!,
+        E60892BB9BD89A69F759A1A0A3D652173B763E8F!
+```
+
+Please note that this is only passed on correctly to GnuPG since SOPS 3.9.3.
+
 ## Encrypting using age
 
 [age](https://age-encryption.org/) is a simple, modern, and secure tool
