Not sure the "right" way to do it. But this is what we did:
For context: We run a centralised salt-master; the salt master decrypts content using gpg filters as part of variable generation (salt "pillars"). So it's encrypted at rest and encrypted in our git repositories.
What we do/did, is:
* grab a pair of differently branded USB sticks.
* LUKS encrypt the USB sticks; we used a keyfile which is encrypted on our machines with our GPG key.
* encrypt salt's GPG private key with all of our keys.
* encrypt some of the "irreplaceable" private keys (i.e. CA roots) with all of our GPG keys.
* store it all on the pair of USB drives
* put the USB drives in a real-life vault, give the keys to the office team.
We haven't needed to recover, but it's clearly documented how to recover if anything went wrong.
It'd be better to take a page out of the cryptocurrency handbook and print the keys out as QR codes (maybe with a simple password so it can only be restored if you know the pw).
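The escrow procedure described above, written out as a shell runbook. This is an added example, not the post author's script: it assumes the team's GPG fingerprints are supplied in `TEAM_FPRS` (the two values below are constructed placeholders), that the USB stick is passed as a block device path, and that the Salt master's secret key is exported with `gpg --export-secret-keys`. The GPG-encrypted copy of the LUKS keyfile stays with the team (for instance in the ops repository), exactly as the post describes; only the encrypted key material goes onto the stick, together with a SHA-256 manifest so a future restore can detect media rot before anyone trusts the contents.

```shell
#!/bin/sh
# Added example (not the original poster's code): offline escrow of a Salt
# master's GPG key and other irreplaceable secrets onto a LUKS-encrypted stick.
set -eu

# Constructed placeholder fingerprints; replace with the real team keys.
TEAM_FPRS="${TEAM_FPRS:-0000000000000000000000000000000000000001 0000000000000000000000000000000000000002}"

# Turn a whitespace-separated list of fingerprints into gpg --recipient args,
# so every backup is encrypted to every team member's key.
recipient_args() {
  args=""
  for fpr in $1; do
    args="$args --recipient $fpr"
  done
  printf '%s' "${args# }"
}

# Number of recipients; a restore plan should refuse a backup encrypted to
# fewer keys than the team has (one lost laptop must not mean lost escrow).
recipient_count() {
  set -- $1
  echo "$#"
}

# Create a random LUKS keyfile and encrypt it to all team keys. The raw file
# is only needed while formatting; the .gpg copy is what the team keeps.
make_keyfile() {
  out="$1"
  dd if=/dev/urandom of="$out.raw" bs=64 count=1 status=none
  gpg --encrypt --armor $(recipient_args "$TEAM_FPRS") --output "$out.gpg" "$out.raw"
}

# Format the stick as LUKS2 with the raw keyfile and mount it (needs root).
luks_setup() {
  dev="$1"; keyfile="$2"
  cryptsetup luksFormat --type luks2 --batch-mode --key-file "$keyfile" "$dev"
  cryptsetup open --key-file "$keyfile" "$dev" escrow
  mkfs.ext4 -q /dev/mapper/escrow
  mkdir -p /mnt/escrow && mount /dev/mapper/escrow /mnt/escrow
}

# Export the Salt master's secret key and encrypt it to all team keys.
escrow_salt_key() {
  salt_fpr="$1"; dest="$2"
  gpg --export-secret-keys --armor "$salt_fpr" \
    | gpg --encrypt --armor $(recipient_args "$TEAM_FPRS") \
          --output "$dest/salt-master-secret.asc.gpg"
}

# Write a SHA-256 manifest of everything on the stick except the manifest itself.
write_manifest() {
  dir="$1"
  (cd "$dir" && find . -type f ! -name MANIFEST.sha256 -print0 \
     | sort -z | xargs -0 sha256sum > MANIFEST.sha256)
}

# Verify the manifest; exit status 0 only if every file still matches.
verify_manifest() {
  dir="$1"
  (cd "$dir" && sha256sum --quiet --check MANIFEST.sha256)
}

# Usage (as root): ./escrow.sh run /dev/sdX <salt-master-key-fingerprint>
if [ "${1:-}" = "run" ]; then
  stick="$2"; salt_fpr="$3"
  make_keyfile /root/escrow-key
  luks_setup "$stick" /root/escrow-key.raw
  escrow_salt_key "$salt_fpr" /mnt/escrow
  write_manifest /mnt/escrow
  verify_manifest /mnt/escrow
  # The raw keyfile must not outlive the formatting step; /root/escrow-key.gpg is the escrow copy.
  shred -u /root/escrow-key.raw
  umount /mnt/escrow && cryptsetup close escrow
fi
```

Run the `run` branch once per stick so the pair are formatted with the same keyfile, then store `escrow-key.gpg` with the team rather than on the sticks; a restore is `gpg --decrypt escrow-key.gpg > key.raw && cryptsetup open --key-file key.raw /dev/sdX escrow`, followed by `verify_manifest` before any of the recovered keys are trusted.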