Deploy GPG Keypairs with Reis (YAML Mode)
GPG keypairs can be declared in your bahriya.yml file under the vaults section and applied with reis apply.
Updated 23 Jun 2026
YAML structure

    vaults:
      gpg_keypairs:
        signing-key:
          name: Artifact Signing Key
          public_key: "{{ file:./keys/signing.pub.asc }}"
          private_key: "{{ file:./keys/signing.sec.asc }}"

The {{ file:./path }} helper reads the file content at apply time, so you can keep your key files separate from the YAML declaration.
Attaching to a project

    projects:
      production:
        attachments:
          vaults:
            gpg_keypairs: [signing-key]

Wiring to a container
Once attached to a project, reference the keypair in a container definition:

    containers:
      api:
        project: production
        image: ghcr.io/myorg/api:latest
        vaults:
          gpg_keypairs:
            - handle: signing-key
              mountpath: /etc/gpg

The key files are mounted as public_key and private_key under the specified mount path.
Rotation
To rotate, update the key files on disk and run reis apply again. A new version is created and marked current. Previous versions are retained for rollback.
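
Because the {{ file:./path }} helper reads whatever is on disk at apply time, and rotation means replacing those files, a check before reis apply catches a missing file, swapped public and private files, or a private key readable by other users. The following is an added example, not part of Reis: check_key_refs and demo are hypothetical names, it scans lines with a regex rather than parsing YAML, and it assumes paths resolve relative to the directory holding bahriya.yml.

```python
import os, re, stat, tempfile
from pathlib import Path

# Matches e.g.  private_key: "{{ file:./keys/signing.sec.asc }}"
REF = re.compile(r'^\s*(public_key|private_key):\s*"?\{\{\s*file:(\S+?)\s*\}\}"?\s*$')
ARMOR = {"public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----",
         "private_key": "-----BEGIN PGP PRIVATE KEY BLOCK-----"}

def check_key_refs(yaml_text, base_dir):
    """Return findings for key files referenced via {{ file:... }}."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = REF.match(line)
        if not m:
            continue
        field, rel = m.groups()
        path = os.path.join(base_dir, rel)  # assumption: relative to the YAML's directory
        if not os.path.isfile(path):
            findings.append(f"line {lineno}: {field} file not found: {rel}")
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            first = fh.readline().strip()
        if first != ARMOR[field]:  # catches swapped or non-armored files
            findings.append(f"line {lineno}: {rel} is not an armored PGP {field}")
        if field == "private_key" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"line {lineno}: {rel} is accessible to group/other")
    return findings

# Constructed sample mirroring the declaration above.
SAMPLE = '''vaults:
  gpg_keypairs:
    signing-key:
      name: Artifact Signing Key
      public_key: "{{ file:./keys/signing.pub.asc }}"
      private_key: "{{ file:./keys/signing.sec.asc }}"
'''

def demo(sec_mode=0o644, swap=False):
    """Build throwaway key files (dummy bodies, not real keys) and check SAMPLE."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "keys"))
        kinds = ["private_key", "public_key"] if swap else ["public_key", "private_key"]
        for name, kind in zip(["signing.pub.asc", "signing.sec.asc"], kinds):
            p = Path(d, "keys", name)
            p.write_text(ARMOR[kind] + "\n(constructed dummy body)\n")
            p.chmod(sec_mode if name.endswith(".sec.asc") else 0o644)
        return check_key_refs(SAMPLE, d)

if __name__ == "__main__":
    print("\n".join(demo()) or "ok")
```

Run it against the real file with check_key_refs(open("bahriya.yml").read(), ".") and stop before reis apply if the list is not empty.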