opencenter secrets keys revoke
Revoke encryption keys for users or compromised keys
Synopsis
Revoke encryption keys to remove access for departed team members or compromised keys.
This command provides three revocation modes:

- Revoke by user (--user):
  - Removes all keys associated with a user email
  - Re-encrypts all secrets without the user's keys
  - Logs revocation event to audit log
- Revoke by fingerprint (--key):
  - Removes a specific key by fingerprint
  - Re-encrypts all secrets without the revoked key
  - Useful for revoking individual compromised keys
- Emergency revocation (--emergency):
  - Immediately revokes the specified key
  - Generates a new primary key
  - Re-encrypts all secrets with the new key
  - Use when a key is compromised and immediate action is needed

The revocation process:

- Validates that at least one key will remain active
- Removes the revoked key from .sops.yaml
- Re-encrypts all manifests without the revoked key
- Updates key registry with revocation details
- Logs the revocation event for audit trail
If no cluster name is provided, uses the currently active cluster.
opencenter secrets keys revoke [flags]
Examples
# Revoke all keys for a user
opencenter secrets keys revoke --cluster my-cluster --user user@example.com
# Revoke a specific key by fingerprint
opencenter secrets keys revoke --cluster my-cluster --key age15n3dugqfej2hk8cqz2kcx78v6lxwllk5gruu4ermz2hu539xrgwq0w7dyn
# Emergency revocation (generates new key immediately)
opencenter secrets keys revoke --cluster my-cluster --key <fingerprint> --emergency
# Preview revocation without making changes
opencenter secrets keys revoke --cluster my-cluster --user user@example.com --dry-run
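The following Python is an added illustration of the revocation process listed in the synopsis; it is not opencenter's own code and does not call opencenter or sops. It assumes a .sops.yaml-shaped config with age recipients (stored here as a list, while the real file uses a comma-separated string), a constructed key registry that maps fingerprints to owner emails, and constructed manifest paths. Re-encryption is represented by the list of manifests that would need rewriting; the `replacement_key` parameter stands in for the new primary key that --emergency generates.

```python
"""Model of the key-revocation steps: validate that a key remains, drop the
revoked recipient from .sops.yaml, list manifests to re-encrypt, update the
registry, and emit audit events. Constructed data throughout."""
import copy
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed age recipients (real ones are bech32 strings starting with age1).
ALICE_KEY = "age1alice0000000000000000000000000000000000000000000000constructed"
BOB_KEY = "age1bob00000000000000000000000000000000000000000000000000constructed"

# Constructed stand-in for .sops.yaml; recipients kept as a list for clarity.
SOPS_CONFIG = {
    "creation_rules": [
        {"path_regex": r"manifests/.*\.yaml", "age": [ALICE_KEY, BOB_KEY]},
    ]
}

# Constructed key registry: fingerprint -> owner and status.
KEY_REGISTRY = {
    ALICE_KEY: {"owner": "alice@example.com", "status": "active"},
    BOB_KEY: {"owner": "bob@example.com", "status": "active"},
}

# Constructed manifest paths that the creation rule above covers.
MANIFESTS = ["manifests/db-credentials.yaml", "manifests/api-token.yaml"]


class RevocationError(ValueError):
    """A revocation that would leave the cluster with no usable key."""


@dataclass
class RevocationPlan:
    revoked: list     # fingerprints being removed
    added: list       # replacement key, only in emergency mode
    remaining: list   # active keys after the change
    reencrypt: list   # manifests that must be re-encrypted


def plan_revocation(registry, manifests, *, user=None, key=None, replacement_key=None):
    """Step 1: resolve target keys and refuse if none would remain active.

    Exactly one of `user` (every key owned by that email) or `key` (one
    fingerprint) selects the targets. `replacement_key` models --emergency:
    the new key is counted as active before the old one is dropped.
    """
    if (user is None) == (key is None):
        raise ValueError("specify exactly one of user= or key=")
    active = [fp for fp, entry in registry.items() if entry["status"] == "active"]
    targets = [fp for fp in active if fp == key or registry[fp]["owner"] == user]
    if not targets:
        raise RevocationError("no active key matches the request")
    added = [replacement_key] if replacement_key else []
    remaining = [fp for fp in active if fp not in targets] + added
    if not remaining:
        raise RevocationError("refusing: revocation would leave no active key")
    return RevocationPlan(targets, added, remaining, list(manifests))


def apply_revocation(config, registry, plan, *, dry_run=False, now=None):
    """Steps 2-5: rewrite recipients, mark the registry, emit audit events.

    Returns (new_config, new_registry, audit_events). With dry_run=True the
    inputs are returned untouched and the events are flagged as a preview.
    """
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    events = [
        {"ts": stamp, "action": "revoke", "fingerprint": fp,
         "owner": registry[fp]["owner"], "dry_run": dry_run}
        for fp in plan.revoked
    ]
    if dry_run:
        return config, registry, events

    new_config = copy.deepcopy(config)
    for rule in new_config["creation_rules"]:
        rule["age"] = [fp for fp in rule["age"] if fp not in plan.revoked] + plan.added

    new_registry = copy.deepcopy(registry)
    for fp in plan.revoked:
        new_registry[fp].update(status="revoked", revoked_at=stamp)
    for fp in plan.added:
        # Constructed owner label for the generated primary key.
        new_registry[fp] = {"owner": "cluster-primary", "status": "active"}
    return new_config, new_registry, events


if __name__ == "__main__":
    plan = plan_revocation(KEY_REGISTRY, MANIFESTS, user="alice@example.com")
    cfg, reg, log = apply_revocation(SOPS_CONFIG, KEY_REGISTRY, plan)
    print("recipients now:", cfg["creation_rules"][0]["age"])
    print("re-encrypt:", plan.reencrypt)
    print("audit:", log)
```

The "at least one key remains" check is what separates a revocation from a lockout, which is why the model refuses in `plan_revocation` before anything is rewritten, and why `--emergency` counts the replacement key as active before the compromised one is removed. Re-encrypting stops the revoked key from decrypting future reads, but anyone who already decrypted a manifest with it still holds that plaintext, so the underlying secret values should be rotated as well.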