Mozilla SOPS: Secrets OPerationS

I wrote a blog post about managing secrets in GitLab / Git some time ago, where I touched sops. Today, I am going to write more about this tool.

sops is useful when you want to encrypt your data and keep it somewhere securely. Why is it so secure? Because it uses envelope encryption. This way you can keep your encrypted data and encrypted data key (which is needed to decrypt your data) in the same file. So, when everything is encrypted you can store it anywhere, for example in your git repository.

How it works?

sops generates a data key and this data key is used to encrypt and decrypt your data. So, how then is your data key encrypted? 🤔 By your KMS or PGP master key (or both of them, or even more... sops supports AWS KMS, GCP KMS, Azure Key Vault and PGP).

As you can see, sops only touches your data key and your data. With your master/wrapping key you encrypt and decrypt your data key.

By default, you can encrypt and decrypt your data key by each master key. But, you can use key groups if you want to be more secure (sops uses Shamir's Secret Sharing algorithm under the hood to split the data key). Using key groups, sops splits data key into parts. Each key group encrypts and decrypts only a part of data key:

So, what is going on here? There are three key groups. Each of them encrypts and decrypts only a part of data key. In order to decrypt a file, you must decrypt data key firstly, and each key group can decrypt only a part of it. So, to decrypt the data key you have to decrypt all the parts (by default) and then merge them (it is not exactly merging, but you get the idea). Each master key in the key group can decrypt a part of the data key. So, in this example, in key group 1, you need to have access to only one of the master keys to decrypt this part of data key. The same is for another key groups. You only need one master key within each key group to decrypt this part of data key.

You can also create five key groups and set threshold to 3. This way, you only need access to any 3 key groups to decrypt a file (Shamir's Secrets Sharing algorithm).

As I wrote, key groups are optional and in most cases you do not need to use them.

Key rotation

If you think, that your data key leaked you can renew your data key; it is also a good practice to do that on a regular basis. Sops will create a new data key, and encrypt data with this new data key. You just need to type: sops -r file-with-secrets.yaml.

Examples

Okay, I think that you understand basics. Now let's see some examples.

First example

In the first example I am going to use my PGP key.

I added my fingerprint (from PGP key) to .sops.yaml file. This way I tell sops that I want to encrypt and decrypt data key with this master keySops encrypted the data key with my public key, and data in a file has been encrypted by data key. Only someone who has access to my private key can decrypt the data key, and then using this data key, the data can be decrypted.

Second example

In this example, I am going to use two PGP keys. Let's say that I'm working with someone and I have access to their public key.

Using two PGP keys, the same data key is encrypted two times (separately). Once by the public key of my colleague and once by mine. Thus, there are two records in sops.pgp section. To decrypt the file I only need my private key. The same way, if my colleague needs to decrypt the file, they only need their private key.

In this way, if I die (or lose my private key...), my colleague still will be able to decrypt the file. So, it is always a good idea to encrypt your data key with more master keys than one ☝️.

Third example

In this example, I am going to show you key groups. There will be three key groups with one master key in each of them.

Let's say that we have three developers. And, to decrypt the file we need at least two of them. I can set threshold to 2 (by default, it would be 3). So, in order to decrypt data key, we need at least two different developers (I assume that each developer has access to only his private key).

In this way, in order to decrypt the file there always must meet at least two developers. So, it might be useful when you have something very very secret 🤫. There is a limit for 256 key groups 😅.

Decryption

Okay, so I have the encrypted file. I can type sops example-secret.yaml and see the content. But, what if I want to use it in my scripts? And I need access to a specific key.

Let's say that I want to get a password for redis and put it to an environment variable. How can I do that? Firstly, I have to tell sops that I want to decrypt the file (--decrypt flag). Secondly, I need to provide what exactly I want to extract (--extract flag):

So, when I know how to extract a specific value, then I can put it to my environment variable:

And that's it! There is a lot more stuff you can do with sops of course. But, my goal in this post was to introduce this tool to you. And I hope, I achieved that. Let me know if it was useful!

And here is a video if you do not want to ready this post:


 

Comments

Post a Comment

Popular posts from this blog

GitLab - extends keyword

Image
In the previous post I had written about the include keyword. Now, let's dive in the extends  keyword. What can you do with this? Here is the definition from GitLab documentation: extends defines entry names that a job that uses extends inherits from. It’s an alternative to using YAML anchors and is a little more flexible and readable. So, when is it useful? It is useful when you want to be DRY and keep your setup cleanly. Let's assume that you want to build a docker image and give developers possibility to deploy the image on dev , staging and prod environments. We are going to do that without the extends keyword, and after that we will think how we can do it better. Example without the extends  keyword: As you can see, there is a lot of code which repeats itself: stage, image, when  and script . We can remove a lot of code! So, let's do that. We are going to create a hidden job .deploy  (you will not see this job in a pipeline) and the rest of the jobs will in
Read more

GitLab - trigger keyword

Image
 We are going to talk about the trigger keyword today. With this feature you can define a downstream pipeline trigger. So, you can trigger a pipeline in any project (you must have access to this project of course). There are two types of downstream pipelines: multi-project pipelines child pipelines  Let's omit child pipelines and have a look at multi-project pipelines. It is very easy to use. You just need to provide a path to the project and that's it. Remember that you only can trigger a pipeline, not a job ! You can also provide more information like environment variables. As always, I am going to provide some examples, so you will understand it better. The first example: you want to trigger a pipeline in another project after the deployment of your service/s. How to do that? Here we want to trigger this pipeline (project my/run-tests ). Let's say that we want to run some tests after each deployment: We need to add the job which will trigger this pipeline in my/run-
Read more

Managing Secrets in GitLab / Git

Image
Let's say that you have to log in via ssh into an instance, and you work with GitLab, so you want to keep the private key in GitLab somewhere. Is it secure? Let's see! Custom environment variables You can use custom environment variables. Here you can read more about them (Developers cannot change them, only Maintainers and Owners can). There are two types of variables: Variable (the runner creates an environment variable that uses the key for the name and the value for the value) File (the runner creates an environment variable that uses the key for the name. For the value, the runner writes the variable value to a temporary file and uses this path) It seems that we can use File type for our purpose. We can set up it via API or UI . So, let's do that! Go to project's Settings > CI/CD . There will be Variables section (btw, you can specify variables also per group and even for all projects (in admin panel)). Click Add Variable button and add a variable: Key:
Read more