Posts

Showing posts with the label data key

Mozilla SOPS: Secrets OPerationS

I wrote a blog post about managing secrets in GitLab / Git some time ago, where I touched on sops. Today, I am going to write more about this tool. sops is useful when you want to encrypt your data and keep it somewhere securely. Why is it so secure? Because it uses envelope encryption. This way you can keep your encrypted data and the encrypted data key (which is needed to decrypt your data) in the same file. So, when everything is encrypted you can store it anywhere, for example in your git repository. How does it work? sops generates a data key, and this data key is used to encrypt and decrypt your data. So, how is your data key itself encrypted? 🤔 By your KMS or PGP master key (or both of them, or even more: sops supports AWS KMS, GCP KMS, Azure Key Vault and PGP). As you can see, sops only touches your data key and your data. With your master/wrapping key you encrypt and decrypt your data key. By default, you can encrypt and decrypt your data key with each master key. Bu

AWS KMS - Basic concepts

Firstly, what is it? AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control customer master keys (CMKs), the encryption keys used to encrypt your data. AWS KMS CMKs are protected by hardware security modules (HSMs) that are validated by the FIPS 140-2 Cryptographic Module Validation Program, except in the China (Beijing) and China (Ningxia) Regions. So, with AWS KMS you can store your customer master keys securely. What are customer master keys (CMKs) then? A customer master key is the primary resource in AWS KMS (so it has its own ARN). It is a logical representation of a master key. You can create symmetric and asymmetric CMKs. CMKs never leave AWS infrastructure unencrypted. No one at AWS has access to these keys, only you. Your master keys are stored in such devices (hardware security modules, HSMs). You can read more about the cryptographic details here. Okay, so what can you do with AWS KMS? AWS managed CMKs Using AWS managed C