Sops: Simple and flexible tool for managing secrets

Useful links

• Github: github.com/mozilla/sops

Overview

sops (Secrets OPerationS) is a tool used to encrypt/decrypt YAML, JSON, BINARY, ENV files. It supports these operations using AWS KMS, GCP KMS, Azure Key Vault, age and good ol’ PGP.

With sops we can encrypt files containing sensitive data and store/version them in Git. We can also extend by uploading the secret key to our favourite CI/CD tool to automate decryption.

Here are some basic usecases of sops:

• manage Kubernetes secrets. This can done easily with vanilla sops or the use of helm-secrets plugin that uses sops as backend
• manage Terraform IaC secrets with terraform-sops plugin

Key points

1. To encrypt a file, we specify the KMS resource identifier (eg AWS ARN, GCP resource ID) or public key fingerprint (eg Age, PGP)
2. sops encrypts all the values in YAML/JSON file and also appends a metadata section at the end of the encrypted output
3. To be precise, sops generate a random 256 bit “data” key encrypted by KMS or PGP “master” key
4. Similarly, to decrypt we need to have access to the KMS resource or the actual Age/PGP “master” key that was used to encrypt “data” key
5. sops supports encrypting with multiple “master” keys. By default it allows decryption using any of the “master” keys available, making it easy to manage and share secrets with team members
6. However, in some scenarios it is sometimes desirable to require access to multiple “master” keys in order to decrypt file. This can be achieved in sops by using the concept of “key groups”. Under the hood, sops uses Shamir’s Secret Sharing and this enables us to specify a number of minimum number of “master” keys in order to decrypt the file successfully
7. sops also supports using an easy one-liner to rotate either the “data” or “master” key. Making life easier when we want to remove users’ access or address compromised keys

Installation

Download the latest binary/executable from Github releases and move to somewhere on your PATH.

▶ sudo curl -Ls https://github.com/mozilla/sops/releases/download/v3.7.3/sops-v3.7.3.linux.amd64 \
   -o /usr/local/bin/sops
▶ sudo chmod 755 /usr/local/bin/sops
▶ sops --version
sops 3.7.3 (latest)

Usage

Let’s use age as the backend

1. Generate an age identity file (public-private key pair)

    ▶ age-keygen -o key.txt
    Public key: age1c580yu53ytt0nv2exx44evgwzylcyvqgsnnfpnlsqclf00mg4vdqd5q0z8
   

2. Create a YAML file containing secret(s) to be encrypted

    ▶ cat > secrets.yaml <<END
    password: abc123
    array: [1, 2]
    END
    ▶ cat secrets.yaml
    password: abc123
    array: [1, 2]
   

3. Encrypt it

    ▶ sops --encrypt --age age1c580yu53ytt0nv2exx44evgwzylcyvqgsnnfpnlsqclf00mg4vdqd5q0z8 \
       secrets.yaml > secrets.enc.yaml
   

4. View encrypted YAML

    ▶ cat secrets.enc.yaml
    password: ENC[AES256_GCM,data:vxU6flHc,iv:U1sHbGkidPgxKvHpGY/T0yxX6Kr7YizuTdwyk3ZeyUQ=,tag:w5bInANKnXMu42scnb7eqA==,type:str]
    array:
        - ENC[AES256_GCM,data:Ug==,iv:Nl6/5XgbFWmKaRbF2Ocw4S584dZYauvniExrn4EbZRw=,tag:be1FwF366C4yb0Zxj1/DqQ==,type:int]
        - ENC[AES256_GCM,data:sQ==,iv:cYxHg1SOjtulXxSQa8VpzimEu7b4GzYL/ovo0z23xpU=,tag:hwnoX/kWSW0/O73dkgnzkA==,type:int]
    sops:
        ... # some metadata
   

5. Decrypt and view original YAML

    ▶ SOPS_AGE_KEY_FILE=key.txt sops --decrypt secrets.enc.yaml
    password: abc123
    array:
        - 1
        - 2
   

6. (Optional) Selectively extract only certain fields

    ▶ SOPS_AGE_KEY_FILE=key.txt sops --decrypt --extract '["password"]' secrets.enc.yaml
    abc123%
   

Demo

Public anycast by thenets