Secrets With SOPS
Aarushi Kansal
Posted on November 13, 2021
SOPS (Secrets OperationS) is an open source tool from Mozilla for editing, encrypting and decrypting a range of file types, such as YAML, JSON and ENV.
Encryption can be done in a variety of ways: with the major cloud providers' key management services, with PGP, and even with age.
In this article, we'll focus on using AWS KMS. A similar setup and workflow works for GCP and Azure as well.
Installing
Download and install one of:
More details can be found in the SOPS GitHub repo.
Configuring
Prerequisites for this are:
- A ready-to-use KMS key.
- Correctly configured AWS credentials (in ~/.aws/credentials), for example:
[default]
aws_access_key_id = <access-key-id>
aws_secret_access_key = <secret-access-key>
[kmsuser]
aws_access_key_id = <kmsuser-access-key-id>
aws_secret_access_key = <kmsuser-secret-access-key>
A separate kmsuser profile is not a requirement, but SOPS supports switching profiles, which is discussed below.
Next, you'll need to set up your SOPS configuration, which means telling SOPS which key to use and, optionally, which profile and which role to use.
Set up a .sops.yaml file locally.
Some configurations are as follows:
creation_rules:
  - kms: arn:aws:kms:ap-southeast-2:036762315531:key/46b7ee9d-d11a-4a7e-83a5-c83fe5c93e8f
This is the most basic configuration. It specifies KMS and the specific resource to use for encryption and decryption.
There is no profile or role listed, so it uses your default credentials.
creation_rules:
  - kms: arn:aws:kms:ap-southeast-2:036762315531:key/00aa1727-d895-4dc9-a10c-96ad40470a91
    aws_profile: kmsuser
In some situations you'll want to use alternative credentials, so you can specify which profile from your credentials file SOPS should use.
creation_rules:
  # the IAM role to assume is appended to the key ARN with a plus sign
  - kms: arn:aws:kms:ap-southeast-2:036762315531:key/00aa1727-d895-4dc9-a10c-96ad40470a91+arn:aws:iam::913492025681:role/sopsuser
SOPS also lets you make use of AWS IAM roles, meaning you can use KMS keys that live in other accounts.
Using
Encryption:
- sops -e secrets.yaml > secrets.enc.yaml
Decryption:
- sops -d secrets.enc.yaml > secrets.yaml
Example:
Plaintext secrets:
apiVersion: v1
kind: Secret
metadata:
  name: t0p-S3cret
type: Opaque
data:
  password: 12345-password
Encrypted secrets:
apiVersion: ENC[AES256_GCM,data:690=,iv:GM5Rle5baQNBC4MBECfVEY9YZzAeywnHcrcclGnwAVw=,tag:xN311xVOyvqC+TXy16KNcQ==,type:str]
kind: ENC[AES256_GCM,data:PGiPB4h3,iv:t9kAkvT9u38dwqOtBAPXEcLGqBa07/Ggk4gEhO/SzSQ=,tag:4NN94br3Ut9EmB/zMjkWMw==,type:str]
metadata:
  name: ENC[AES256_GCM,data:AZP+jxs5kVJQyh5ZcxROzIuuZgTsEQ==,iv:wA2OVYCQ8icb10XIRxTZu+QMILUoORrIOJmh30rmX84=,tag:VGBR8shJQ8x7RQY0R5fMqQ==,type:str]
type: ENC[AES256_GCM,data:fqP1lGtK,iv:bzhdcaZ1WyJpgy4v3Q2MS0J6q3XNLRtC2qbdWHkoqtk=,tag:dGbR3gWt54lnRRIYtq7i9w==,type:str]
data:
  password: ENC[AES256_GCM,data:ihVGHIa/SqDxC64wzFRvtFcKtk3WPmpjIWUh3HxCo60=,iv:gcxL6u2JNh+T7lXb5VbfZS9aKun8ZOAK+X93uJ4Vd6M=,tag:/y5UTFa3mIiAaV6RPif9mQ==,type:str]
sops:
  kms:
    - arn: arn:aws:kms:ap-southeast-2:036762315531:key/46b7ee9d-d11a-4a7e-83a5-c83fe5c93e8f
      created_at: "2021-11-12T06:28:22Z"
      enc: AQICAHguJRDZ0cg53Sh5Mus9w8WLD236AYz81m6wFTHAa6ObgQFSNXL+AHX+kn+akWNtP7aQAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMKaUlIgOrUMmOA/LzAgEQgDs62h0/zahsnr+4z1trkI+Euk5WkWqkQBnBh3KijqPEJJnKnPE9v41vSGJLbfeI8QOruvR6YwU2V3G7LQ==
      aws_profile: kmsuser
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age: []
  lastmodified: "2021-11-12T06:28:23Z"
  mac: ENC[AES256_GCM,data:Lwo28isqP6hA2nxjXDTnkglZjj8Ip1+W+erYlV/dq7r7YoJWAE+vFbWdiKIm4wE7bhSsoNQiIFGbQVqRx7VoGjwAE8A//0BCfrd7i5dTS5+/c0BOiLLrpNSqdTxRiNTUMGcvvWWnmkf+uBmMN/pOhyXwhdB+z9h0ST6Y3rR+zHE=,iv:l01KhN0a6BeoIIn45lbUamNKBNWX2eTMo7ToA2OsF/I=,tag:jfuPs6lS913B7Yb0jMjefA==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.7.1
As you can see, we have a regular Secret manifest which, once encrypted, can be checked in or shared freely.
SOPS encrypts every value in the file, not just the secret ones, while the keys (apiVersion, kind, metadata, ...) stay in plaintext; it also records metadata under the sops key, such as the profile and KMS key used, a MAC over the encrypted values, and the suffix that marks keys to be left unencrypted.
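Because a SOPS file is meant to be committed, the failure mode to guard against is a file that is only partly encrypted, for example after a hand edit pasted a plaintext value back in. The check below is an added example, not code from the original post or from the SOPS project: it walks a sops-encrypted JSON document and reports every leaf value that does not carry the ENC[AES256_GCM,data:...,iv:...,tag:...,type:...] envelope, honouring the unencrypted_suffix recorded in the metadata and skipping the sops block itself. It assumes JSON input (SOPS writes the same envelope into YAML, so with PyYAML installed swapping json.load for yaml.safe_load is the only change), takes the 32-byte IV and 16-byte tag sizes from the encrypted output above, and uses constructed sample documents whose ENC values are copied from that output. The same script can run as a pre-commit hook or as a CI gate before anything is decrypted.

```python
"""Check that a sops-encrypted JSON document is fully encrypted (added example)."""
import base64
import binascii
import json
import sys
import re

# Envelope layout as written by sops, copied from the encrypted output above.
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,"
    r"data:(?P<data>[A-Za-z0-9+/=]*),"
    r"iv:(?P<iv>[A-Za-z0-9+/=]+),"
    r"tag:(?P<tag>[A-Za-z0-9+/=]+),"
    r"type:(?P<type>str|int|float|bool|bytes|comment)\]$"
)
IV_LEN, TAG_LEN = 32, 16  # sizes observed in the sops output above


def parse_envelope(value):
    """Return the decoded envelope parts, or None if value is not ENC[...].

    Raises ValueError when the envelope is present but structurally broken
    (undecodable base64 or a wrong-sized IV/tag), which points at corruption.
    """
    if not isinstance(value, str):
        return None
    m = ENC_RE.match(value)
    if not m:
        return None
    try:
        parts = {k: base64.b64decode(m.group(k), validate=True) for k in ("data", "iv", "tag")}
    except binascii.Error as exc:
        raise ValueError(f"undecodable base64 in envelope: {exc}") from exc
    if len(parts["iv"]) != IV_LEN or len(parts["tag"]) != TAG_LEN:
        raise ValueError("unexpected IV/tag size in envelope")
    parts["type"] = m.group("type")
    return parts


def find_plaintext(doc, suffix="_unencrypted"):
    """Return slash-joined paths of leaf values that are not sops envelopes.

    The top-level 'sops' metadata block is skipped, as is any subtree whose
    key ends with the configured unencrypted suffix (sops leaves those clear).
    """
    leaks = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                if not path and key == "sops":
                    continue
                if key.endswith(suffix):
                    continue
                walk(child, path + [key])
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, path + [str(i)])
        elif parse_envelope(node) is None:
            leaks.append("/".join(path))

    walk(doc, [])
    return leaks


def is_fully_encrypted(doc):
    """True when every value outside the sops block is an envelope."""
    suffix = doc.get("sops", {}).get("unencrypted_suffix", "_unencrypted")
    return not find_plaintext(doc, suffix)


# Constructed sample: the Secret from the walkthrough above, ENC values copied
# from that output, with the sops metadata trimmed to the fields we read.
ENCRYPTED = {
    "apiVersion": "ENC[AES256_GCM,data:690=,iv:GM5Rle5baQNBC4MBECfVEY9YZzAeywnHcrcclGnwAVw=,tag:xN311xVOyvqC+TXy16KNcQ==,type:str]",
    "kind": "ENC[AES256_GCM,data:PGiPB4h3,iv:t9kAkvT9u38dwqOtBAPXEcLGqBa07/Ggk4gEhO/SzSQ=,tag:4NN94br3Ut9EmB/zMjkWMw==,type:str]",
    "metadata": {"name": "ENC[AES256_GCM,data:AZP+jxs5kVJQyh5ZcxROzIuuZgTsEQ==,iv:wA2OVYCQ8icb10XIRxTZu+QMILUoORrIOJmh30rmX84=,tag:VGBR8shJQ8x7RQY0R5fMqQ==,type:str]"},
    "data": {"password": "ENC[AES256_GCM,data:ihVGHIa/SqDxC64wzFRvtFcKtk3WPmpjIWUh3HxCo60=,iv:gcxL6u2JNh+T7lXb5VbfZS9aKun8ZOAK+X93uJ4Vd6M=,tag:/y5UTFa3mIiAaV6RPif9mQ==,type:str]"},
    "sops": {"unencrypted_suffix": "_unencrypted", "version": "3.7.1"},
}

# Constructed sample: same file after a hand edit pasted the plaintext password
# back in; the *_unencrypted subtree is legitimately clear because of the suffix.
LEAKY = json.loads(json.dumps(ENCRYPTED))  # deep copy
LEAKY["data"]["password"] = "12345-password"
LEAKY["metadata"]["labels_unencrypted"] = {"app": "demo"}


def main(argv):
    """CLI use: python sops_check.py secrets.enc.json; exit 1 if anything leaks."""
    if len(argv) != 2:
        print("usage: sops_check.py <encrypted.json>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        doc = json.load(fh)
    leaks = find_plaintext(doc, doc.get("sops", {}).get("unencrypted_suffix", "_unencrypted"))
    for path in leaks:
        print(f"plaintext value at {path}")
    return 1 if leaks else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it over the leaky sample reports data/password and exits non-zero, while the labels_unencrypted subtree is accepted; a malformed envelope (wrong IV or tag size, bad base64) raises rather than being silently counted as encrypted, since a corrupted file is just as unusable as a leaky one.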
CI
There are a number of ways to use sops encrypted secrets in your CI workflow.
The most basic way is to install sops, decrypt and apply the decrypted file to your cluster.
For example:
sops -d secrets.enc.yaml | kubectl apply -f -
However, it's most likely you're using some kind of manifest management tool and will want secrets to work within that ecosystem. To achieve this there are some wrappers for SOPS:
Final thoughts
SOPS is a great tool to get started with a GitOps style of secret management. However, there are some considerations you should take into account before committing to this solution:
- Key rotation
- Lack of control over who can see secrets once in the cluster
- Scalability for large teams, or a large number of secrets