It's a common scenario: you need to share some keys/secrets with other members of the project team, and those keys are often closely tied to some source code. SOPS allows you to do that securely using Git or another VCS.
A Git repository would be a perfect solution, but Git works in plain text, like any other VCS (Version Control System) for source code, even when the communication channels and the storage system are encrypted. That means that if someone has access to the source code, they also have access to every key inside the code.
I think the best way to learn the basics is to watch this asciinema recording. The rest of the post is only for those who want to understand what they're doing (which should also be important):
If you prefer videos, I recommend skipping this post and going to the video from the original SOPS creator:
How the encryption process works
SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI, and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. https://github.com/mozilla/sops
We'll use SOPS in the following example with age (github.com/FiloSottile/age) as the encryption solution. SOPS will be our editor, the interface we use to encrypt and decrypt files with age.
The following diagram shows how users can share encrypted files through a git repository:
Requirements
A secure vault. I'm using 1Password for this example.
This vault will be used to store the "age" key.
Both users must have access to the same vault secrets.
Steps
User 1 pushes an encrypted file
Get the "age" key from the 1Password vault
This is a plain-text key.
Encrypt the files using SOPS
Commit the files to your local repository
Push the commit to the remote git repository (GitHub, GitLab, etc.)
User 2 pulls and decrypts the previously pushed file
Pull the commit from the remote git repository
Also get the same "age" key from the 1Password vault that "User 1" used
You can use other encryption methods that could be even better for your use case, for example AWS KMS if you already have an AWS account; that also lets you use AWS IAM to manage access to the encryption keys. SOPS is the perfect solution only when you have no other encryption method.
First, download the age binary for your system and add it to your PATH:
Now you have the tool to generate your encryption key:
It's outside the scope of this tutorial, but here is a simple example of how to encrypt any binary file using age alone. Those encrypted files can be committed to a git repository too:
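The age-only flow described above, written out as an added example (this is not the post's own command listing). It assumes `age` and `age-keygen` are on PATH; the work directory, the file names and the sample "binary" content are constructed for the example. The private key file never goes into the repository; only the `.age` output does.

```shell
#!/usr/bin/env sh
# Added example: encrypt and decrypt a binary file with age alone.
# Assumes `age` and `age-keygen` are installed. $WORK, key.txt and blob.bin
# are constructed names for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate an age identity. key.txt holds the private key: keep it in the vault
# (1Password in the post) and in .gitignore, never in the repository.
# The function prints the matching public key (age1...), which is safe to share.
age_make_key() {
    age-keygen -o "$WORK/key.txt" 2>/dev/null   # stderr carries the public key banner
    age-keygen -y "$WORK/key.txt"               # print the public key from the identity
}

# Encrypt FILE for recipient PUBKEY, producing FILE.age (this is what you commit).
age_encrypt_file() {
    age -r "$1" -o "$2.age" "$2"
}

# Decrypt FILE.age with the private key and write the result to OUT.
age_decrypt_file() {
    age -d -i "$WORK/key.txt" -o "$2" "$1"
}

# Round trip: constructed sample with non-text bytes, encrypt, decrypt, compare.
# Prints "ok" when the decrypted file is byte-identical to the original.
age_roundtrip() {
    pub=$(age_make_key)
    printf 'db_password=s3cr3t\n\000\001\002\377' > "$WORK/blob.bin"   # constructed sample
    age_encrypt_file "$pub" "$WORK/blob.bin"
    age_decrypt_file "$WORK/blob.bin.age" "$WORK/blob.out"
    cmp -s "$WORK/blob.bin" "$WORK/blob.out" && echo ok
}
```

Before the first commit, add `key.txt` to `.gitignore` and check that the `.age` file no longer contains the cleartext (`grep` for a known value); the encrypted file starts with a readable `age-encryption.org/v1` header, but the payload is ciphertext.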
How to edit YAML files using SOPS
The first step is to install SOPS, just like we did with age:
Now that you have an age encryption key, let's finally get to the main part of this post and learn how to create encrypted text files using SOPS.
Set the following file content:
Save and exit. Now check the file content again using cat ./config.yaml:
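The same creation and inspection steps in a non-interactive form, as an added example that is not part of the original post. It assumes `sops`, `age` and `age-keygen` are on PATH; the work directory, `.sops.yaml`, the file names and the secret values are constructed. The check at the end is what a practitioner wants before `git add`: every value in the committed file must be an `ENC[...]` blob and the `sops:` metadata block (which holds the data key wrapped for each age recipient) must be present.

```shell
#!/usr/bin/env sh
# Added example: SOPS + age, non-interactive version of the `sops config.yaml` step.
# Assumes `sops`, `age` and `age-keygen` are installed. $WORK, key.txt,
# .sops.yaml, plain.yaml, config.yaml and the secret value are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SAMPLE_SECRET='s3cr3t-plaintext'   # constructed value that must never reach git

# Generate the age identity (private key stays in the vault) and print the
# public key, which is the only thing SOPS needs in order to encrypt.
sops_setup_key() {
    age-keygen -o "$WORK/key.txt" 2>/dev/null
    age-keygen -y "$WORK/key.txt"
}

# .sops.yaml is committed with the repository: it pins the recipient(s) for
# every matching file, so `sops config.yaml` needs no flags and every team
# member encrypts to the same keys. Argument: the age public key.
sops_write_config() {
    cat > "$WORK/.sops.yaml" <<EOF
creation_rules:
  - path_regex: \.yaml\$
    age: $1
EOF
}

# Encrypt plain.yaml into config.yaml (the file that gets committed), run in a
# subshell so the cd does not leak. The cleartext is removed afterwards.
sops_encrypt_yaml() (
    cd "$WORK"
    printf 'db_user: app\ndb_password: %s\n' "$SAMPLE_SECRET" > plain.yaml
    sops --encrypt plain.yaml > config.yaml
    rm plain.yaml
)

# Decrypt with the private key: what "User 2" runs after `git pull`.
sops_decrypt_yaml() {
    SOPS_AGE_KEY_FILE="$WORK/key.txt" sops --decrypt "$WORK/config.yaml"
}

# Pre-commit style check. Every "key: value" line above the sops: block must
# carry an ENC[...] blob, and the sops: block itself must exist.
# Prints "ok" or "LEAK".
sops_check_encrypted() {
    f="$WORK/config.yaml"
    leaks=$(sed '/^sops:/,$d' "$f" \
            | grep -E '^[^#[:space:]].*:[[:space:]]*[^[:space:]]' \
            | grep -vc 'ENC\[' || true)
    if grep -q '^sops:' "$f" && ! grep -q "$SAMPLE_SECRET" "$f" && [ "${leaks:-0}" -eq 0 ]; then
        echo ok
    else
        echo LEAK
    fi
}

# Full flow: key, config, encrypt, verify, decrypt. Prints "roundtrip-ok".
sops_demo() {
    pub=$(sops_setup_key)
    sops_write_config "$pub"
    sops_encrypt_yaml
    [ "$(sops_check_encrypted)" = ok ] || { echo FAIL; return 1; }
    sops_decrypt_yaml | grep -q "$SAMPLE_SECRET" && echo roundtrip-ok
}
```

Running `cat config.yaml` after `sops_encrypt_yaml` shows the same shape the interactive session leaves behind: the original keys with `ENC[AES256_GCM,...]` values, followed by a `sops:` block with the age recipient, its wrapped data key, a `mac` and the SOPS version. Values are encrypted individually, which is why the file still diffs and merges sensibly in git.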
Perfect! :) Now you know how to create and edit encrypted files.
[extra] How to limit which variables should be encrypted (WIP)
I am a senior software engineer at Red Hat / Ansible. I love automation tools, games, and coffee. I am also an active contributor to open-source projects on GitHub.