source link: https://techno-tim.github.io/posts/secret-encryuption-sops/
Encrypt Your Sensitive Information Before Storing It - Encrypting with Mozilla SOPS and AGE
Committing secrets to your Git repo can expose information like passwords, access tokens, and other types of sensitive information. Some might think that committing secrets to a private Git repo is OK, but I am here to tell you it’s not. If you’re going to commit secrets to a Git repo, private or public, you should encrypt them first using Mozilla SOPS (Secret Operations) and age. SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. Age is a simple, modern, and secure file encryption tool and format, built using Go. Together they can encrypt and decrypt your files, making them safe enough to commit to your Git repos!
A HUGE thanks to Datree for sponsoring this video!
Combat misconfigurations. Empower engineers. https://www.datree.io
Install SOPS
https://github.com/mozilla/sops
from the releases page
https://github.com/mozilla/sops/releases
wget https://github.com/mozilla/sops/releases/download/v3.7.3/sops_3.7.3_amd64.deb
sudo dpkg -i ./sops_3.7.3_amd64.deb
rm ./sops_3.7.3_amd64.deb
test with
sops -v
should see
sops 3.7.3 (latest)
Install Age
https://github.com/FiloSottile/age
sudo apt install age
or the manual way
get the file
wget -O age.tar.gz https://github.com/FiloSottile/age/releases/download/v1.0.0/age-v1.0.0-linux-amd64.tar.gz
extract and move
tar xf age.tar.gz
sudo mv age/age /usr/local/bin
sudo mv age/age-keygen /usr/local/bin
clean up
rm -rf age
rm age.tar.gz
test age
with
age -version
should see
v1.0.0
test age-keygen
with
age-keygen -version
should see
v1.0.0
configure keys
Now that we have age installed we need to create a public and private key
age-keygen -o key.txt
should see
age-keygen: warning: writing secret key to a world-readable file
Public key: age1epzmwwzw8n09slh0c7z0z52x43nnga7lkksx3qrh07tqz5v7lcys45428t
let’s look at the contents
cat key.txt
should see
# created: 2022-09-26T21:55:47-05:00
# public key: age1epzmwwzw8n09slh0c7z0z52x43nnga7lkksx3qrh07tqz5v7lcys45428t
AGE-SECRET-KEY-1HJCRJVK7EE3A5N8CRP8YSDUGZKNW90Y5UR2RGYAS8L279LFP6LCQU5ADNR
Remember this is a secret so keep this safe! Do not commit this!
move the file and add to our shell
mkdir ~/.sops
mv ./key.txt ~/.sops
add it to our shell
nano ~/.zshrc
# or nano ~/.bashrc
add to the end of file
export SOPS_AGE_KEY_FILE=$HOME/.sops/key.txt
source our shell
source ~/.zshrc
# or source ~/.bashrc
Now! Let’s encrypt
There are a few ways you can do this: you can encrypt in place or encrypt with an editor, but we’re going to do an in-place encryption.
The file can be Kubernetes secrets, Helm values, or just plain old YAML.
create a secret with the following contents
secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
  namespace: default
stringData:
  MYSQL_USER: root
  MYSQL_PASSWORD: super-Secret-Password!!!!
to encrypt
sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") --encrypted-regex '^(data|stringData)$' --in-place ./secret.yaml
to decrypt
sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") --encrypted-regex '^(data|stringData)$' --in-place ./secret.yaml
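As an added example that is not from the original post: a small shell helper that pulls the age public key out of key.txt the way the grep -oP one-liner above does, plus a pre-commit style check that refuses a secret.yaml unless it carries a sops: metadata block and every value under data:/stringData: is an ENC[...] blob (the fields the encrypted-regex above targets). The function names, the sample file layouts and the placeholder key values are assumptions, not real keys or real SOPS output.

```shell
# Added example, not from the original post: helpers around the sops + age
# workflow above. Assumes key.txt in age-keygen's format and a secret.yaml
# encrypted with --encrypted-regex '^(data|stringData)$'. Samples are constructed.
set -euo pipefail

# Read the age public key from the "# public key: age1..." comment that
# age-keygen writes into key.txt (same job as the grep -oP one-liner above).
age_pubkey_from_keyfile() {
  sed -n 's/^# public key: \(age1[a-z0-9]*\)$/\1/p' "$1"
}

# Pre-commit guard: 0 only if the YAML has a top-level sops: metadata block and
# every value under data:/stringData: is an ENC[AES256_GCM,...] blob, so nothing
# under those keys would reach Git as plaintext. Other keys may stay readable.
check_sops_encrypted_yaml() {
  grep -q '^sops:' "$1" || return 1
  awk '
    /^[^ \t#-]/ { in_map = ($0 ~ /^(data|stringData):/); next }
    in_map && /^[ \t]+[^ \t#][^:]*:/ {
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      if (val !~ /^ENC\[AES256_GCM,/) bad = 1
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Constructed sample of what sops writes for secret.yaml above (blobs and the
# sops: block are shortened; never hand-edit the metadata of a real file).
write_sample_encrypted() {
  cat > "$1" <<'EOF'
---
apiVersion: v1
kind: Secret
metadata:
    name: mysql-secret
stringData:
    MYSQL_USER: ENC[AES256_GCM,data:abcd,iv:efgh,tag:ijkl,type:str]
    MYSQL_PASSWORD: ENC[AES256_GCM,data:mnop,iv:qrst,tag:uvwx,type:str]
sops:
    age:
        - recipient: age1examplepublickeyplaceholder
    version: 3.7.3
EOF
}

# Constructed key.txt in age-keygen's layout (placeholder values, not a real key).
write_sample_keyfile() {
  printf '# created: 2022-09-26T21:55:47-05:00\n# public key: age1examplepublickeyplaceholder\nAGE-SECRET-KEY-PLACEHOLDER\n' > "$1"
}
```

Wire check_sops_encrypted_yaml into a Git pre-commit hook over the staged secret files and a plaintext secret.yaml never reaches the repo, whatever the developer forgot to run.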
Kubernetes
If you want to decrypt this secret on the fly and apply it to Kubernetes:
encrypt first
sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") --encrypted-regex '^(data|stringData)$' --in-place ./secret.yaml
decrypt and pipe to kubectl
sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") --encrypted-regex '^(data|stringData)$' ./secret.yaml | kubectl apply -f -
check it with
kubectl describe secret mysql-secret
kubectl get secret mysql-secret -o jsonpath='{.data}'
kubectl get secret mysql-secret -o jsonpath='{.data.MYSQL_PASSWORD}' | base64 --decode
VSCode
install the vscode extension
choose the beta for sops because that supports age + sops
don’t forget to add .decrypted~secret.yaml to .gitignore
encrypt .env files
make sure extension is installed
.ENV Files
create
secret.env
MYSQL_USER=superroot
MYSQL_PASSWORD="super-Secret-Password!!!!############"
encrypt
sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") -i secret.env
decrypt
sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") -i secret.env
don’t forget to add .decrypted~secret.env to your .gitignore
JSON Files
secret.json
{
"mySqlUser": "superroot",
"password": "super-Secret-Password!!!!#######"
}
encrypt
sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") -i secret.json
decrypt
sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") -i secret.json
don’t forget to add .decrypted~secret.json to your .gitignore
INI Files
secret.ini
[database]
user = superroot
password = super-Secret-Password!!!!1223
encrypt
sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") -i secret.ini
decrypt
sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") -i secret.ini
don’t forget to add .decrypted~secret.ini to your .gitignore
Files
secret.sql
--- https://xkcd.com/327/
--- DO NOT USE
INSERT INTO Students VALUES ( 'Robert' ); DROP TABLE STUDENTS; --' )
encrypt
sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") --in-place ./secret.sql
decrypt
sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") --in-place ./secret.sql
If you’re thinking of doing GitOps with Flux, you can check out my video on this topic or see my documentation. Flux can do in-cluster decryption and fully automate the decryption of secrets.
In cluster decryption with Flux
https://fluxcd.io/flux/guides/mozilla-sops/#configure-in-cluster-secrets-decryption
Links
⚙️ See all the hardware I recommend at https://l.technotim.live/gear
🚀 Don’t forget to check out the 🚀Launchpad repo with all of the quick start source files