source link: https://techno-tim.github.io/posts/secret-encryuption-sops/

Encrypt Your Sensitive Information Before Storing It - Encrypting with Mozilla SOPS and AGE

Posted a day ago Updated a day ago 4 min read


Committing secrets to your Git repo can expose passwords, access tokens, and other sensitive information. Some might think that committing secrets to a private Git repo is OK, but it is not: every clone, fork, CI runner and backup carries the full history, and a repo that is later made public, or a single leaked credential, exposes every secret ever committed to it. If you’re going to commit secrets to a Git repo, private or public, encrypt them first using Mozilla SOPS (Secrets OPerationS) and age. SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. age is a simple, modern, and secure file encryption tool, format, and Go library. Together they encrypt and decrypt your files, making them safe enough to commit to your Git repos!

A HUGE thanks to Datree for sponsoring this video!
Combat misconfigurations. Empower engineers. https://www.datree.io


Install SOPS

https://github.com/mozilla/sops

from releases page

https://github.com/mozilla/sops/releases

wget https://github.com/mozilla/sops/releases/download/v3.7.3/sops_3.7.3_amd64.deb
sudo dpkg -i ./sops_3.7.3_amd64.deb
rm ./sops_3.7.3_amd64.deb

test with

sops -v

should see

sops 3.7.3 (latest)

Install Age

https://github.com/FiloSottile/age

sudo apt install age

or the manual way

get the file

wget -O age.tar.gz https://github.com/FiloSottile/age/releases/download/v1.0.0/age-v1.0.0-linux-amd64.tar.gz

extract and move

tar xf age.tar.gz
sudo mv age/age /usr/local/bin
sudo mv age/age-keygen /usr/local/bin

clean up

rm -rf age
rm age.tar.gz

test age with

age -version

should see

v1.0.0

test age-keygen with

age-keygen -version

should see

v1.0.0

Configure keys

Now that we have age installed we need to create a key pair. The public key (the age "recipient") is what goes into the sops commands and can be shared freely; the private key is the only thing that can decrypt the files.

age-keygen -o key.txt

should see

age-keygen: warning: writing secret key to a world-readable file
Public key: age1epzmwwzw8n09slh0c7z0z52x43nnga7lkksx3qrh07tqz5v7lcys45428t

let’s look at the contents

cat key.txt

should see

# created: 2022-09-26T21:55:47-05:00
# public key: age1epzmwwzw8n09slh0c7z0z52x43nnga7lkksx3qrh07tqz5v7lcys45428t
AGE-SECRET-KEY-1HJCRJVK7EE3A5N8CRP8YSDUGZKNW90Y5UR2RGYAS8L279LFP6LCQU5ADNR

Remember this is a secret so keep this safe! Do not commit this! If you saw the world-readable warning above, tighten the file to owner-only permissions (mode 0600) before going any further: anyone who can read this line can decrypt every file you encrypt with it.

move the file and add to our shell

mkdir ~/.sops
mv ./key.txt ~/.sops

add it to our shell

nano ~/.zshrc 
# or nano ~/.bashrc

add to the end of file (by default sops looks for the private key in $XDG_CONFIG_HOME/sops/age/keys.txt, usually ~/.config/sops/age/keys.txt; the variable is needed because we keep the key somewhere else)

export SOPS_AGE_KEY_FILE=$HOME/.sops/key.txt

source our shell

source ~/.zshrc 
# or source ~/.bashrc

Now! Let’s encrypt

There are a few ways to do this. You can encrypt in place or open the file in the sops editor, but we’re going to do an in-place encryption.

The file can be a Kubernetes Secret, Helm values, or just plain old YAML. With --encrypted-regex only the values under keys matching the regex (here data and stringData) are encrypted; apiVersion, kind and metadata stay in plaintext, so the file still diffs and reviews normally.

create a secret with the following contents

secret.yaml

---
apiVersion: v1
kind: Secret
metadata:
    name: mysql-secret
    namespace: default
stringData:
    MYSQL_USER: root
    MYSQL_PASSWORD: super-Secret-Password!!!!

to encrypt

sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") --encrypted-regex '^(data|stringData)$' --in-place ./secret.yaml

to decrypt (the --age and --encrypted-regex flags are not needed here: sops reads the recipients and the regex back from the sops metadata block it appended to the file, and only the private key from SOPS_AGE_KEY_FILE is required; the extra flags do no harm)

sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") --encrypted-regex '^(data|stringData)$' --in-place ./secret.yaml
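The key setup and the encrypt/decrypt steps above, as an added shell example that is not part of the original post: it derives the recipient from the key file without GNU grep’s -P (which BSD and macOS grep lack), refuses to continue if the key file is group- or world-readable, and writes a .sops.yaml creation rule so later sops calls need neither --age nor --encrypted-regex. The function names, the .sops.yaml rules and the scratch-directory walkthrough are this example’s own choices; the sample identity is the throwaway key.txt shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: helpers around the age key file
# and the sops commands shown above. Assumes the identity file layout
# age-keygen writes (a "# public key: age1..." comment line followed by the
# AGE-SECRET-KEY-1... line). Function names, the .sops.yaml rules and the
# sample key below are this example's own choices.

# Sample identity, copied from the key.txt shown in the post (a throwaway
# key published there; never reuse it for anything real).
SAMPLE_IDENTITY='# created: 2022-09-26T21:55:47-05:00
# public key: age1epzmwwzw8n09slh0c7z0z52x43nnga7lkksx3qrh07tqz5v7lcys45428t
AGE-SECRET-KEY-1HJCRJVK7EE3A5N8CRP8YSDUGZKNW90Y5UR2RGYAS8L279LFP6LCQU5ADNR'

# Print the recipient (public key) for an identity file.
# `age-keygen -y` is age's own way and works on any identity file; the sed
# fallback needs only POSIX tools plus the comment age-keygen writes. Either
# avoids `grep -oP`, which requires GNU grep (BSD/macOS grep has no -P).
age_pubkey_from_identity() {
    if command -v age-keygen >/dev/null 2>&1; then
        age-keygen -y "$1"
    else
        sed -n 's/^# public key: *//p' "$1" | head -n 1
    fi
}

# Return 0 if the identity file exists and is readable by its owner only,
# 1 if group or others can read it (what age-keygen's warning is about).
check_identity_perms() {
    [ -f "$1" ] || { echo "refusing: $1 does not exist" >&2; return 1; }
    if [ -n "$(find "$1" \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "refusing: $1 is group/world readable; fix with: chmod 600 $1" >&2
        return 1
    fi
    return 0
}

# Write a .sops.yaml creation rule into DIR so that later `sops -e -i FILE`
# calls need neither --age nor --encrypted-regex: sops takes both from the
# first rule whose path_regex matches the file.
write_sops_config() {
    recipient="$1"
    dir="${2:-.}"
    cat > "$dir/.sops.yaml" <<EOF
creation_rules:
  # Kubernetes Secrets and Helm values: encrypt only data/stringData values so
  # apiVersion, kind and metadata stay readable in diffs and reviews.
  - path_regex: .*\.ya?ml\$
    encrypted_regex: ^(data|stringData)\$
    age: $recipient
  # Everything else (.env, .json, .ini, other files): encrypt every value.
  - age: $recipient
EOF
}

# Encrypt or decrypt FILE in place using the rules above; skipped (exit 2)
# when sops is not installed so the rest of this script still runs.
sops_inplace() {
    mode="$1"; file="$2"
    if ! command -v sops >/dev/null 2>&1; then
        echo "sops not installed; skipping $mode of $file" >&2
        return 2
    fi
    case "$mode" in
        encrypt) sops --encrypt --in-place "$file" ;;
        decrypt) sops --decrypt --in-place "$file" ;;
        *) echo "usage: sops_inplace encrypt|decrypt FILE" >&2; return 2 ;;
    esac
}

# Walk through the setup once in a scratch directory (run: sh script.sh demo).
demo() {
    work="$(mktemp -d)"
    (umask 077; printf '%s\n' "$SAMPLE_IDENTITY" > "$work/key.txt")
    check_identity_perms "$work/key.txt" || return 1
    recipient="$(age_pubkey_from_identity "$work/key.txt")"
    echo "recipient: $recipient"
    write_sops_config "$recipient" "$work"
    cat "$work/.sops.yaml"
    printf 'MYSQL_USER=superroot\nMYSQL_PASSWORD=change-me\n' > "$work/secret.env"
    (cd "$work" && SOPS_AGE_KEY_FILE="$work/key.txt" sops_inplace encrypt secret.env && cat secret.env)
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

With the .sops.yaml in the repo root, `sops --encrypt --in-place ./secret.yaml` is all that is needed for the Kubernetes Secret above, and the rule file itself is safe to commit since it holds only public keys.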

Kubernetes

If you want to decrypt this secret on the fly and apply it to Kubernetes without ever writing the plaintext to disk:

encrypt first

sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") --encrypted-regex '^(data|stringData)$' --in-place ./secret.yaml

decrypt and pipe to kubectl

sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") --encrypted-regex '^(data|stringData)$' ./secret.yaml | kubectl apply -f -

check it with (the Secret is named mysql-secret in secret.yaml above)

kubectl describe secret mysql-secret
kubectl get secret mysql-secret -o jsonpath='{.data}'
kubectl get secret mysql-secret -o jsonpath='{.data.MYSQL_PASSWORD}' | base64 --decode

The last command shows why the encryption has to happen in git: inside the cluster the value is only base64-encoded, not encrypted.

VSCode

Install the SOPS VS Code extension and choose the beta, because that is the version that supports age with sops. The extension decrypts the file you open into a .decrypted~<name> copy next to it (for example .decrypted~secret.yaml) and re-encrypts when you save, so add .decrypted~* to your .gitignore so the plaintext copy is never committed.

The same extension handles the .env, JSON and INI files below; make sure it is installed before opening them.

.ENV Files

create

secret.env

MYSQL_USER=superroot
MYSQL_PASSWORD="super-Secret-Password!!!!############"

encrypt

sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") -i ./secret.env

decrypt

sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") -i ./secret.env

don’t forget to add .decrypted~secret.env to your .gitignore

JSON Files

secret.json

{
    "mySqlUser": "superroot",
    "password": "super-Secret-Password!!!!#######"
}

encrypt

sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") -i secret.json

decrypt

sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") -i secret.json

don’t forget to add .decrypted~secret.json to your .gitignore

INI Files

secret.ini

[database]
user     = superroot
password = super-Secret-Password!!!!1223

encrypt

sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") -i secret.ini

decrypt

sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") -i secret.ini

don’t forget to add .decrypted~secret.ini to your .gitignore

Other Files

Any file whose extension sops does not recognize (here a .sql script) is treated as binary: the whole content is encrypted and the file is rewritten as a JSON envelope with a single data value plus the sops metadata, so nothing in it stays readable.

secret.sql

--- https://xkcd.com/327/
--- DO NOT USE
INSERT INTO Students VALUES ( 'Robert' );  DROP TABLE STUDENTS; --' )

encrypt

sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") --in-place ./secret.sql

decrypt

sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE |grep -oP "public key: \K(.*)") --in-place ./secret.sql
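Every section above ends with the same reminder: keep the .decrypted~ copies out of git, and never commit the plaintext version of a secret file. As an added example that is not part of the original post, this is a pre-commit style check in POSIX shell that enforces both for the YAML, .env, JSON, INI and other files shown. It recognises a sops-encrypted file by the markers sops writes into every format (an ENC[AES256_GCM,...] value and the sops MAC, written as mac:, "mac":, mac = or sops_mac= depending on the format); the function names, the SECRET_PATTERN convention and the sample files are this example’s own, and the ENC[...] payloads in the sample are placeholders, not real ciphertext. When sops is installed, `sops --decrypt FILE >/dev/null` remains the authoritative check.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-commit style check that
# blocks plaintext secret files and the VS Code extension's .decrypted~* scratch
# copies. Markers, function names and sample data are this example's own.

# Return 0 if FILE carries sops metadata (a MAC written as mac:, "mac":, mac =
# or sops_mac= followed by an ENC[...] value) and at least one encrypted value.
is_sops_encrypted() {
    grep -q 'ENC\[AES256_GCM,' "$1" || return 1
    grep -Eq 'mac"?[[:space:]]*[:=][[:space:]]*"?ENC\[AES256_GCM,' "$1" || return 1
    return 0
}

# Return 0 if PATH is one of the extension's plaintext scratch files.
is_decrypted_scratch() {
    case "$(basename "$1")" in
        .decrypted~*) return 0 ;;
        *) return 1 ;;
    esac
}

# Files whose basename contains this substring must be sops-encrypted before
# they may be committed (assumed naming convention; adjust for your repo).
SECRET_PATTERN='secret'

# Read paths one per line on stdin (e.g. from
# `git diff --cached --name-only --diff-filter=AM`), print one line per
# finding and return the number of findings (0 means safe to commit).
check_staged() {
    findings=0
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        if is_decrypted_scratch "$path"; then
            echo "BLOCK $path: plaintext scratch file, add .decrypted~* to .gitignore"
            findings=$((findings + 1))
            continue
        fi
        case "$(basename "$path")" in
            *"$SECRET_PATTERN"*)
                if ! is_sops_encrypted "$path"; then
                    echo "BLOCK $path: secret file is not sops-encrypted"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    return "$findings"
}

# Constructed sample of what sops writes for the Kubernetes Secret above
# (payloads replaced by AAAA placeholders; real values are base64 ciphertext).
ENCRYPTED_YAML='apiVersion: v1
kind: Secret
metadata:
    name: mysql-secret
    namespace: default
stringData:
    MYSQL_USER: ENC[AES256_GCM,data:AAAA,iv:AAAA,tag:AAAA,type:str]
    MYSQL_PASSWORD: ENC[AES256_GCM,data:AAAA,iv:AAAA,tag:AAAA,type:str]
sops:
    age:
        - recipient: age1epzmwwzw8n09slh0c7z0z52x43nnga7lkksx3qrh07tqz5v7lcys45428t
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            AAAA
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-09-27T02:55:47Z"
    mac: ENC[AES256_GCM,data:AAAA,iv:AAAA,tag:AAAA,type:str]
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3'

# Run the check over a constructed staging set: one encrypted Secret, one
# plaintext .env, one scratch copy and one file that is not a secret at all.
demo() {
    work="$(mktemp -d)"
    printf '%s\n' "$ENCRYPTED_YAML" > "$work/secret.yaml"
    printf 'MYSQL_USER=superroot\nMYSQL_PASSWORD=super-Secret-Password!!!!\n' > "$work/secret.env"
    printf 'MYSQL_USER=superroot\n' > "$work/.decrypted~secret.env"
    printf 'replicas: 3\n' > "$work/values.yaml"
    printf '%s\n' "$work/secret.yaml" "$work/secret.env" \
        "$work/.decrypted~secret.env" "$work/values.yaml" | check_staged
    echo "findings: $?"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Wired into .git/hooks/pre-commit as `git diff --cached --name-only --diff-filter=AM | check_staged || exit 1`, the hook stops the commit with a message naming the offending file; the demo run reports two findings, the plaintext secret.env and the .decrypted~ copy, and lets the encrypted Secret and values.yaml through.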

If you’re thinking of doing GitOps with Flux, you can check out my video on this topic or see my documentation. You can do cluster decryption and fully automate decryption of secrets.

In cluster decryption with Flux

https://fluxcd.io/flux/guides/mozilla-sops/#configure-in-cluster-secrets-decryption

Links

⚙️ See all the hardware I recommend at https://l.technotim.live/gear

🚀 Don’t forget to check out the 🚀Launchpad repo with all of the quick start source files

