getsops/sops

AGE and Google KMS edge case

Triskae opened this issue · 3 comments

Hello,
I think I've found an edge case. On my computer I'm working on several projects, and all of them use sops.
The problem is that not all store their keys in the same place. Some of them use AGE, others use GCP KMS.

But if I try to encrypt saying with AGE using --age param, but having SOPS_GCP_KMS_IDS env variable set, the encrypted file seems to encrypt with both keys in some way. If I look inside the encrypted file I can see that age and gcp_kms have a value.

Do you guys have the same behaviour?
Specifying the type of encryption explicitly on the command line should override the encryption specified in the environment variable, right?
Thanks!

Hello,
Any news, guys? Tell me if I need to clarify something.

I'm interested in this issue. However, as written, it is not well understood what you are doing and experiencing. Consider rewriting this with exhibits and exact steps so that others can reproduce it. Thanks in advance!

Hello, thanks for your answer, so let me explain a little bit more:

  • I work for a company that uses GCP KMS with SOPS to encrypt secrets. I have SOPS_GCP_KMS_IDS in my environment variables in order to make things work with SOPS.
  • I'm also a freelancer, and I work for another company using the same machine. For this other company I don't use GCP KMS, I use age. I use the SOPS_AGE_KEY_FILE environment variable to make things work.

So the problem is that when I try to encrypt with age and then open the encrypted file, I can see that the original file was encrypted with GCP KMS and age. I can see that because the age and gcp_kms arrays are both non-empty.

So the question is: is there any way to prevent sops from using both age and GCP KMS, any flag or something like that to disable this behaviour?

I hope it's a little bit clearer.
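The condition described in this thread (a file whose metadata carries both an `age` and a `gcp_kms` entry, so the data key is unwrappable by either) can be caught after the fact by inspecting the `sops` metadata block of the encrypted file. The following is an added example, not part of this thread or of the sops project. It assumes the file was written in sops' JSON output format (for a YAML file, load the text with a YAML parser and pass the resulting dict to the same functions) and relies on the key-group field names `age`, `gcp_kms`, `kms`, `azure_kv`, `hc_vault` and `pgp` that sops writes under `sops`; the sample document and every key value in it are constructed placeholders.

```python
import json
from typing import Dict, Set

# Key-group fields that sops writes under the top-level "sops" metadata key.
# Each one is a list of recipients/keys the file's data key was wrapped for.
KEY_GROUP_FIELDS = ("age", "gcp_kms", "kms", "azure_kv", "hc_vault", "pgp")

# Constructed sample reproducing the reporter's situation: an age-encrypted
# file whose metadata also carries a GCP KMS entry because SOPS_GCP_KMS_IDS
# was set. All values are placeholders, not real keys or ciphertext.
SAMPLE_SOPS_JSON = json.dumps({
    "data": "ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]",
    "sops": {
        "kms": [],
        "gcp_kms": [
            {
                "resource_id": "projects/example-project/locations/global/"
                               "keyRings/example-ring/cryptoKeys/example-key",
                "created_at": "2023-01-01T00:00:00Z",
                "enc": "placeholder-wrapped-data-key",
            }
        ],
        "azure_kv": [],
        "hc_vault": [],
        "age": [
            {
                "recipient": "age1placeholderrecipient",
                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\n"
                       "placeholder\n"
                       "-----END AGE ENCRYPTED FILE-----\n",
            }
        ],
        "lastmodified": "2023-01-01T00:00:00Z",
        "mac": "ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]",
        "pgp": [],
        "unencrypted_suffix": "_unencrypted",
        "version": "3.7.3",
    },
})


def key_groups(doc: dict) -> Dict[str, int]:
    """Return {key_type: number_of_entries} for every non-empty key group."""
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        raise ValueError("not a sops-encrypted document: missing 'sops' metadata")
    counts: Dict[str, int] = {}
    for field in KEY_GROUP_FIELDS:
        entries = meta.get(field) or []   # absent, null and [] all mean "unused"
        if entries:
            counts[field] = len(entries)
    return counts


def key_groups_from_text(text: str) -> Dict[str, int]:
    """Same as key_groups, but starting from the JSON text of the file."""
    return key_groups(json.loads(text))


def unexpected_key_groups(doc: dict, allowed: Set[str]) -> Set[str]:
    """Key types that can unwrap this file but are not in the allowed set."""
    return set(key_groups(doc)) - allowed


def check_file_text(text: str, allowed: Set[str]) -> bool:
    """True when every key group present in the file is in `allowed`."""
    return not unexpected_key_groups(json.loads(text), allowed)


if __name__ == "__main__":
    doc = json.loads(SAMPLE_SOPS_JSON)
    print("key groups present:", key_groups(doc))
    extra = unexpected_key_groups(doc, {"age"})
    if extra:
        # This is the mixed-key state from the thread: the data key is also
        # wrapped for a key type the project did not intend to use.
        print("WARNING: data key also wrapped for:", ", ".join(sorted(extra)))
```

Running `check_file_text` with the key types a given repository is supposed to use (for example `{"age"}` for the freelance project) is a cheap pre-commit or CI gate: a file that came out wrapped for an extra key type, as described above, fails the check before it is pushed, instead of silently remaining decryptable by the other organisation's KMS key.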