SOPS mac_only_encrypted
cdvv7788 opened this issue · 3 comments
cdvv7788 commented
I am trying to set up my .sops.yaml file to ignore unencrypted data. Currently I am trying:
creation_rules:
  - path_regex: .*test\.yaml$
    encrypted_regex: "^(secret)$"
    mac_only_encrypted: true
    key_groups:
      whatever
I am using that option based on what I found here https://github.com/getsops/sops/blob/main/config/config.go#L151
I can encrypt normally, but changing a value that is not encrypted is returning:
MAC mismatch. File has D9B9748797E046490BC4432DC40AB4A38750817647769079D1693B9FD8D26D14DF9852184707094D6A4F5DA6921271D10F291E457A7B0141894F75A641C1DE85, computed 33FCF2BAFEE86F970579A5B10C3B06A9930B114361C0ACAA2711BF68AB332583CC3BC0BB196C0E6ABE41F38FE1E508C777382E9F6D740F6CFF83EC47D89C96AB
Is this an example of bad usage? In that case, can you please document the proper usage?
To reproduce using sops==3.8.1:
- Create a test file named test.yaml:
public:
  test: this
secret:
  test: shhh
- Encrypt the file in place with sops -e -i test.yaml:
public:
  test: this
secret:
  test: ENC[AES256_GCM,data:VP9ZyA==,iv:YAa4Pt1ySLaGeGxwFOXoGOEzeYPlIBAy2Pg4PS5GBsU=,tag:dDSpyL412CUgqnjJfqEJpQ==,type:str]
sops:
  age:
    - recipient: <age_public_key>
      enc: ...
  lastmodified: "2024-05-21T15:21:04Z"
  mac: ENC[AES256_GCM,data:mJjJvCtlZ1movS16GeN/Ad2HhRUI7m3JYE00EMHYb0KTzwZKR1J3H08Q+8EeoX9SIgmUxYoHOOaTpAb5WFxVE8zz7eis+qhfpqjebaJ1d/1GfNpEVGOyY9f6vgzSwupIM3P9xWnJ2T1aNAcI8O4JuQuwq44XNu1vs6UyRI/VjBY=,iv:38Y8DDLOPpJEDiu3VRitaJQKIaLNHWKG+tTrsTwm8Uk=,tag:GnXnNfxFJmQ3A1b8/5CnfQ==,type:str]
  pgp: []
  encrypted_regex: ^(secret)$
  version: 3.8.1
- Modify the public value that is not encrypted:
public:
  test: this-is-new
secret:
  test: ENC[AES256_GCM,data:VP9ZyA==,iv:YAa4Pt1ySLaGeGxwFOXoGOEzeYPlIBAy2Pg4PS5GBsU=,tag:dDSpyL412CUgqnjJfqEJpQ==,type:str]
sops:
  age:
    - recipient: <age_public_key>
      enc: ...
  lastmodified: "2024-05-21T15:21:04Z"
  mac: ENC[AES256_GCM,data:mJjJvCtlZ1movS16GeN/Ad2HhRUI7m3JYE00EMHYb0KTzwZKR1J3H08Q+8EeoX9SIgmUxYoHOOaTpAb5WFxVE8zz7eis+qhfpqjebaJ1d/1GfNpEVGOyY9f6vgzSwupIM3P9xWnJ2T1aNAcI8O4JuQuwq44XNu1vs6UyRI/VjBY=,iv:38Y8DDLOPpJEDiu3VRitaJQKIaLNHWKG+tTrsTwm8Uk=,tag:GnXnNfxFJmQ3A1b8/5CnfQ==,type:str]
  pgp: []
  encrypted_regex: ^(secret)$
  version: 3.8.1
- Try to decrypt using sops -d test.yaml and get the error:
MAC mismatch. File has 53D78D70FFC24EA217D3A1723A63507683FD8B5EECF667E4EB102B9BCF61E91D1F7C015C841ABB0645ABA2CE9AB20AE13EA544F31C75285C87A8F81F7790A8E5, computed 55578626998F8FDFF9EDC8504E2D096C9A025219056271BA1D24865F0284205179840D918521ADAD61E3A3DB3B7C2D9970E6B2526289726B919CDBEAC6944336
felixfontein commented
Please note that mac_only_encrypted only exists on the main branch, but not in a released version so far.
CC @getsops/maintainers
cdvv7788 commented
🤦 I didn't check that. The .sops.yaml file options are mostly undocumented explicitly, so I just assumed this was the case. My bad.
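The mismatch in the reproduction above is the expected behaviour of a released 3.8.x sops, not a bug: the integrity MAC stored under sops.mac is a digest over the leaf values of the whole decrypted document, so editing a plaintext value such as public.test changes the digest just as editing a secret would, and decryption refuses the file. The main-branch mac_only_encrypted setting that felixfontein refers to narrows the digest to the leaves that encrypted_regex selects. The following Python is an added illustration of that difference, written for this page and not taken from sops; it models the digest as SHA-512 in uppercase hex (consistent with the 128-character values in the error messages), while the leaf serialisation and walk order are simplifying assumptions and the sops metadata block is left out of the tree as sops itself excludes it from the hash.

```python
"""Model of which leaves the sops integrity MAC covers, with and without a
mac_only_encrypted style setting. Added example, not sops's own code; the leaf
serialisation (str(value)) and walk order (insertion order) are assumptions."""
import hashlib
import re


def leaves(node, path=()):
    """Yield (path, value) for every scalar in a nested dict/list document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaves(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from leaves(value, path + (index,))
    else:
        yield path, node


def is_encrypted(path, encrypted_regex):
    """A leaf is encrypted when any mapping key on its path matches
    encrypted_regex (a matching key pulls its whole subtree into encryption)."""
    pattern = re.compile(encrypted_regex)
    return any(isinstance(key, str) and pattern.search(key) for key in path)


def compute_mac(tree, encrypted_regex, mac_only_encrypted=False):
    """Digest the document's leaf values. By default every leaf is hashed;
    with mac_only_encrypted only the leaves selected by encrypted_regex are."""
    digest = hashlib.sha512()
    for path, value in leaves(tree):
        if mac_only_encrypted and not is_encrypted(path, encrypted_regex):
            continue
        digest.update(str(value).encode("utf-8"))
    return digest.hexdigest().upper()


def check_mac(stored_mac, tree, encrypted_regex, mac_only_encrypted=False):
    """Recompute the MAC over the current tree and reject it on mismatch,
    mirroring the shape of the error message in the issue."""
    computed = compute_mac(tree, encrypted_regex, mac_only_encrypted)
    if computed != stored_mac:
        raise ValueError(f"MAC mismatch. File has {stored_mac}, computed {computed}")
    return True


ENCRYPTED_REGEX = r"^(secret)$"

# Constructed plaintext views of the issue's test.yaml before and after the
# edit to the unencrypted public.test value (sops metadata omitted).
ORIGINAL = {"public": {"test": "this"}, "secret": {"test": "shhh"}}
EDITED_PUBLIC = {"public": {"test": "this-is-new"}, "secret": {"test": "shhh"}}
EDITED_SECRET = {"public": {"test": "this"}, "secret": {"test": "tampered"}}


def verify_after_edit(edited, mac_only_encrypted):
    """MAC the original document, then verify the edited one under the given
    mode; returns "ok" or "mismatch" instead of raising."""
    stored = compute_mac(ORIGINAL, ENCRYPTED_REGEX, mac_only_encrypted)
    try:
        check_mac(stored, edited, ENCRYPTED_REGEX, mac_only_encrypted)
        return "ok"
    except ValueError:
        return "mismatch"


def demo():
    """Outcome of each edit under the default MAC and the encrypted-only MAC."""
    return {
        "public edit, default": verify_after_edit(EDITED_PUBLIC, False),
        "public edit, mac_only_encrypted": verify_after_edit(EDITED_PUBLIC, True),
        "secret edit, default": verify_after_edit(EDITED_SECRET, False),
        "secret edit, mac_only_encrypted": verify_after_edit(EDITED_SECRET, True),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The table the script prints makes the trade-off explicit: the default MAC turns any out-of-band edit to the file, plaintext or ciphertext, into a decrypt failure, which is the stronger integrity guarantee; an encrypted-only MAC lets plaintext fields be edited freely (for example by tooling that never holds the data key) at the cost of no longer detecting tampering with those fields.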