/sops-demo

Primary language: Python

install

brew install sops age

setup

customise editor (pick one; sops needs an editor that blocks until the file is closed, hence --wait)

export EDITOR="code --wait"
export EDITOR="/Applications/Sublime\ Text.app/Contents/SharedSupport/bin/subl --wait"

local age key

create local age key

age-keygen -o key.txt

export sops environment variable for the age key

export SOPS_AGE_KEY_FILE=key.txt

gcp kms key

activate kms api

gcloud services enable cloudkms.googleapis.com

create key ring

gcloud kms keyrings create cursor-keyring --location global

create encryption key for sops

gcloud kms keys create cursor-key --location=global --keyring=cursor-keyring --purpose=encryption

list keys

gcloud kms keys list --keyring=cursor-keyring --location=global

encryption rules

.sops.yaml configures sops to encrypt with both the local age key and the gcp kms key. Both keys sit in the same creation rule and so form a single key group: either key on its own can decrypt the file, which makes the age key a recovery key but also means it must be protected like the kms key.

creation_rules:
  - path_regex: \.(secrets|creds)\.yml$
    gcp_kms: projects/xxx/locations/global/keyRings/cursor-keyring/cryptoKeys/cursor-key
    age: age1xxx

currently (a file keeps the keys it was encrypted with; changing .sops.yaml does not re-key existing files until `sops updatekeys <file>` is run):

  • .creds.yml is encrypted with both the gcp kms key and the age key
  • .secrets.yml is encrypted with the gcp kms key only

tests after removing the key from gcp kms

.creds.yml can still be decrypted with the local age key

sops -d .creds.yml  # succeeds (age key picked up from SOPS_AGE_KEY_FILE)
SOPS_AGE_KEY_FILE=key.txt sops -d .creds.yml  # succeeds, age key file given explicitly

.secrets.yml can no longer be decrypted, because its only key source is the gcp kms key

sops -d .secrets.yml  # fails
sops -d --gcp-kms projects/xxx/locations/global/keyRings/cursor-keyring/cryptoKeys/cursor-key .secrets.yml  # fails, the kms key no longer exists
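The tests above check two files by hand. As an added check that is not part of the demo repo, the script below reads the `sops` metadata block that sops stores next to the ciphertext and reports which key sources a file carries and whether it would still decrypt once the cloud kms key is gone; it also handles the multi-group `key_groups` / `shamir_threshold` layout. The two metadata samples are constructed to mirror .creds.yml and .secrets.yml in sops' JSON form, with ciphertext elided.

```python
"""Audit the key sources recorded in sops-encrypted files (added example)."""
import json

# Source names as sops writes them in its metadata.
CLOUD_SOURCES = ("kms", "gcp_kms", "azure_kv", "hc_vault")
LOCAL_SOURCES = ("age", "pgp")

# Constructed metadata mirroring the two demo files (ciphertext and MAC elided).
GCP_KEY = "projects/xxx/locations/global/keyRings/cursor-keyring/cryptoKeys/cursor-key"
CREDS = {"sops": {"gcp_kms": [{"resource_id": GCP_KEY, "enc": "CiQA..."}],
                  "age": [{"recipient": "age1xxx", "enc": "-----BEGIN AGE ENCRYPTED FILE-----..."}],
                  "version": "3.8.1"}}
SECRETS = {"sops": {"gcp_kms": [{"resource_id": GCP_KEY, "enc": "CiQA..."}],
                    "age": None, "version": "3.8.1"}}


def key_groups(meta):
    """Normalise metadata to a list of key groups, each {source: [identifier, ...]}.
    sops flattens a single group to the top level and only writes `key_groups`
    (plus `shamir_threshold`) when there is more than one group."""
    groups = []
    for raw in meta.get("key_groups") or [meta]:
        group = {}
        for source in CLOUD_SOURCES + LOCAL_SOURCES:
            ids = [e.get("resource_id") or e.get("recipient") or e.get("arn") or e.get("fp") or "?"
                   for e in raw.get(source) or []]
            if ids:
                group[source] = ids
        groups.append(group)
    return groups


def survives_cloud_key_loss(meta):
    """True if enough key groups hold a local (age/pgp) key to reach the Shamir threshold."""
    groups = key_groups(meta)
    threshold = meta.get("shamir_threshold") or len(groups)
    local_groups = sum(1 for g in groups if any(s in g for s in LOCAL_SOURCES))
    return local_groups >= threshold


def audit(doc):
    """Report key sources and recoverability for one sops JSON document (str or dict)."""
    meta = (json.loads(doc) if isinstance(doc, str) else doc)["sops"]
    return {"sources": sorted({s for g in key_groups(meta) for s in g}),
            "survives_cloud_key_loss": survives_cloud_key_loss(meta)}


if __name__ == "__main__":
    for name, doc in (("creds", CREDS), ("secrets", SECRETS)):
        print(name, audit(doc))
```

Run it against a real file with `audit(open(".creds.json").read())`, or pipe YAML through `sops` with `--output-type json` first.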

usage

encrypt secrets

sops -e .secrets.yml

edit secrets

sops .secrets.yml