= Security Mozilla Sops Secrets =
 * https://github.com/mozilla/sops
 * Encrypts json/yaml values.

== Install 2022 ==
 * on Mac install sops {{{
# sops is the only hard requirement: it does the actual encrypt/decrypt of
# the yaml/json values and reads the .sops.yaml rules shown below.
brew install sops

# And helm for k8s if needed
# (the helm-secrets plugin installed in the next step wraps sops for helm)
brew install helm
}}}
 * install helm secrets plugin that uses sops {{{
# Pin the plugin version so every workstation/CI runner decrypts with the
# same helm-secrets behaviour (v3.x "dec" writes "<file>.dec" next to the file).
helm plugin install --version v3.12.0 https://github.com/jkroepke/helm-secrets
}}}
  
 * example config {{{
$ cat .sops.yaml 
# Note - script for key rotation k8sAzure/az-cli-helm-secret-rotate.sh
# Note: get latest with $ AZ_KEY="helm-cust1-prd"; az keyvault key list-versions --id https://${AZ_KEY}.vault.azure.net/keys/${AZ_KEY} --query "[0].kid"
creation_rules:

  - path_regex: env/(cust1|cust).*/(uat|prd)/secrets.yaml(.dec)?$
    encrypted_regex: '^(password|.*key)$'
    azure_keyvault: "https://helm-cust1-prd.vault.azure.net/keys/helm-cust1-prd/610aa30aa00b4184a07fa9cbb23463ef"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"

  - path_regex: env/cust2.*/(uat|prd)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-cust2-prd.vault.azure.net/keys/helm-cust2-prd/bb24f66d53f04827915c5b79f3e75a97"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"

  - path_regex: env/cust3.*/(uat|prd)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-cust3-prd.vault.azure.net/keys/helm-cust3-prd/750724205e5348d89e04b66b11651141"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"

  - path_regex: env/cust4.*/(uat|prd)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-cust4-prd.vault.azure.net/keys/helm-cust4-prd/ecca09fae61c45bf8ec1e14fee839b0c"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"

  - path_regex: env/cust5.*/(uat|prd)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-cust5-prd.vault.azure.net/keys/helm-cust5-prd/112647eb61f04d199c69c776a8597965"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"

  # All dev tst uat
  - path_regex: secrets.yaml|env/.*/(dev|tst)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-all-dev.vault.azure.net/keys/helm-all-dev/f8b2253f9af2407f8f870052ff2b233f"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"

  # # Default catch-all rule: no filename_regex or path_regex, only an encrypted_regex
  # - azure_keyvault: "https://helm-all-dev.vault.azure.net/keys/helm-all-dev-nomatch/2532969fce7f46aab72a767e854ad9e4"
  #   pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
  #   encrypted_regex: ".*_secret|.*password|.*pin"


#The END
}}}

 * Script to rotate keys helm-rotate.sh {{{
#!bash
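#!/bin/bash
# Rotate sops keys: decrypt and re-encrypt every *.yaml in the checkout that
# references a sops-/helm- key, so each file is re-wrapped with the keys
# currently listed in .sops.yaml. Must be run from inside the git checkout.
set -euo pipefail

echo "Decrypt and re-encrypt files ..."
gitroot=$(git rev-parse --show-toplevel)

f=""
# If the script aborts between 'dec' and 'rm' (set -e), remove the plaintext
# copy of the file being processed so decrypted secrets do not stay on disk.
cleanup() {
  if [ -n "${f}" ]; then
    rm -f -- "${f}.dec"
  fi
}
trap cleanup EXIT

# --null (not -Z, which means "decompress" on BSD/macOS grep) NUL-separates the
# file names so paths with spaces survive; the *.yaml test replaces the old
# 'grep yaml' filter, which also caught leftover *.yaml.dec plaintext files.
# Two -e patterns instead of the GNU-only "\|" alternation.
while IFS= read -r -d '' f; do
  [[ "$f" == *.yaml ]] || continue
  echo "f=$f"
  # informational only: a file with no match must not abort the run
  grep -n -e "sops-" -e "helm-" -e "vault.azure.net" -- "$f" || true
  helm secrets dec "$f"
  helm secrets enc "$f"
  rm -f -- "$f.dec"
  echo
done < <(grep -irl --null -e "sops-" -e "helm-" -- "$gitroot"/*)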

}}}

== Example bash to encrypt and decrypt sops in script ==
 * function to decrypt and cleanup {{{

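# Whitespace-separated list of sops-encrypted files to decrypt; the plaintext
# copy of each is written next to it as "<file>.dec" and removed on exit.
sopsfiles=""
# e.g. sopsfiles="$name/files/config-$env/config-$env-sensitive-sops.json"
#
# Register the cleanup before any decryption happens so the .dec copies are
# removed on every exit path, including a failed decrypt. (The decrypt call
# itself belongs after the function definitions, under "Start script".)
trap sigexit_capture EXIT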
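#######################################
# EXIT trap: delete the plaintext "<file>.dec" copy of every entry in
# $sopsfiles so decrypted secrets do not outlive the script.
# Globals:   sopsfiles (read) - whitespace-separated list of sops files
# Outputs:   one status line per file on stdout
# Returns:   status of the final echo (0); it never calls exit, so the
#            script's own exit status is not overridden by the trap
#######################################
function sigexit_capture() {
    local f
    echo "# === TRAP EXIT sigexit cleanup. ==="
    for f in ${sopsfiles}; do
        if [ -f "${f}.dec" ]; then
            echo "delete sops file ${f}.dec"
            rm -f -- "${f}.dec"
        elif [ -f "${f}" ]; then
            # nothing was decrypted for this entry (or it was already removed)
            echo "skipped missing file ${f}.dec"
        else
            echo "bug ? file ${f} does not exist."
        fi
    done
    echo "Good bye."
}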
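#######################################
# Decrypt every file listed in $sopsfiles to "<file>.dec".
# Globals:   sopsfiles (read) - whitespace-separated list of sops-encrypted files
# Outputs:   progress messages on stdout
# Returns:   0 when every file was decrypted or already had a .dec;
#            1 when a listed file is missing or sops fails (a partial .dec
#            is removed so a rerun does not treat it as already decrypted)
#######################################
function sops_decrypt_files() {
    local f
    for f in ${sopsfiles}; do
        if [ ! -f "${f}" ]; then
            echo "sops decrypt error missing ${f}"
            return 1
        fi
        if [ -f "${f}.dec" ]; then
            echo "sops decrypt skip ${f} found .dec"
            continue
        fi
        echo "sops decrypt to ${f}.dec"
        # umask 077 in a subshell so the plaintext is created owner-only
        # instead of inheriting the caller's umask (often world-readable).
        if ! ( umask 077; sops --decrypt "${f}" > "${f}.dec" ); then
            echo "sops decrypt error for ${f}"
            rm -f -- "${f}.dec"
            return 1
        fi
    done
    return 0
}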
#
## Start script
sops_decrypt_files || { echo "# 🛑 Error sops_decrypt_files"; exit 1; }}}}

echo "The End."
# trap will cleanup.


----
CategorySecurity