SOPS and GPG
December 3, 2020•1,128 words
SOPS is a tool that makes encrypting and decrypting files easy; it supports the key management services of all major cloud providers and also GPG.
Prerequisites
- GPG Project site
- SOPS Project site
How to use it
First things first, let's create a new GPG key (skip this step if you already have one):
gpg --full-generate-key
The command will ask you some questions; just keep the defaults and continue.
After the key has been generated, take its fingerprint and pass it to sops with the --pgp flag (the man page below lists it as --pgp / -p):
sops --pgp [your fingerprint] pgpfile.yaml
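Once sops has written the file, the master keys live in its `sops` metadata block, so that block is what to audit before committing the file. The following Python is an added example (not from the post or from the sops project) that reads a sops-encrypted JSON document, lists the PGP master keys, checks the MAC is present and flags any leaf left in cleartext; the sample document, fingerprint and ciphertext are constructed placeholders.

```python
import json
import re

# Shape of a leaf value after sops has encrypted it (AES256_GCM envelope).
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:(?:str|int|float|bool)\]$")

# Constructed sample of a sops-encrypted JSON file (placeholder ciphertext and fingerprint).
# One value was added by hand after encryption and never went through sops.
SAMPLE = json.dumps({
    "db_password": "ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:cGxhY2Vob2xkZXI=,tag:cGxhY2Vob2xkZXI=,type:str]",
    "db_port": "ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:cGxhY2Vob2xkZXI=,tag:cGxhY2Vob2xkZXI=,type:int]",
    "region_unencrypted": "eu-west-1",
    "api_token": "plain-text-value-that-should-have-been-encrypted",
    "sops": {
        "kms": [], "gcp_kms": [], "azure_kv": [], "hc_vault": [],
        "pgp": [{"created_at": "2020-12-03T00:00:00Z",
                 "enc": "-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----",
                 "fp": "0000000000000000000000000000000000000000"}],
        "unencrypted_suffix": "_unencrypted",
        "mac": "ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:cGxhY2Vob2xkZXI=,tag:cGxhY2Vob2xkZXI=,type:str]",
        "version": "3.6.1",
    },
})


def _walk(node, path, suffix, found):
    """Collect paths of leaves that are neither ENC[...] nor under a key with the unencrypted suffix."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.endswith(suffix):
                continue  # the author deliberately left this subtree in clear
            _walk(value, path + [key], suffix, found)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, path + [str(i)], suffix, found)
    elif not (isinstance(node, str) and ENC_RE.match(node)):
        found.append(".".join(path))


def audit(doc_text):
    """Report master keys, MAC presence and any leaf left in cleartext."""
    doc = json.loads(doc_text)
    meta = doc.get("sops", {})
    body = {k: v for k, v in doc.items() if k != "sops"}
    cleartext = []
    _walk(body, [], meta.get("unencrypted_suffix", "_unencrypted"), cleartext)
    return {
        "pgp_fingerprints": [entry["fp"] for entry in meta.get("pgp", [])],
        "cloud_key_count": sum(len(meta.get(b, [])) for b in ("kms", "gcp_kms", "azure_kv", "hc_vault")),
        "mac_present": bool(meta.get("mac")),
        "cleartext_leaves": cleartext,
    }


def key_can_decrypt(doc_text, fingerprint):
    """True if the fingerprint is still a master key on the file (useful after --rm-pgp)."""
    return fingerprint.upper() in (fp.upper() for fp in audit(doc_text)["pgp_fingerprints"])
```

A cleartext leaf, a missing MAC, or a leaver's fingerprint still listed are the conditions worth failing a pre-commit check on.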
SOPS man
NAME:
sops - sops - encrypted file editor with AWS KMS, GCP KMS, Azure Key Vault and GPG support
USAGE:
sops is an editor of encrypted files that supports AWS KMS and PGP
To encrypt or decrypt a document with AWS KMS, specify the KMS ARN
in the -k flag or in the SOPS_KMS_ARN environment variable.
(you need valid credentials in ~/.aws/credentials or in your env)
To encrypt or decrypt a document with GCP KMS, specify the
GCP KMS resource ID in the --gcp-kms flag or in the SOPS_GCP_KMS_IDS
environment variable.
(you need to setup google application default credentials. See
https://developers.google.com/identity/protocols/application-default-credentials)
To encrypt or decrypt a document with HashiCorp Vault's Transit Secret Engine, specify the
Vault key URI name in the --hc-vault-transit flag or in the SOPS_VAULT_URIS environment variable (eg. https://vault.example.org:8200/v1/transit/keys/dev
where 'https://vault.example.org:8200' is the vault server, 'transit' the enginePath, and 'dev' is the name of the key )
environment variable.
(you need to enable the Transit Secrets Engine in Vault. See
https://www.vaultproject.io/docs/secrets/transit/index.html)
To encrypt or decrypt a document with Azure Key Vault, specify the
Azure Key Vault key URL in the --azure-kv flag or in the SOPS_AZURE_KEYVAULT_URL
environment variable.
(authentication is based on environment variables, see
https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication.
The user/sp needs the key/encrypt and key/decrypt permissions)
To encrypt or decrypt using PGP, specify the PGP fingerprint in the
-p flag or in the SOPS_PGP_FP environment variable.
To use multiple KMS or PGP keys, separate them by commas. For example:
$ sops -p "10F2...0A, 85D...B3F21" file.yaml
The -p, -k, --gcp-kms, --hc-vault-transit and --azure-kv flags are only used to encrypt new documents. Editing
or decrypting existing documents can be done with "sops file" or
"sops -d file" respectively. The KMS and PGP keys listed in the encrypted
documents are used then. To manage master keys in existing documents, use
the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags.
To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC.
To select a different editor than the default (vim), set EDITOR.
For more information, see the README at github.com/mozilla/sops
VERSION:
3.6.1
AUTHORS:
AJ Bahnken <ajvb@mozilla.com>
Adrian Utrilla <adrianutrilla@gmail.com>
Julien Vehent <jvehent@mozilla.com>
COMMANDS:
exec-env execute a command with decrypted values inserted into the environment
exec-file execute a command with the decrypted contents as a temporary file
publish Publish sops file or directory to a configured destination
keyservice start a SOPS key service server
groups modify the groups on a SOPS file
updatekeys update the keys of a SOPS file using the config file
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--decrypt, -d decrypt a file and output the result to stdout
--encrypt, -e encrypt a file and output the result to stdout
--rotate, -r generate a new data encryption key and reencrypt all values with the new key
--kms value, -k value comma separated list of KMS ARNs [$SOPS_KMS_ARN]
--aws-profile value The AWS profile to use for requests to AWS
--gcp-kms value comma separated list of GCP KMS resource IDs [$SOPS_GCP_KMS_IDS]
--azure-kv value comma separated list of Azure Key Vault URLs [$SOPS_AZURE_KEYVAULT_URLS]
--hc-vault-transit value comma separated list of vault's key URI (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev') [$SOPS_VAULT_URIS]
--pgp value, -p value comma separated list of PGP fingerprints [$SOPS_PGP_FP]
--in-place, -i write output back to the same file instead of stdout
--extract value extract a specific key or branch from the input document. Decrypt mode only. Example: --extract '["somekey"][0]'
--input-type value currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type
--output-type value currently json, yaml, dotenv and binary are supported. If not set, sops will use the input file's extension to determine the output format
--show-master-keys, -s display master encryption keys in the file during editing
--add-gcp-kms value add the provided comma-separated list of GCP KMS key resource IDs to the list of master keys on the given file
--rm-gcp-kms value remove the provided comma-separated list of GCP KMS key resource IDs from the list of master keys on the given file
--add-azure-kv value add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys on the given file
--rm-azure-kv value remove the provided comma-separated list of Azure Key Vault key URLs from the list of master keys on the given file
--add-kms value add the provided comma-separated list of KMS ARNs to the list of master keys on the given file
--rm-kms value remove the provided comma-separated list of KMS ARNs from the list of master keys on the given file
--add-hc-vault-transit value add the provided comma-separated list of Vault's URI key to the list of master keys on the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
--rm-hc-vault-transit value remove the provided comma-separated list of Vault's URI key from the list of master keys on the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
--add-pgp value add the provided comma-separated list of PGP fingerprints to the list of master keys on the given file
--rm-pgp value remove the provided comma-separated list of PGP fingerprints from the list of master keys on the given file
--ignore-mac ignore Message Authentication Code during decryption
--unencrypted-suffix value override the unencrypted key suffix.
--encrypted-suffix value override the encrypted key suffix. When empty, all keys will be encrypted, unless otherwise marked with unencrypted-suffix.
--unencrypted-regex value set the unencrypted key suffix. When specified, only keys matching the regex will be left unencrypted.
--encrypted-regex value set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.
--config value path to sops' config file. If set, sops will not search for the config file recursively.
--encryption-context value comma separated list of KMS encryption context key:value pairs
--set value set a specific key or branch in the input document. value must be a json encoded string. (edit mode only). eg. --set '["somekey"][0] {"somevalue":true}'
--shamir-secret-sharing-threshold value the number of master keys required to retrieve the data key with shamir (default: 0)
--verbose Enable verbose logging output
--output value Save the output after encryption or decryption to the file specified
--enable-local-keyservice use local key service
--keyservice value Specify the key services to use in addition to the local one. Can be specified more than once. Syntax: protocol://address. Example: tcp://myserver.com:5000
--help, -h show help
--version, -v print the version