We are trying to setup a repo with sane password storage and not be a big PITA to use. While it is debatable if we want to upload passwords to a git repot at all, we can all agree that we should never upload unencrypted passwords.
In these examples we'll be using sops and age to do the encryption. We wrote some bash scripts
to run as git filters such that on the local filesystem files can be decrypted
and will automatically be encrypted before being committed.
git commits and diffs should work as expected. All secrets stored in git will be encrypted, but the local copies will be in clear text if you have the right key
We admit that using Hashicorp Vault, AWS KMS, or GCP KMS would be the better way to go, but this is for a quick and dirty. Maybe next repo I do is how to set this up w/ a cloud based secrets manager.
-
git inita repo or however you want to create a repo -
Create an
agekey, and export the public-key and make sure to putage-key.txtinto.gitignoreadd public key to repo. NOTICE! This means that thesecrets/age-key.txtneeds to be distributed out of band.
$ age-keygen -o secrets/age-key.txt
$ age-keygen -y -o secrets/public-age-keys.txt secrets/age-key.txt
$ echo "secrets/age-key.txt" >> .gitignore
$ git add secrets/public-age-keys.txt
$ git commit -m "add public key to secrets/"- Copy scripts into a
bin/directory and add to repo
$ mkdir bin
$ wget https://github.com/timball/sops-test/main/bin/encrypt.sh -o bin/encrypt.sh
$ wget https://github.com/timball/sops-test/main/bin/decrypt.sh -o bin/decrypt.sh
$ chmod +x bin/*.sh
$ git add bin/*.sh
$ git commit -m "add encrypt/decrypt sops filters scripts" - add configs to git. This creates a filter named
sop. The%fallows the script to recieve the filename. This has to done to repo each time it's checked out
$ git config --local filter.sops.smudge $(pwd)/bin/decrypt.sh %f
$ git config --local filter.sops.clean $(pwd)/bin/encrypt.sh %f
$ git config --local filter.sops.required true- setup
.gitattributesfor the files that need it
$ echo 'secrets.json filter=sops' > .gitattributes
$ git add .gitattributes
$ git commit -m "add sops filter to secret.json in .gitattributes"- add files and make sure that the in-line secrets are enumerated in
secrets/secrets.regex. right now it is just one line that sops --encrypted-regex uses to decide what fields need to encrypted.
$ echo "passwd|API" > secrets/secrets.regex
$ git add secrets/secrets.regex
$ git add secrets.json
$ git commit -m "add secrets.json and update secrets.regex"🤷 https://technotim.live/posts/rotate-sops-encryption-keys/
- seems to rotate keys on a local repo that has secrets files decrypted all one has to do is create a new key and public key file
$ age-keygen -o secrets/age-key.txt
$ age-keygen -y -o secrets/public-age-keys.txt secrets/age-key.txt
$ touch <secrets file>https://github.com/getsops/sops#showing-diffs-in-cleartext-in-git
the following didn't work and is preserved for future fiddling. As is git diff will spit still useful information.
- for each file that you need a sops differ modify .gitattributes accordingly. name "sopsdiffer" is arbitrary
example.yaml diff=sopsdiffer
- set a git config for the differ
$ git config diff.sopsdiffer.textconv "sops -d"- test
$ git diff example.yamlsops can in-line encrypt secrets for ini, yaml, json, env files. All other files
will be completely encrypted.
you need to update .gitattributes w/ files you want to encrypt
you need to update secrets/secrets.regex w/ the individual regex parts you need need to encrypt
remeber that item #3 git config must be done for each checked out repo
https://blog.gitguardian.com/a-comprehensive-guide-to-sops/
- create a gnupg key w/ no password
- create a ~/.sops.yaml
- edit/encrypte whole files w/
sops <filename> - do bits of file w/
sops --encrypt --in-place --encrypted-regex 'passwd|APIKEY' example.yaml - still need to figure out how to deal w/ this at deploy time?
sops -d <file> - maybe don't use gnupg and use
ageinstead - enc and decrypt using git pre-commit hooks for push and pull to make this automagic?
WANTS:
pre-commit
if $secret-file is new than $enc-file pass $secret-file thru sop and update $enc-file
post-merge
if $enc-file is newer than $secret-file then decrypt w/ sop
git status ignores files that have .enc. versions aka if foo.enc.yaml exists then ignore example.yaml
https://technotim.live/posts/secret-encryption-sops/
https://devops.datenkollektiv.de/using-sops-with-age-and-git-like-a-pro.html