What is Sops?
The official description is short and precise:
SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.
Put more simply, it helps you store sensitive data in a git repository securely.
Requirements
In this tutorial, we’ll use Linux and GPG, but don’t worry if you’re on a different operating system. You can find similar or equivalent tools to accomplish the same tasks.
- The sops binary, available from https://github.com/getsops/sops/releases
- Git tool
- GNU Privacy Guard (GPG)
Short Version
- (Optional) Generate a new GPG key:
gpg --full-generate-key
- Get the GPG fingerprint ID
gpg --list-keys
- Create the .sops.yaml file in the repository with the GPG fingerprint ID of each stakeholder, like below:
creation_rules:
- pgp: 'E9336A338A5FDDED2D1CAECDEA3AC6C7D1722308'
- Encrypt the file using sops, like below:
sops -i -e filename_to_encrypt
Long Story
First of all, you need a PGP key to encrypt and decrypt the data, and you need the fingerprint of each team member or tool that should have access. If you already have a key, you don't need to generate a new one.
(Optional) Generate PGP Key
If you need to generate one, run the command below:
gpg --full-generate-key
While there are a few options, I recommend sticking with RSA for its balance of security and compatibility.
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(14) Existing key from card
Your selection? 1 <---- Select 1
You have the flexibility to choose any key bit size you prefer. That said, I recommend going with 4096 bits for optimal security.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096 <---- Insert 4096
Please select your desired expiration date from the options below.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for?
Provide your complete name, the email address associated with your GitHub account, and a short note about what this key is for.
Real name: <YOUR NAME OR THE ACCOUNT NAME>
Email address: <YOUR EMAIL>
Comment: <A PERSONAL COMMENT FOR THIS KEY>
Next, you'll be prompted to confirm the key generation. Have a strong password/passphrase ready before you confirm, because gpg will ask for one to protect the key.
Get PGP Fingerprint
You then need the PGP fingerprint, which you can get using:
gpg --list-keys
It is printed after the second line of each key entry; below is an example:
Collect the fingerprints of every stakeholder who should be able to encrypt and decrypt the data.
Keep in mind that encrypting the data requires the public key of each stakeholder; you can import a public key with:
gpg --import ...
Create Sops Configuration
Jump into the git repository and create the sops configuration: a file named .sops.yaml in the project root directory, with content like this:
creation_rules:
  - pgp: >-
      E9336A338A5FDDED2D1CAECDEA3AC6C7D1722308,
      A....
List the fingerprint of every stakeholder, separated by commas.
Encrypt and decrypt data
You can encrypt the data in place using the command below:
sops --in-place --encrypt <file path>
The file content will be transformed into an encrypted YAML document.
Below is a quick example of the content:
To decrypt the data you can use the command:
sops --in-place --decrypt <file path>
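As an added example (not part of the original post or of the SOPS project), here is a small POSIX shell check you can wire into a pre-commit hook to confirm that a file really was encrypted before it reaches the repository. It assumes the default SOPS YAML output shape (every value rewritten as an ENC[AES256_GCM,...] scalar plus a plaintext sops: metadata block); the sample files it writes are constructed, not real ciphertexts.

```shell
#!/bin/sh
# Added example, not SOPS project code: reject a YAML file that still carries
# plaintext values. Assumes the default "sops -e" output: each value becomes
# an ENC[AES256_GCM,...] scalar and a plaintext "sops:" block is appended.

# Returns 0 if FILE looks fully encrypted; returns 1 and lists the offending
# lines on stderr if the sops block is missing or any plaintext value remains.
sops_check_encrypted() {
  file="$1"
  if ! grep -q '^sops:' "$file"; then
    echo "$file: no 'sops:' metadata block, file is not encrypted" >&2
    return 1
  fi
  leaks=$(awk '
    /^sops:/ { exit }                  # metadata block is plaintext by design
    /^[ \t]*#/ || /^[ \t]*$/ { next }  # skip comments and blank lines
    {
      line = $0
      sub(/^[ \t]*-[ \t]+/, "", line)                   # drop a list-item dash
      if (line ~ /^ENC\[AES256_GCM,data:/) next         # encrypted list item
      if (match(line, /^[^:]+:[ \t]*/))                 # "key: value" -> value
        line = substr(line, RLENGTH + 1)
      if (line != "" && line !~ /^ENC\[AES256_GCM,data:/)
        print NR ": " $0
    }' "$file")
  if [ -n "$leaks" ]; then
    printf '%s: plaintext values found:\n%s\n' "$file" "$leaks" >&2
    return 1
  fi
}

# Writes constructed sample files (fake ciphertexts) into directory DIR.
write_samples() {
  cat > "$1/good.yaml" <<'EOF'
db:
  user: ENC[AES256_GCM,data:Q2a1,iv:Zz9,tag:T7k,type:str]
  password: ENC[AES256_GCM,data:Hs8p,iv:Q1w,tag:Lm2,type:str]
tokens:
  - ENC[AES256_GCM,data:Xy4r,iv:Bn6,tag:Cv3,type:str]
sops:
  pgp:
    - fp: E9336A338A5FDDED2D1CAECDEA3AC6C7D1722308
EOF
  # someone edited the decrypted file and forgot to re-encrypt one value
  sed 's/password: ENC.*/password: hunter2/' "$1/good.yaml" > "$1/leak.yaml"
  printf 'db:\n  password: hunter2\n' > "$1/plain.yaml"   # never encrypted
}

dir=$(mktemp -d); write_samples "$dir"      # usage over the constructed samples
sops_check_encrypted "$dir/good.yaml" && echo "good.yaml: ok"
sops_check_encrypted "$dir/leak.yaml" || echo "leak.yaml: rejected"
```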
For more information, configuration options, and documentation, see https://github.com/getsops/sops/.