= Security Mozilla Sops Secrets =
 * https://github.com/mozilla/sops
 * Encrypts json/yaml values.

== Install 2022 ==
 * on Mac install sops
{{{
brew install sops
# And helm for k8s if needed
brew install helm
}}}
 * install helm secrets plugin that uses sops
{{{
helm plugin install https://github.com/jkroepke/helm-secrets --version v3.12.0
}}}
 * example config
{{{
$ cat .sops.yaml
# Note - script for key rotation k8sAzure/az-cli-helm-secret-rotate.sh
# Note: get latest with $ AZ_KEY="helm-cust1-prd"; az keyvault key list-versions --id https://${AZ_KEY}.vault.azure.net/keys/${AZ_KEY} --query "[0].kid"
creation_rules:
  - path_regex: env/(cust1|cust).*/(uat|prd)/secrets.yaml(.dec)?$
    encrypted_regex: '^(password|.*key)$'
    azure_keyvault: "https://helm-cust1-prd.vault.azure.net/keys/helm-cust1-prd/610aa30aa00b4184a07fa9cbb23463ef"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
  - path_regex: env/cust2.*/(uat|prd)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-cust2-prd.vault.azure.net/keys/helm-cust2-prd/bb24f66d53f04827915c5b79f3e75a97"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
  - path_regex: env/cust3.*/(uat|prd)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-cust3-prd.vault.azure.net/keys/helm-cust3-prd/750724205e5348d89e04b66b11651141"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
  - path_regex: env/cust4.*/(uat|prd)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-cust4-prd.vault.azure.net/keys/helm-cust4-prd/ecca09fae61c45bf8ec1e14fee839b0c"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
  - path_regex: env/cust5.*/(uat|prd)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-cust5-prd.vault.azure.net/keys/helm-cust5-prd/112647eb61f04d199c69c776a8597965"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
  # All dev tst uat
  - path_regex: secrets.yaml|env/.*/(dev|tst)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-all-dev.vault.azure.net/keys/helm-all-dev/f8b2253f9af2407f8f870052ff2b233f"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
  #
  # Default catch all
-filename_regex, or -path_regex with encrypted_regex # - azure_keyvault: "https://helm-all-dev.vault.azure.net/keys/helm-all-dev-nomatch/2532969fce7f46aab72a767e854ad9e4" # pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67" # encrypted_regex: ".*_secret|.*password|.*pin" #The END }}} * Script to rotate keys helm-rotate.sh {{{ #!bash #!/bin/bash echo "Decrypt and re-encrypt files ..." gitroot=$(git rev-parse --show-toplevel) for f in $(grep -irnl "sops-\|helm-" $gitroot/* | grep "yaml"); do echo "f=$f" grep -n "sops-\|helm-\|vault.azure.net" $f helm secrets dec $f helm secrets enc $f rm $f.dec echo done }}} == Example bash to encrypt and decrypt sops in script == * function to decrypt and cleanup {{{ sops_decrypt_files || { echo "# 🛑 Error sops_decrypt_files"; exit 1; } sopsfiles="" #$name/files/config-$env/config-$env-sensitive-sops.json" # function sigexit_capture() { echo "# === TRAP EXIT sigexit cleanup. ===" for f in ${sopsfiles}; do if [ -f "${f}.dec" ]; then echo "delete sops file ${f}.dec" rm "${f}.dec" else if [ -f "${f}" ]; then echo "skipped missing file ${f}.dec" else echo "bug ? file ${f} does not exist." fi fi done echo "Good bye." } function sops_decrypt_files() { for f in ${sopsfiles}; do if [ -f "${f}" ]; then if [ -f "${f}.dec" ]; then echo "sops decrypt skip ${f} found .dec" else echo "sops decrypt to ${f}.dec" sops --decrypt "${f}" > "${f}.dec" fi else echo "sops decrypt error missing ${f}" exit 1 fi done } # ## Start script sops_decrypt_files || { echo "# 🛑 Error sops_decrypt_files"; exit 1; }}}} echo "The End." # trap will cleanup. ---- CategorySecurity