Differences between revisions 3 and 4
Revision 3 as of 2022-08-05 09:20:02
Size: 2812
Editor: PieterSmit
Comment:
Revision 4 as of 2022-09-01 02:41:10
Size: 4155
Editor: PieterSmit
Comment:
Line 75: Line 75:

== Example bash to encrypt and decrypt sops in script ==
 * function to decrypt and cleanup {{{!bash
sops_decrypt_files || { echo "# 🛑 Error sops_decrypt_files"; exit 1; }
sopsfiles=""
#$name/files/config-$env/config-$env-sensitive-sops.json"
#
function sigexit_capture() {
    echo "# === TRAP EXIT sigexit cleanup. ==="
        for f in ${sopsfiles}; do
            if [ -f "${f}.dec" ]; then
                echo "delete sops file ${f}.dec"
                rm "${f}.dec"
            else
                if [ -f "${f}" ]; then
                   echo "skipped missing file ${f}.dec"
                else
                   echo "bug ? file ${f} does not exist."
                fi
            fi
        done
  echo "Good bye."
}
function sops_decrypt_files() {
    for f in ${sopsfiles}; do
        if [ -f "${f}" ]; then
            if [ -f "${f}.dec" ]; then
                echo "sops decrypt skip ${f} found .dec"
            else
                echo "sops decrypt to ${f}.dec"
                sops --decrypt "${f}" > "${f}.dec"
            fi
        else
            echo "sops decrypt error missing ${f}"
            exit 1
        fi
    done
}
#
## Start script
sops_decrypt_files || { echo "# 🛑 Error sops_decrypt_files"; exit 1; }}}}

echo "The End."
# trap will cleanup.
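Review bot: `sigexit_capture` is defined but never registered, so the closing `# trap will cleanup.` does not hold and the plaintext `*.dec` files stay on disk once the script ends; add `trap sigexit_capture EXIT` ahead of the `## Start script` call. The first line of the block also invokes `sops_decrypt_files` before the function exists, which bash reports as "command not found" and exits 1 — presumably a leftover from editing. The redirection `sops --decrypt "${f}" > "${f}.dec"` creates the plaintext file under the caller's default umask and leaves an empty `.dec` behind when sops fails, which the next run then treats as already decrypted; running `umask 077` before the loop and checking the status, e.g. `sops --decrypt "${f}" > "${f}.dec" || { rm -f -- "${f}.dec"; exit 1; }`, addresses both. The `{{{!bash` opener is echoed literally in the rendered page body below, so the wiki code-block markup appears not to be recognized here.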

Security Mozilla Sops Secrets

Install 2022

  • on Mac install sops

    brew install sops
    
    # And helm for k8s if needed
    brew install helm
  • install helm secrets plugin that uses sops

    helm plugin install https://github.com/jkroepke/helm-secrets --version v3.12.0
  • example config

    $ cat .sops.yaml 
    # Note - script for key rotation k8sAzure/az-cli-helm-secret-rotate.sh
    # Note: get latest with $ AZ_KEY="helm-cust1-prd"; az keyvault key list-versions --id https://${AZ_KEY}.vault.azure.net/keys/${AZ_KEY} --query "[0].kid"
    #
    # sops applies the FIRST creation_rule whose path_regex matches the file
    # being encrypted, so the per-customer uat/prd rules are listed before the
    # dev/tst catch-all at the bottom. The trailing hex segment of each
    # azure_keyvault URL pins one key version; rotating the key means updating
    # that segment (see the az keyvault note above). The same PGP fingerprint is
    # listed on every rule as a second master key, so either the Key Vault key or
    # that PGP key can decrypt the file (default single key-group behaviour).
    # The optional "(.dec)?" suffix presumably lets the plaintext working copy
    # written by "helm secrets dec" match the same rule when re-encrypting.
    creation_rules:
    
      # cust1 (and legacy "cust") uat/prd: only values whose key is "password"
      # or ends in "key" are encrypted. Every other rule below has no
      # encrypted_regex and therefore encrypts all values in the file.
      - path_regex: env/(cust1|cust).*/(uat|prd)/secrets.yaml(.dec)?$
        encrypted_regex: '^(password|.*key)$'
        azure_keyvault: "https://helm-cust1-prd.vault.azure.net/keys/helm-cust1-prd/610aa30aa00b4184a07fa9cbb23463ef"
        pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
    
      # cust2 uat/prd: dedicated Key Vault key, all values encrypted.
      - path_regex: env/cust2.*/(uat|prd)/secrets.yaml(.dec)?$
        azure_keyvault: "https://helm-cust2-prd.vault.azure.net/keys/helm-cust2-prd/bb24f66d53f04827915c5b79f3e75a97"
        pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
    
      # cust3 uat/prd: dedicated Key Vault key, all values encrypted.
      - path_regex: env/cust3.*/(uat|prd)/secrets.yaml(.dec)?$
        azure_keyvault: "https://helm-cust3-prd.vault.azure.net/keys/helm-cust3-prd/750724205e5348d89e04b66b11651141"
        pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
    
      # cust4 uat/prd: dedicated Key Vault key, all values encrypted.
      - path_regex: env/cust4.*/(uat|prd)/secrets.yaml(.dec)?$
        azure_keyvault: "https://helm-cust4-prd.vault.azure.net/keys/helm-cust4-prd/ecca09fae61c45bf8ec1e14fee839b0c"
        pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
    
      # cust5 uat/prd: dedicated Key Vault key, all values encrypted.
      - path_regex: env/cust5.*/(uat|prd)/secrets.yaml(.dec)?$
        azure_keyvault: "https://helm-cust5-prd.vault.azure.net/keys/helm-cust5-prd/112647eb61f04d199c69c776a8597965"
        pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
    
      # All dev tst uat
      # NOTE(review): the bare "secrets.yaml" alternative is unanchored and
      # matches any path containing it, including uat/prd paths of customers
      # not listed above; it only behaves as a dev/tst catch-all because the
      # more specific rules are tried first. Anchor it if that is not intended.
      - path_regex: secrets.yaml|env/.*/(dev|tst)/secrets.yaml(.dec)?$
        azure_keyvault: "https://helm-all-dev.vault.azure.net/keys/helm-all-dev/f8b2253f9af2407f8f870052ff2b233f"
        pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
    
      # # Default catch all -filename_regex, or -path_regex with encrypted_regex
      # - azure_keyvault: "https://helm-all-dev.vault.azure.net/keys/helm-all-dev-nomatch/2532969fce7f46aab72a767e854ad9e4"
      #   pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
      #   encrypted_regex: ".*_secret|.*password|.*pin"
    
    
    #The END
  • Script to rotate keys: helm-rotate.sh

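    #!/bin/bash
    # helm-rotate.sh - re-encrypt every sops-managed yaml file in this git repo
    # so that it is sealed with the key currently configured in .sops.yaml.
    # Each file is decrypted with the key recorded inside it (helm secrets dec),
    # encrypted again (helm secrets enc) and the plaintext .dec copy removed.
    set -euo pipefail

    #######################################
    # Decrypt and re-encrypt one file, always removing the plaintext .dec copy.
    # Arguments: $1 - path of a sops-encrypted yaml file
    # Outputs:   progress and the lines that currently reference a key
    # Returns:   exit status of the first failing helm secrets step, else 0
    #######################################
    rotate_file() {
      local f=$1
      local rv=0
      echo "f=$f"
      # Show the key references the file carries before rotation; no match is fine.
      grep -nE 'sops-|helm-|vault\.azure\.net' -- "$f" || true
      helm secrets dec "$f" && helm secrets enc "$f" || rv=$?
      # Plaintext must not linger, even when enc failed part-way.
      rm -f -- "${f}.dec"
      echo
      return "$rv"
    }

    echo "Decrypt and re-encrypt files ..."
    gitroot=$(git rev-parse --show-toplevel)
    # Files under the repo that mention a key; the unquoted glob deliberately
    # skips dot-entries such as .git. -l already lists file names, so -n is not
    # needed. read -r keeps paths with spaces intact.
    while IFS= read -r f; do
      rotate_file "$f"
    done < <(grep -rilE 'sops-|helm-' -- "$gitroot"/* | grep -- 'yaml')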

Example bash to encrypt and decrypt sops in script

  • function to decrypt and cleanup

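sopsfiles=""
#$name/files/config-$env/config-$env-sensitive-sops.json"
#
#######################################
# EXIT-trap cleanup: delete every plaintext "<file>.dec" that
# sops_decrypt_files produced, so secrets do not linger on disk.
# Globals: sopsfiles (read) - whitespace-separated list of encrypted files
#######################################
function sigexit_capture() {
    local f
    echo "# === TRAP EXIT sigexit cleanup. ==="
    # Unquoted on purpose: sopsfiles is a whitespace-separated list.
    for f in ${sopsfiles}; do
        if [ -f "${f}.dec" ]; then
            echo "delete sops file ${f}.dec"
            rm -f -- "${f}.dec"
        elif [ -f "${f}" ]; then
            echo "skipped missing file ${f}.dec"
        else
            echo "bug ? file ${f} does not exist."
        fi
    done
    echo "Good bye."
}
#######################################
# Decrypt every file in sopsfiles to "<file>.dec", skipping files that
# already have a .dec next to them.
# Globals: sopsfiles (read)
# Returns: 0 on success; 1 if an input file is missing or sops fails
#          (a partial .dec is removed so the next run does not skip it)
#######################################
function sops_decrypt_files() {
    local f
    for f in ${sopsfiles}; do
        if [ ! -f "${f}" ]; then
            echo "sops decrypt error missing ${f}"
            return 1
        fi
        if [ -f "${f}.dec" ]; then
            echo "sops decrypt skip ${f} found .dec"
            continue
        fi
        echo "sops decrypt to ${f}.dec"
        # umask in a subshell so the plaintext .dec is created owner-only (0600).
        if ! ( umask 077 && sops --decrypt "${f}" > "${f}.dec" ); then
            rm -f -- "${f}.dec"
            return 1
        fi
    done
}
#
## Start script
# Register the cleanup before decrypting so an early exit still removes .dec files.
trap sigexit_capture EXIT
sops_decrypt_files || { echo "# 🛑 Error sops_decrypt_files"; exit 1; }

echo "The End."
# trap will cleanup.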


CategorySecurity

Security/MozillaSopsSecrets (last edited 2022-09-01 02:42:37 by PieterSmit)