
Allow age decryption directly from environment variable #946

Closed

Conversation

rnijveld

@rnijveld rnijveld commented Oct 7, 2021

One of the things we noticed when using age for encryption/decryption is that the current sops implementation requires us to first store the private key on disk before we can decrypt secrets. Unfortunately with modern file systems and on SSDs we cannot ensure that the secret key data is fully removed if it was ever on disk.

This pull request adds some code that allows specifying the contents of the age keyfile as an environment variable, thus preventing secret keys from ever having to be stored on disk.


p0bailey commented Dec 6, 2021

I would love this feature, especially when it comes to automation. Having the secret key exposed as an environment variable would simplify the workflow and especially won't leave the key.txt file hanging around. Great stuff @rnijveld

env:
  SOPS_SECRET_KEY: ${{ secrets.sops_secret_key }}

For the records, I have compiled a sops custom version with Ruben's code and it works like a charm.


p0bailey commented Dec 7, 2021

Hi @rnijveld,
your patch works fine within sops itself opening an encrypted file (sops secrets.yaml) where SOPS_AGE_KEY is exported as an env variable as shown below.

export SOPS_AGE_KEY="AGE-SECRET-KEY-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

However, when I use the sops terraform provider https://github.com/carlpett/terraform-provider-sops the process fails to read the same secrets.yaml file. Quite surprisingly it works using export SOPS_AGE_KEY_FILE="${PWD}/key.txt"

│ Error: Error getting data key: 0 successful groups required, got 0

│ with data.sops_file.secrets,
│ on locals.tf line 2, in data "sops_file" "secrets":
│ 2: data "sops_file" "secrets" {

I hope my feedback will help others struggling with the same problem.

Phillip

ajvb (Contributor) commented Mar 1, 2022

This was resolved with #1006. Thank you though!

ajvb closed this Mar 1, 2022


p0bailey commented Mar 2, 2022

Thanks,

great stuff, really appreciated.

Phillip


p0bailey commented Mar 2, 2022

Hi @ajvb,

any plans for when this would be merged into master?

Phillip

felixfontein (Contributor) commented

develop is merged into master when a release is made.


p0bailey commented Mar 2, 2022

Thanks @felixfontein,

any plans for a new release?

Phillip
