@sylvain_metayer
Où persister la valeur des secrets ?
Installation avec asdf[1]
Depuis 2016
Outil auto-suffisant
Types de fichiers : yaml, json, ini, .env
password: a secure password for DevoxxFR !
password: ENC[AES256_GCM,data:vv0VXbgir3gJtT9YOoVhnT95N5+KRHuYpoOfdQYGLdk=,iv:XtbwtPMpH4DlnMfjR4T/4/f9beYsQm5pD3ILNZhoePw=,tag:a3Z4HV7+PmmFBVfOSvmjxw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16rspnzt6j2qxa2587t6umh9qykrqu2amrr0hx9xt2z7elyky3a3q4p5s7l
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArU3JTUi95ZW1ZS0FsRUt6
dklXOWRuY0k3clRGc2hzcW90UCtvTTRJazFjCkxMNEJYYzE4c1dMYW8wWDNwSk12
clhCK25RbWZzc1laT0Nib1dFVnIyc0EKLS0tIHJCS3Z1Y0ZMWFp1RzdkSG8reE55
NFhQR2VWTFcwMkhoMEpjOUxWbXVCdkEKs+47mS6jYpm5LYlq+NEIOwpqvyLtfsyS
FmyNQh3Ob1CL/1iNaCQsZeFV/k763AIJ4JT6M2hdiQCoVNNJUBwrXw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-20T14:58:16Z"
mac: ENC[AES256_GCM,data:FtB13XmEsP7Tx0FUSAPTfwQo9fbzLuvaJ78B2aagdbPtnAJ6n+GPZ7xqqCYdZdCBDUfipqeO3PQWJGJIuzu7BqWJ1fvcS0fq4127PWthx0JJlvJUhBanKQE+KS45PRZW+FISpJqC4duIbrMxUDkhNW8F++ibIVHdAWKetesbnFY=,iv:eCmAuob0rAcPo3TJ4ssDzHZ8oGKn5xj1798mvCcMqYQ=,tag:gmEZo4W0ni6luJDZapTQeg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
Chiffrement avec age[1]
Exemple de clé age
$ age-keygen
# created: 2024-03-08T15:17:28+01:00
# public key: age14trf5fvhkppd8suunru9mg7dkk9r6ndzwc7tnw45yufs2j9h3u9qqwttxu
AGE-SECRET-KEY-1RM9QASYLNVDQ48HDY5ST7RUXX4LFWPR6PTUHUFG7N5RYUG0PNLLSG6D70R
sops --age \
age14trf5fvhkppd8suunru9mg7dkk9r6ndzwc7tnw45yufs2j9h3u9qqwttxu \
secrets.yaml
sops -e -i --age \
age14trf5fvhkppd8suunru9mg7dkk9r6ndzwc7tnw45yufs2j9h3u9qqwttxu \
secrets.yaml
sops -e -i --encrypted-suffix password --age \
age14trf5fvhkppd8suunru9mg7dkk9r6ndzwc7tnw45yufs2j9h3u9qqwttxu \
secrets.yaml
export SOPS_AGE_KEY_FILE=/path/to/my/private/key
sops -d secrets.yaml
sops secrets.yaml
⚠️ | Il est nécessaire d’avoir accès à la clé privée pour éditer le fichier |
EDITOR="code --wait" sops secrets.yaml
💡 | --wait : Wait for the files to be closed before returning. |
$ sops exec-env 01-sops-file.yaml 'echo $password'
a secure password for DevoxxFR !
sops -r -i --add-age PUB_KEY,PUB_KEY2 secrets.yaml
sops -r -i --rm-age PUB_KEY secrets.yaml
creation_rules:
- path_regex: .*\.?dev\.yaml
encrypted_suffix: 'password'
key_groups:
- age:
- age1pcutm2ytcnn5t2zpj4dvvqhzxw5dcj0gfqplevtev7h8j9hf397s22uacq
- age1248xnnj285mc759u43dv99fzlkgpf82khtm7jzepet70hnz33u2sln6v5a
- path_regex: .*\.?prod\.yaml
key_groups:
- age:
- age1pcutm2ytcnn5t2zpj4dvvqhzxw5dcj0gfqplevtev7h8j9hf397s22uacq
./demo.sh
$ git diff 34526..3933
diff --git a/code/recipients/example-diff-secrets.yaml b/code/recipients/example-diff-secrets.yaml
index be346d4..7210f74 100644
--- a/code/recipients/example-diff-secrets.yaml
+++ b/code/recipients/example-diff-secrets.yaml
@@ -1,21 +1,21 @@
-password: ENC[AES256_GCM,data:EuHISKWakII=,iv:1i5ZMWseSJpcZoPdkdhNHaytlapMD5J4MmYJDSjPetA=,tag:SleSVvjR9arBbVIpUeFC5Q==,type:str]
+password: ENC[AES256_GCM,data:RlVe+IAXalyz75NeVqsS64gqRQ==,iv:dq/Yd+25rH2a9pXHYMQ4Qs1qxDPcO5JCIL1TlT+yxG4=,tag:Es0gSsnabjyx4UcHiN91eA==,type:str]
[...]
$ git config diff.sopsdiffer.textconv "sops -d"
$ cat .gitattributes
code/recipients/example-diff-secrets.yaml diff=sopsdiffer
$ git diff 34526..3933
diff --git a/code/recipients/example-diff-secrets.yaml b/code/recipients/example-diff-secrets.yaml
index be346d4..7210f74 100644
--- a/code/recipients/example-diff-secrets.yaml
+++ b/code/recipients/example-diff-secrets.yaml
@@ -1 +1 @@
-password: password
+password: ThisIsARealPassword