posts/secret-encryption-sops/ #276
giscus[bot]
bot
Replies: 3 comments 3 replies
-
|
For anyone stuck with the "cat | grep " ...
... consider using something a bit older and simpler:
... I think that the expression is looking for only the crypttext of the public key, so this should work (and work on Unix-like systems of an AT&T style, unchanged BSD-style (Mac), and should still work on GNU-extended dialects (linux)). I know, I get some ribbing for using AWK, but it still works, nicely replaces the cat|grep, and typically needs no install outside of distress images. |
Beta Was this translation helpful? Give feedback.
-
|
Alternatively, I got it working with this:
I was getting an error for the -P flag with grep and the |
Beta Was this translation helpful? Give feedback.
-
|
So.. grep does a cat, you don’t need them both. ..or use awk… |
Beta Was this translation helpful? Give feedback.
-
|
There is already published a pre-commit hook for this with source code on GitHub - https://github.com/koss822/misc/tree/master/Kubernetes/sops |
Beta Was this translation helpful? Give feedback.
-
|
I've had this working for a while now with no issue, but all of a sudden I went to browse my secrets file in vscode and I get the error "Could not decrypt SOPS file [filename]: Could not decrypt file: [filename], MAC mismatch. File has [MAC]". Any idea what I need to do to get it working again in vscode? I'm scared to mess with it in case I lose my secrets file completely. |
Beta Was this translation helpful? Give feedback.
-
|
I ended up re-encrypting a separate copy of the decrypted file and overwriting the broken version. Seems to be working fine now. |
Beta Was this translation helpful? Give feedback.
-
posts/secret-encryption-sops/
Committing secrets to your Git Repo can expose information like passwords, access tokens, and other types of sensitive information.Some might think that committing secrets to a private Git Repo is OK, but I am here to tell you it’s not.If you’re going to commit secrets to a git repo, private or public, you should encrypt them first using Mozilla SOPS (Secret Operations) and AGE.SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.Age is a simple, modern, and secure file encryption tool, format, and build using Go.It can encrypt and decrypt your files making then safe enough to commit to your Git repos!
https://technotim.live/posts/secret-encryption-sops/
Beta Was this translation helpful? Give feedback.
All reactions