Support for custom IV

[guitmz]

While I know that this is debatable, I have some scenarios where I would not like the file to physically change every time I encrypt it.

As example, if I run sops -e myfile twice, the output is not the same and I would like to have it to be the same.

The use case for this is something similar as git-crypt, where the encryption is deterministic (which is required so git can distinguish when a file has and hasn't changed).

Thanks

[jvehent]

I don't think we want to allow nonce reuse. It's a bad security practice and, in some cases, can be a major security vulnerability.

[jvehent]

The bigger question is why do you reencrypt the file every time with the same values? sops will only change the values that have been changed during your last edit, and indeed will use a new nonce then but only for those specific values, not for the entire file.

[guitmz]

@jvehent what I mean is if I run

$ sops -p MY_KEY -e secret.yaml > file_1

and

$ sops -p MY_KEY -e secret.yaml > file_2

and then

$ diff -q file_1 file_2 Files abc and def differ

The differences are present not only on metadata keys (like lastmodified) but also on other keys that were part of the original file and were not changed between running the two encrypt commands.

The sole propose of this request for me at the moment is achieve transparent git encryption.

Having the IV to be a hash of the original file for example would be unique per file (since the hash of the file pushed to VCS is different because this file will be encrypted), but I do agree with your statement about this being a bad practice.

[jvehent]

this does not work with gpg either, fwiw

$ echo foo > bar
$ cp bar baz
$ gpg -e bar
$ gpg -e baz
$ sha256sum bar.gpg baz.gpg 
df9a2e827d5d6946d40c1c7b25c7bdbfa8f78102f259ebff2b7351d48247b73f  bar.gpg
b0aa36688bd193aa70cefe7019ee4e368390ea7370269dfb0a85eb358c96fc00  baz.gpg

the reason for this is encryption tools generate random data encryption keys for each file, and then encrypt the data key with the private key (for pgp) or kms (for sops kms). Running sops twice with create 2 different data keys that will result in two different files, regardless of what the IV values are.

You should modify your secret.yaml file using sops as an editor instead of recreating the file every time from scratch.

$ sops -p MY_KEY -e secret.yaml > encrypted.yaml
$ git add encrypted.yaml, etc...

then when you want to modify encrypted.yaml, do

$ sops encrypted.yaml

make changes and git commit, it will show the right diff

[elopsod]

Hi @jvehent

make changes and git commit, it will show the right diff

Could you pls suggest how to do this automatically
I mean how make changes without decrypt/encrypt all file
Thank you!