Enhance the security of your Kubernetes and Helm charts by using Age and SOPS for managing sensitive data. Age (pronounced "ah-geh") generates keys that SOPS uses to encrypt YAML and JSON files. This setup automates decryption upon checkout and re-encryption upon check-in, seamlessly integrating with Git workflows. With Age and SOPS, you can ensure secure and efficient secret management in your Git repositories.
- Bash: The command-line shell used to execute scripts and automate tasks.
- Age: For key generation and encryption.
- SOPS: To encrypt and decrypt YAML and JSON files.
- Git: For version control and workflow integration.
- Basic regex knowledge: Useful for configuring patterns in encryption rules.
A common requirement may be to encrypt only specific keys, like usernames and passwords, while keeping the rest of the file visible in the Git repository. Unlike git-crypt
, which encrypts entire files, this approach ensures that only sensitive information is hidden, leaving non-sensitive data accessible.
For added security, consider setting up Git hooks to automatically decrypt files on checkout and encrypt them on check-in. Additionally, using an encrypted hard drive is recommended to protect sensitive data at rest.
sudo add-apt-repository ppa:git-core/ppa
sudo apt update
sudo apt install age, git, sops
The provided installation commands should work for Ubuntu 18.04 (Bionic Beaver) and later versions, such as 20.04 (Focal Fossa), 22.04 (Jammy Jellyfish), and newer.
This is the recommended method for generating keys with Age for use with SOPS:
age-keygen
Be sure to save both keys in your password manager!
Or you can also save the credentials in a file (encrypted hard drive recommended):
mkdir -p ~/.config/sops/age/
age-keygen -o ~/.config/sops/age/key.txt
Edit the file named ~/.sops.yaml
and add your Age public key:
creation_rules:
- encrypted_regex: '^(user.*|pass.*)$'
filename_regex: '\.(yaml|yml|json)$'
key_groups:
- age:
- <YOUR_AGE_PUBLIC_KEY>
stores:
yaml:
indent: 2
json:
indent: 2
Create or edit a file named test.yaml
:
version: 1.0.0
username: abcd
password: abcd
Encrypt in place:
sops --config ~/.sops.yaml -e -i test.yaml
Show the contents of the encrypted file:
cat test.yaml
version: 1.0.0
username: ENC[AES256_GCM,data:Xok...==,iv:E+A...=,tag:1jN...==,type:str]
password: ENC[AES256_GCM,data:I7I...==,iv:LnU...=,tag:gwD...==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1xq6...
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWd...==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-15T12:23:25Z"
mac: ENC[AES256_GCM,data:1Nb...=,iv:xLG...=,tag:lze...==,type:str]
pgp: []
encrypted_regex: ^(user.+|pass.+)$
version: 3.9.0
It has some necessary overhead at the end.
Decrypt to plain text in place (requires the Age secret key):
export SOPS_AGE_KEY=AGE-SECRET-KEY-1EG...
sops --config ~/.sops.yaml -d -i test.yaml
Note the -d
for decrypt instead of -e
for encrypt!
You can omit the first export line of the environment variable if you have the file ~/.config/sops/age/key.txt
.
Show the contents of the plain text file:
cat test.yaml
version: 1.0.0
username: abcd
password: abcd
A local Git hook is a script that automatically executes predefined actions on your repository during specific Git events, such as commits, merges, or pulls.
Follow these steps to activate the Git hooks:
mkdir -p ~/.githooks/
git config --global core.hooksPath ~/.githooks
cd # go to your home directory or wherever you want
git clone https://github.com/bor8/sops-and-git
cd sops-and-git
cp ./.githooks/ ~/
You can now securely push YAML or JSON files to Git, and they will be automatically encrypted. When you check them out, they will be automatically decrypted. To encrypt other or additional keys, update the ~/.sops.yaml
file.
Here are additional instructions for using the Git aliases to explicitly encrypt and decrypt files:
-
Configure Git Aliases
Open your terminal and run the following commands to set up the aliases:
git config --global alias.encrypt '!encrypt() { ~/.githooks/encrypt_files.sh; }; encrypt' git config --global alias.decrypt '!decrypt() { ~/.githooks/decrypt_files.sh; }; decrypt'
-
Encrypt Files
To encrypt files in your repository, run:
git encrypt
This command executes the
encrypt_files.sh
script located in your~/.githooks
directory, encrypting the specified files. -
Decrypt Files
To decrypt files in your repository, run:
git decrypt
This command executes the
decrypt_files.sh
script located in your~/.githooks
directory, decrypting the specified files.
- Ensure that the
encrypt_files.sh
anddecrypt_files.sh
scripts are executable and properly configured in the~/.githooks
directory. - These scripts should handle the specific encryption and decryption logic for your YAML, YML, and JSON files.
By following these instructions, you can easily encrypt and decrypt files in your Git repository using simple Git commands.