Notes SOPS
See:
See also:
- GPG
- HashiCorp Vault
# age-keygen -o ~/.config/sops/age/keys.txt
$ age-keygen -o "${HOME}"/private-key
Public key: age1p6svvezfcg3jz33d0ynd27n3j72p7tjrqxdkssmwsvph7ct3y44qxvv8s7
source <(sops completion bash)
# SOPS variables
export SOPS_AGE_KEY_FILE="${HOME}/private-key"
# Ansible variables
export ANSIBLE_SOPS_AGE_KEYFILE="$SOPS_AGE_KEY_FILE"
# Public key
export SOPS_AGE_RECIPIENTS=age1p6svvezfcg3jz33d0ynd27n3j72p7tjrqxdkssmwsvph7ct3y44qxvv8s7
With GPG
# Get the fingerprint of our key
gpg --list-keys
# Export the fingerprint
export SOPS_PGP_FP="<YOUR FINGERPRINT>"
Usage
sops --encrypt --encrypted-regex '^(password|apiKey)$' --in-place ./secrets.yaml
sops -e secrets.yaml > secrets.enc.yaml
sops -d secrets.enc.yaml > secrets.decrypted.yaml # Not recommended: leaves the plaintext on disk
sops edit secrets.yaml
sops set plop.yaml '["user1"]["password"]' '"P@ssw0rd"'
sops unset plop.yaml '["user1"]'
sops encrypt --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml
sops decrypt mynewtestfile.yaml
sops -d mynewtestfile.yaml
# Encrypt from stdin (JSON)
echo '{"secret": "from-stdin"}' | sops encrypt --input-type json --output-type json /dev/stdin
# Write the result to a file
sops decrypt secrets.enc.yaml --output secrets.yaml
Rotate / rekey
sops rotate -i example.yaml
Rekey
sops updatekeys -y secrets.enc.yaml
Unless SOPS_AGE_KEY_FILE is set, SOPS looks for keys.txt in $XDG_CONFIG_HOME/sops/age/keys.txt and falls back to $HOME/.config/sops/age/keys.txt if $XDG_CONFIG_HOME isn't set.
Cloud
sops -e --kms arn:aws:kms:us-west-2:123456789012:key/your-key-id secrets.yaml > secrets.enc.yaml
Config
.sops.yaml
# creation rules are evaluated sequentially, the first match wins
creation_rules:
  # upon creation of a file that matches the pattern *.dev.yaml,
  # this age recipient is used
  - path_regex: \.dev\.yaml$
    age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla'
  # prod files use this age recipient
  - path_regex: \.prod\.yaml$
    age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla'

creation_rules:
  # Prod: only encrypt the secret values
  - path_regex: 'prod/.*'
    age: age1abc...
    encrypted_regex: '^(password|token|secret|key)$'
  # Dev: encrypt everything
  - path_regex: '.*'
    age: age1abc...
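A pre-commit style check for the prod rule above, added here as an example that is not part of these notes or of SOPS itself: it verifies that every top-level key matching the encrypted_regex carries an ENC[...] value and that the file has a sops metadata block, so a plaintext secrets file cannot slip into a commit. It parses only top-level `key: value` lines; the sample files and the age recipient are constructed placeholders.

```shell
#!/usr/bin/env sh
# Constructed sample: what a file encrypted under the prod rule looks like
# (ENC[...] payloads shortened; the real ones are much longer).
SAMPLE_ENC='user: alice
password: ENC[AES256_GCM,data:abc123,iv:AAA=,tag:BBB=,type:str]
token: ENC[AES256_GCM,data:def456,iv:CCC=,tag:DDD=,type:str]
sops:
    age:
        - recipient: age1abc...
'
# Constructed sample: the same file before encryption (must never be committed)
SAMPLE_PLAIN='user: alice
password: P@ssw0rd
token: ghp_example
'

# check_sops_file FILE [REGEX]
# Returns 0 if the file has a sops metadata block and every top-level key
# matching REGEX (default: the prod encrypted_regex) holds an ENC[...] value.
check_sops_file() {
    file=$1
    regex=${2:-'^(password|token|secret|key)$'}
    grep -q '^sops:' "$file" || { echo "$file: no sops metadata block" >&2; return 1; }
    rc=0
    while IFS= read -r line; do
        key=${line%%:*}          # text before the first colon
        value=${line#*:}         # text after it
        value=${value# }         # drop the single separating space
        if printf '%s\n' "$key" | grep -Eq "$regex"; then
            case $value in
                ENC\[*\]) ;;     # encrypted by sops: fine
                *) echo "$file: key '$key' is not encrypted" >&2; rc=1 ;;
            esac
        fi
    done < "$file"
    return $rc
}

# Run both samples through the check; returns 0 only if the encrypted file
# is accepted and the plaintext one is rejected.
demo() {
    enc=$(mktemp); plain=$(mktemp)
    printf '%s' "$SAMPLE_ENC" > "$enc"
    printf '%s' "$SAMPLE_PLAIN" > "$plain"
    check_sops_file "$enc"; enc_rc=$?
    check_sops_file "$plain" 2>/dev/null; plain_rc=$?
    rm -f "$enc" "$plain"
    [ "$enc_rc" -eq 0 ] && [ "$plain_rc" -ne 0 ]
}
demo && echo "check works: encrypted file accepted, plaintext file rejected"
```

Wire `check_sops_file` into a git pre-commit hook over the staged `prod/` files to enforce the rule before anything reaches the repository.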
# Inject the secrets as environment variables
sops exec-env secrets.enc.env 'echo DB_PASSWORD=$DB_PASSWORD'
# DB_PASSWORD=super-secret-123
tech/notes_sops.txt · Last modified: by Jean-Baptiste
