Secret management using SOPS!
We all have workloads that connect to a database, upload objects to a bucket at a cloud provider like GCP, AWS or Azure, or use RSA keys. Usually these credentials are stored as JSON or YAML files that the application reads at start-up.
Keeping secrets in plain text is a bad practice. Unencrypted secrets that are leaked or stolen can cause serious damage to a company's business and lead to loss of data. To avoid this, it is very important to encrypt all the secrets used by your application; this prevents leakage of sensitive information even if the file itself is stolen. This is where SOPS comes in.
SOPS
SOPS is a tool that encrypts files using keys generated in AWS, Azure or GCP and has direct integration with buckets to store the encrypted files. SOPS reads its settings from a .sops.yaml configuration file. In this article we will see how to use SOPS with AWS to encrypt a file, store it in S3 and decrypt it again.
First we will install SOPS on Ubuntu. The latest releases can be found here.
wget https://github.com/mozilla/sops/releases/download/v3.7.3/sops_3.7.3_amd64.deb
sudo dpkg -i sops_3.7.3_amd64.deb
sops --help
Create a JSON file, secrets.json, that holds your application secrets:
{
  "HOSTNAME": "https://domain.com",
  "PORT": "5000",
  "HOME": "/root",
  "secret": "secret_value"
}
Create a custom key in AWS KMS: go to KMS -> Create key, choose SYMMETRIC_DEFAULT as the key type and "Encrypt and decrypt" as the key usage.
It's time to encrypt the above JSON file. As we are using AWS KMS, copy the ARN of the key into the SOPS_KMS_ARN environment variable:
export SOPS_KMS_ARN="arn:aws:kms:ap-south-1:<>"
sops -e secrets.json > secrets_enc.json
Create the sops configuration file
- Create a directory where you want to store your secrets:
mkdir app-secrets && cd app-secrets && vi .sops.yaml
- Create a bucket in S3; in our example the bucket name is config.
- Paste the following contents into .sops.yaml:
destination_rules:
  - s3_bucket: "config"
Publish the file to S3
- The sops publish command uploads the encrypted file to S3.
- This command can only be run in the folder where the .sops.yaml file is present.
Decrypting the file
To deploy the secret to the application, you must decrypt it. Again, the SOPS CLI is here to help:
sops -d secrets_enc.json > secrets_dec.json
CLIMAX
Now that we have understood how to use sops with AWS, we can combine these steps and use them in our CI/CD pipeline, or keep the settings file encrypted even in the version control system. SOPS makes this process painless and has a wide variety of integrations with third-party tools.
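As an added example (not code from the original post or from the SOPS project), here is a small pre-commit style check that refuses a secrets file unless every value carries the ENC[AES256_GCM,...] envelope SOPS writes and the sops metadata names the KMS key you expect; SOPS only encrypts values, so keys stay readable, and this check catches a plaintext secrets.json slipping into version control or an S3 publish. The sample documents and the KMS ARN are constructed.

```python
import json
import re
import sys
from typing import Any, Iterator, Tuple

# Shape of a value SOPS has encrypted: AES256_GCM with base64 data, iv and tag, plus the original type.
ENC_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:(str|int|float|bool|comment)\]$"
)

# Constructed ARN; replace with the key from your own SOPS_KMS_ARN.
KMS_ARN = "arn:aws:kms:ap-south-1:000000000000:key/11111111-2222-3333-4444-555555555555"


def _leaves(node: Any, suffix: str, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (path, value) for every scalar SOPS is expected to have encrypted."""
    if isinstance(node, dict):
        for key, value in node.items():
            # Skip the metadata block and keys SOPS deliberately leaves in clear (default suffix _unencrypted).
            if (path == "" and key == "sops") or key.endswith(suffix):
                continue
            yield from _leaves(value, suffix, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, suffix, f"{path}[{index}]")
    else:
        yield path, node


def check_sops_encrypted(doc: dict, expected_kms_arn: str) -> list:
    """Return a list of problems; an empty list means the file is safe to commit or publish."""
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        return ["no sops metadata block: file is plaintext"]
    problems = []
    if not ENC_VALUE.match(str(meta.get("mac", ""))):
        problems.append("sops.mac missing or not encrypted")
    arns = [entry.get("arn") for entry in (meta.get("kms") or [])]
    if expected_kms_arn not in arns:
        problems.append(f"expected KMS key not in sops.kms: {arns}")
    for path, value in _leaves(doc, meta.get("unencrypted_suffix", "_unencrypted")):
        if not (isinstance(value, str) and ENC_VALUE.match(value)):
            problems.append(f"plaintext value at {path}")
    return problems


# Constructed sample documents: one as SOPS would write it, one still in clear.
ENCRYPTED_DOC = {
    "HOSTNAME": "ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]",
    "PORT": "ENC[AES256_GCM,data:NTAwMA==,iv:YmFy,tag:YmF6,type:str]",
    "sops": {"kms": [{"arn": KMS_ARN, "created_at": "2022-01-01T00:00:00Z", "enc": "CONSTRUCTED"}],
             "mac": "ENC[AES256_GCM,data:bWFj,iv:YmFy,tag:YmF6,type:str]",
             "unencrypted_suffix": "_unencrypted", "version": "3.7.3"},
}
PLAINTEXT_DOC = {"HOSTNAME": "https://domain.com", "secret": "secret_value"}

if __name__ == "__main__":
    # Usage: python check_sops.py secrets_enc.json ; exits non-zero if anything is in clear.
    with open(sys.argv[1]) as fh:
        found = check_sops_encrypted(json.load(fh), KMS_ARN)
    print("\n".join(found) or "ok")
    sys.exit(1 if found else 0)
```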
REFERENCES
Saiprasanth R,