Using the sops command for managing secrets (with examples)
The sops command, short for Secrets OPerationS, is a tool for keeping secrets in version control safely. It encrypts the values of YAML, JSON, INI, ENV and binary files while leaving keys and structure readable, so encrypted files can still be reviewed and diffed in git. Each file is encrypted with its own data key, and that data key is in turn encrypted with one or more master keys (AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault, age or PGP), which is what makes rotating the data key cheap. In this article we walk through common use cases of the sops command with examples.
Use Case 1: Encrypting a file
sops -e path/to/myfile.json > path/to/myfile.enc.json
Motivation: Secrets such as database passwords and API tokens should never sit in plaintext in a repository. sops encrypts every value in the file, so the encrypted copy can be committed while the keys, and therefore the shape of the configuration, stay reviewable.
Explanation: The -e (--encrypt) flag tells sops to encrypt the file given as path/to/myfile.json. sops infers the format from the extension (.json here) and needs at least one master key to wrap the data key: a matching creation_rules entry in .sops.yaml, a flag such as --kms, --pgp or --age, or the corresponding SOPS_* environment variable. Without one the command fails. The encrypted document is written to stdout, so it is redirected into myfile.enc.json (alternatively, -i/--in-place rewrites the input file).
Example Output: myfile.enc.json has the same keys as myfile.json, but every value is replaced by a string of the form ENC[AES256_GCM,data:...,iv:...,tag:...,type:str], and a new top-level sops object records the data key encrypted under each master key, a lastmodified timestamp, a mac over the values and the sops version. Note that the plaintext myfile.json is still on disk: remove it, and make sure it is not committed alongside the encrypted copy.
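As an added check that is not part of sops itself: the script below reads a *.enc.json file and confirms it really is encrypted before it is committed, the kind of guard a pre-commit hook would run. It assumes only the shape of a sops output file described above (ENC[...] leaf values and a top-level sops metadata object) and performs no cryptography. The sample document, its base64 fields and the age recipient are constructed filler, and the default _unencrypted suffix rule is the only opt-out it models (encrypted_regex and similar settings are out of scope).

```python
import base64
import json
import re

# Shape of a value after `sops -e`: four comma-separated fields inside ENC[...].
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,"
    r"data:(?P<data>[A-Za-z0-9+/=]*),"
    r"iv:(?P<iv>[A-Za-z0-9+/=]+),"
    r"tag:(?P<tag>[A-Za-z0-9+/=]+),"
    r"type:(?P<type>str|int|float|bool|comment)\]$"
)

MASTER_KEY_BACKENDS = ("kms", "gcp_kms", "azure_kv", "hc_vault", "age", "pgp")


def parse_enc(value):
    """Split a sops ENC[...] string into its fields; None if it is not one."""
    m = ENC_RE.match(value) if isinstance(value, str) else None
    if m is None:
        return None
    fields = m.groupdict()
    try:
        # Every binary field must be valid base64 (binascii.Error is a ValueError).
        tag = base64.b64decode(fields["tag"], validate=True)
        base64.b64decode(fields["iv"], validate=True)
        base64.b64decode(fields["data"], validate=True)
    except ValueError:
        return None
    if len(tag) != 16:  # AES-GCM authentication tags are 16 bytes
        return None
    return fields


def plaintext_leaves(node, unencrypted_suffix="_unencrypted", path=""):
    """Yield paths of scalar values that are not sops ciphertext.

    Follows sops's default rules: the top-level `sops` object is metadata and
    stays in cleartext, and a key ending in `unencrypted_suffix` leaves its
    whole subtree unencrypted on purpose.
    """
    if isinstance(node, dict):
        for key, child in node.items():
            if path == "" and key == "sops":
                continue
            if key.endswith(unencrypted_suffix):
                continue
            yield from plaintext_leaves(child, unencrypted_suffix,
                                        f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from plaintext_leaves(child, unencrypted_suffix, f"{path}[{i}]")
    elif node is None:
        return  # assumption for this check: a null value carries no secret
    elif parse_enc(node) is None:
        yield path


def check_sops_json(text):
    """Return (ok, problems) for the text of a file written by `sops -e`."""
    doc = json.loads(text)
    meta = doc.get("sops") if isinstance(doc, dict) else None
    if not isinstance(meta, dict):
        return False, ["missing top-level `sops` metadata object"]
    problems = []
    if parse_enc(meta.get("mac")) is None:
        problems.append("sops.mac missing or malformed: integrity cannot be verified")
    if not any(meta.get(b) for b in MASTER_KEY_BACKENDS):
        problems.append("no master key entry in sops metadata: nobody can decrypt this")
    problems += [f"plaintext value at {p}" for p in plaintext_leaves(doc)]
    return (not problems), problems


# Constructed sample of a *.enc.json with one value hand-edited back into the
# clear. Base64 fields are filler, not real ciphertext; the age recipient is fake.
IV_FILL = "A" * 43 + "="    # 32 bytes, base64
TAG_FILL = "A" * 22 + "=="  # 16 bytes, base64: the GCM tag length


def enc_value(data_b64, typ="str"):
    return f"ENC[AES256_GCM,data:{data_b64},iv:{IV_FILL},tag:{TAG_FILL},type:{typ}]"


SAMPLE_ENC_JSON = json.dumps({
    "db": {"user": enc_value("YWRtaW4="), "password": "hunter2"},
    "an_array": [enc_value("Zmlyc3Q="), enc_value("c2Vjb25k")],
    "port": enc_value("NTQzMg==", "int"),
    "region_unencrypted": "eu-west-1",
    "sops": {
        "kms": None, "gcp_kms": None, "azure_kv": None, "hc_vault": None,
        "age": [{"recipient": "age1constructedrecipient",
                 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nY29uc3RydWN0ZWQ=\n-----END AGE ENCRYPTED FILE-----\n"}],
        "pgp": None,
        "lastmodified": "2024-01-01T00:00:00Z",
        "mac": enc_value("bWFj"),
        "version": "3.8.1",
    },
}, indent=2)

if __name__ == "__main__":
    ok, problems = check_sops_json(SAMPLE_ENC_JSON)
    print("OK" if ok else "REJECT:\n  " + "\n  ".join(problems))
```

Run against the sample it rejects the file with `plaintext value at db.password`, which is exactly the failure mode a hook should catch: someone opened the encrypted file in a plain editor instead of `sops` and pasted a value in the clear. The check is structural only; a MAC verification still requires the master key and is left to `sops -d`.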
Use Case 2: Decrypting a file to stdout
sops -d path/to/myfile.enc.json
Motivation: Often you want to read an encrypted file without modifying it, for example to check a value or to feed it to another command through a pipe.
Explanation: The -d (--decrypt) flag tells sops to decrypt path/to/myfile.enc.json. sops unwraps the data key with whichever master key you hold, verifies the mac stored in the sops metadata (refusing with a MAC mismatch error if any encrypted value was altered), decrypts the values and prints the resulting document to stdout. The file on disk is unchanged.
Example Output: The original contents of myfile.json appear on the console. Because they are plaintext secrets, avoid running this in a shared terminal or one whose scrollback is logged, and prefer piping the output straight to the consumer.
Use Case 3: Rotating data keys for a sops file
sops -r path/to/myfile.enc.yaml
Motivation: Rotating the data key limits how much ciphertext any one key protects and is the natural follow-up to removing a master key or a person's access.
Explanation: The -r (--rotate) flag makes sops generate a fresh data key, re-encrypt every value in path/to/myfile.enc.yaml with it, and encrypt the new data key under each configured master key. As with -e and -d, the result goes to stdout unless -i (--in-place) is given. Rotation changes only the data key; to change which master keys can open the file, combine it with --add-kms, --rm-kms, --add-pgp, --rm-pgp, --add-age or --rm-age.
Example Output: myfile.enc.yaml carries new ciphertext for every value and an updated sops metadata block. Earlier revisions in version control still decrypt with the old data key and the old master keys, so rotation does not retroactively protect a file whose master key was compromised; in that case treat the secrets themselves as exposed and change them.
Use Case 4: Changing the extension of the file once encrypted
sops -d --input-type json path/to/myfile.enc.json
Motivation: sops chooses its parser from the file extension, so an encrypted file that was renamed after encryption (say to secrets.enc or secrets.sops) would be read as a binary blob and its sops metadata would not be found. --input-type lets you name the real format instead of relying on the extension.
Explanation: -d decrypts the file as before. --input-type json tells sops to parse the input as JSON regardless of what the extension says (yaml, dotenv and binary are among the other accepted values). The companion --output-type flag chooses the format of the decrypted output, which is also how you convert between formats on the fly. For path/to/myfile.enc.json the flag is redundant, because the .json suffix already selects the JSON parser; it matters once the name no longer ends in a recognised extension.
Example Output: The decrypted contents of myfile.enc.json are printed to the console as JSON.
Use Case 5: Extracting specific keys or array elements
sops -d --extract '["an_array"][1]' path/to/myfile.enc.json
Motivation: Scripts often need a single value, such as a password, rather than the whole document, and printing only that value keeps the other secrets off stdout.
Explanation: -d decrypts the file, and --extract takes a path in bracket notation: ["key"] selects a map key, [n] selects an array element (0-based), and segments are chained for nesting, for example '["db"]["password"]'. The path '["an_array"][1]' therefore selects the second element of an_array. Note that sops still reads and decrypts the whole document and verifies its mac; --extract only restricts what is printed, so you need the same master-key access as for a full decrypt. Quote the path so the shell does not interpret the brackets and quotes.
Example Output: A scalar is printed as its raw value; if the path selects a map or array, that subtree is printed in the output format (JSON here).
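As an added example, not code from sops: the functions below re-implement the bracket path syntax that --extract accepts, so the selection rules can be exercised offline against an already-decrypted document. The constructed dict stands in for what sops -d would produce (real use needs the master keys); only the two segment forms ["key"] and [n] are modelled, and render() approximates how a scalar versus a subtree is printed rather than reproducing sops's output code.

```python
import json
import re

# One --extract segment: ["quoted map key"] or [array index].
SEGMENT_RE = re.compile(r'\[(?:"([^"]*)"|(\d+))\]')


def parse_extract_path(path):
    """'["an_array"][1]' -> ['an_array', 1]. Raises ValueError if malformed."""
    parts, pos = [], 0
    while pos < len(path):
        m = SEGMENT_RE.match(path, pos)
        if m is None:
            raise ValueError(f"malformed segment at offset {pos}: {path[pos:]!r}")
        key, index = m.groups()
        parts.append(int(index) if index is not None else key)
        pos = m.end()
    if not parts:
        raise ValueError("empty extract path")
    return parts


def extract(doc, path):
    """Walk `doc` along `path`; return the selected scalar or subtree."""
    node = doc
    for depth, part in enumerate(parse_extract_path(path)):
        if isinstance(part, int):
            if not isinstance(node, list):
                raise KeyError(f"segment {depth} of {path!r} indexes a non-array")
            if part >= len(node):
                raise IndexError(f"segment {depth} of {path!r}: index {part} out of range")
            node = node[part]
        else:
            if not isinstance(node, dict) or part not in node:
                raise KeyError(f"segment {depth} of {path!r}: no key {part!r}")
            node = node[part]
    return node


def try_extract(doc, path):
    """extract() that reports (found, value) instead of raising."""
    try:
        return True, extract(doc, path)
    except (KeyError, IndexError, ValueError):
        return False, None


def render(value):
    """Approximation of what sops prints: a scalar raw, a subtree as JSON."""
    if isinstance(value, (dict, list)):
        return json.dumps(value, indent=2)
    return str(value)


# Constructed stand-in for the output of `sops -d path/to/myfile.enc.json`.
SAMPLE_DECRYPTED = {
    "an_array": ["first", "second", {"nested": True}],
    "db": {"host": "db.internal", "password": "hunter2"},
}

if __name__ == "__main__":
    for p in ('["an_array"][1]', '["db"]["password"]', '["db"]'):
        print(f"{p} -> {render(extract(SAMPLE_DECRYPTED, p))}")
```

The strict parser is deliberate: a dotted path like db.password or a negative index is rejected outright rather than silently selecting nothing, which is the behaviour you want in a deployment script where an empty secret would otherwise propagate quietly.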
Use Case 6: Comparing two sops files
diff <(sops -d path/to/secret1.enc.yaml) <(sops -d path/to/secret2.enc.yaml)
Motivation: Two sops files with the same plaintext have completely different ciphertext (each file has its own data key and fresh IVs), so comparing the encrypted files directly tells you nothing; you have to compare the decrypted documents.
Explanation: <(sops -d path/to/secret1.enc.yaml) and <(sops -d path/to/secret2.enc.yaml) are process substitutions, a bash and zsh feature (not POSIX sh): each runs its command and hands diff a file descriptor path (such as /dev/fd/63) from which the decrypted output is read. No plaintext is written to a temporary file on disk. The same idea can be made permanent with a git textconv diff driver that runs sops -d, as documented in the sops README, so that git diff and git log -p show cleartext changes.
Example Output: A standard diff of the two decrypted documents, showing exactly which values differ between secret1.enc.yaml and secret2.enc.yaml.
Conclusion
The sops command provides a wide range of functionality for managing secrets, including encryption, decryption, key rotation, and extracting specific elements. These examples demonstrate different use cases of the sops command, showcasing its versatility and usefulness in managing encrypted files and sensitive data.