Securing Secrets with Mozilla SopS and AGE: A Powerful Combo
With the ever-growing need to safeguard secrets and sensitive data, the challenge is to find tools that offer a balance between security and usability. One such pairing that stands out is Mozilla’s SopS in combination with AGE
for encryption. In this blog post, we’ll dive deep into the benefits of this duo, touching on simplicity, version control, encryption, and even offer a hands-on example.
What is SopS
?
SopS
is a secret management tool developed by Mozilla. It’s designed for encrypting secrets in files that can be stored in a version control system like GIT. Rather than encrypting the entire file, SopS
encrypts only the specific parts of a file that contain secrets, leaving the rest of the file (like structure and comments) in plain text. This means that you can still track changes and maintain version history without compromising security.
Furthermore, SopS
supports a variety of secret backends i.e. cloud KMS and Hashicorp vault.
SopS
additionally works in a binary mode where full files can be encrypted.
Introducing AGE
AGE
(Actually Good Encryption) is a simple, modern and secure encryption tool with small explicit threat models. Built on the foundations of strong cryptographic primitives, AGE
focuses on being simple to use while retaining powerful encryption capabilities.
Why Pair SopS
with AGE
?
Simplicity: One of the primary benefits of using
AGE
is its simplicity. With a straightforward CLI and easy-to-understand encryption and decryption commands, it reduces the chance of human error. When integrated withSopS
, you get the combined power of both tools intuitively.Version Control Compatibility: Since
SopS
encrypts only the secrets and not the entire file, it plays well with version control systems. You can visualize diffs, track changes, and maintain an audit trail of modifications without revealing the actual secrets.Strong Encryption:
AGE
boasts robust encryption capabilities. It uses modern encryption techniques, ensuring that your data remains confidential and safe from potential breaches.
Code Example: Encryption and Decryption with SopS
and AGE
First, generate an AGE
keypair:
age-keygen -o age.key
This will produce a public key string that you can use for encryption and a private key saved in age.key for decryption.
Next, use SopS
to encrypt a file using the AGE
public key:
sops --age age_public_key -e secrets.yaml > secrets.enc.yaml
Where age_public_key is the public key string generated in the first step and secrets.yaml is your plaintext file.
To decrypt the file, use:
sops --age age.key -d secrets.enc.yaml
And there you have it. The encrypted file (secrets.enc.yaml) can be safely stored in version control, while the original secrets remain safe and sound.
A 2nd example for docker-compose
The first example outlined the convenient structure-preserving encryption mechanisms for i.e. yaml files. Such files are oftentimes used for kubernets configuration or helm.
However, there are many smaller software projects out there potentially only based on docker compose and some .env
files which hold the secrets.
I have seen too many projects in the wild committing the .env
files or other secrets accidentally to the repository.
Instead, we can use the same mechanism as above to encrypt the .env
files.
However, there is no default parser for them. Instead, we can simply encrypt the files as binary files.
This is an example using a Makefile to encrypt and decrypt files in this way:
FILES_TO_ENCRYPT = .env
.PHONY: secrets-encrpyt
## encrypt secrets with SOPS and AGE
secrets-encrpyt:
for file in $(FILES_TO_ENCRYPT); do \
echo "Encrypting: $$file"; \
sops --encrypt --age $(ASCII_SOPS_AGE_PUBLIC_KEY) --input-type binary --output-type binary $${file} > $${file}.enc; \
done
.PHONY: secrets-decrypt
## encrypt secrets with SOPS and AGE
secrets-decrypt:
export SOPS_AGE_KEY_FILE=key.txt; \
for file in $(FILES_TO_ENCRYPT); do \
echo "Decrypting: $$file"; \
sops --decrypt --input-type binary --output-type binary $${file}.enc > $${file}; \
done
Wrapping Up
The fusion of Mozilla’s SopS
and AGE
presents an elegant solution for the perennial problem of securely managing secrets in version-controlled environments. With simplicity, robust encryption, and seamless integration with VCS, this combination ensures that IT security is both formidable and manageable. If you’re on the hunt for a reliable and efficient method for safeguarding your secrets, it might be time to give this pair a try.
The image was generated using Firefly by Adobe. Parts of the text were neatly generated by ChatGPT.