T2C for tsquaredc

How to Secure Secrets with SOPS, KMS, and Pipeline Gates

Most DevOps teams fight the same battle: how to move secrets through pipelines safely without slowing delivery. This guide shows how SOPS, KMS, and automated pipeline gates create an end-to-end system that is both safe and fast.

Step 1: Encrypt Configs with SOPS

SOPS lets you encrypt selected values inside YAML, JSON, or ENV files. The file structure stays intact so Git diffs remain readable.
Example snippet:

api_key: ENC[AES256_GCM,data:...,type:str]
region: us-east-1

Only the value is encrypted. The metadata that identifies the KMS key sits in the same file.
Commit these encrypted files to version control with confidence. No plaintext secrets ever appear in the repo.

Step 2: Use KMS as the Key Source

Connect SOPS to your cloud provider’s KMS. Each environment gets its own key with its own access policy.

Policy example:

  • Developers can decrypt only dev keys.
  • CI pipelines can decrypt staging keys.
  • Only production pipelines with approved tags can decrypt prod keys.

This separation enforces least privilege and allows each environment's key to be rotated independently.
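Here is what that per-environment split looks like on disk, as an added example that is not from this post: a .sops.yaml whose creation rules bind each secrets directory to its own KMS key, an IAM policy for one environment's pipeline role that can decrypt only that environment's key, and a small shell resolver that reproduces how sops chooses a rule (first path_regex match wins) so you can see which key a path would get without sops installed. The account id, key ids and the directory layout under secrets/ are placeholders and assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the post: per-environment .sops.yaml, a
# least-privilege decrypt policy for one environment's pipeline role, and a
# resolver that mimics sops's rule selection. ARNs are placeholders.
set -eu

KMS_DEV='arn:aws:kms:us-east-1:000000000000:key/DEV-KEY-ID-PLACEHOLDER'
KMS_STAGING='arn:aws:kms:us-east-1:000000000000:key/STAGING-KEY-ID-PLACEHOLDER'
KMS_PROD='arn:aws:kms:us-east-1:000000000000:key/PROD-KEY-ID-PLACEHOLDER'

# write_sops_config OUT: sops applies the first creation_rule whose path_regex
# matches the file being encrypted, so each directory maps to exactly one key
# and a file outside these paths is refused rather than encrypted with some
# shared default key.
write_sops_config() {
  cat > "$1" <<EOF
creation_rules:
  - path_regex: ^secrets/dev/.*\\.ya?ml\$
    kms: $KMS_DEV
  - path_regex: ^secrets/staging/.*\\.ya?ml\$
    kms: $KMS_STAGING
  - path_regex: ^secrets/prod/.*\\.ya?ml\$
    kms: $KMS_PROD
EOF
}

# key_for_path CONFIG PATH: print the ARN of the first rule whose path_regex
# matches PATH, or return 1 when no rule matches (sops refuses to encrypt in
# that case). Pure shell so it runs without sops.
key_for_path() {
  regex=''
  while IFS= read -r line; do
    case $line in
      *'path_regex: '*) regex=${line#*path_regex: } ;;
      *'kms: '*)
        if [ -n "$regex" ] && printf '%s\n' "$2" | grep -Eq "$regex"; then
          printf '%s\n' "${line#*kms: }"
          return 0
        fi ;;
    esac
  done < "$1"
  return 1
}

# write_decrypt_policy ENV OUT: identity policy for the ENV pipeline role that
# allows kms:Decrypt on that environment's key only. Attach it to the role the
# runner assumes; nothing here grants access to the other environments' keys.
write_decrypt_policy() {
  case $1 in
    dev) key=$KMS_DEV ;;
    staging) key=$KMS_STAGING ;;
    prod) key=$KMS_PROD ;;
    *) echo "unknown environment: $1" >&2; return 1 ;;
  esac
  cat > "$2" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DecryptOnly${1}Secrets",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "$key"
    }
  ]
}
EOF
}
```

With the config written to the repository root, `sops --encrypt --in-place secrets/prod/app.yaml` picks the prod key by path; the role that encrypts needs kms:Encrypt on that key, while the pipeline role gets only the decrypt policy above. Two things the policy relies on: the KMS key policy itself must still delegate to IAM (the default "Enable IAM User Permissions" statement), and a dev role that is handed this prod policy by mistake would be caught in the Step 5 review, since the policy lives as code next to the key definitions.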

Step 3: Add Pipeline Gates

Integrate gates into your CI/CD workflow that verify:

  • Runner identity
  • Branch or tag status
  • Required reviews and scan results

Only if all checks pass will the pipeline invoke SOPS to decrypt secrets. The decrypted data lives in memory for the duration of the job and is destroyed at the end.

This prevents rogue builds or unapproved branches from accessing live credentials.
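A gate of this kind, as an added shell example rather than the post's or T2C's own CI module: the job supplies the runner identity, the git ref, the review state and the scan state; the function returns non-zero with the first failing condition, and sops is only invoked once every condition holds. The variable names (RUNNER_ID, GIT_REF, REVIEW_STATUS, SCAN_STATUS, DEPLOY_CMD), the per-environment runner labels and the rule that prod requires a v-prefixed release tag are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the post's own code: a gate that a CI job runs before it
# may call sops. Variable and runner names are assumptions; map them to what
# your CI platform exposes as trusted (not job-editable) values.
set -eu

# gate_check ENV RUNNER REF REVIEW SCAN
#   ENV    : dev | staging | prod
#   RUNNER : identity label of the runner executing the job
#   REF    : fully qualified git ref, e.g. refs/heads/main, refs/tags/v1.2.0
#   REVIEW : approved | pending
#   SCAN   : clean | findings
# Prints the first failed condition and returns 1; returns 0 only when every
# condition for that environment holds.
gate_check() {
  target=$1; runner=$2; ref=$3; review=$4; scan=$5
  case $target in
    dev)     want_runner=dev-runner;  ref_pattern='refs/heads/*' ;;
    staging) want_runner=ci-runner;   ref_pattern='refs/heads/main' ;;
    prod)    want_runner=prod-runner; ref_pattern='refs/tags/v[0-9]*' ;;
    *) echo "unknown environment: $target"; return 1 ;;
  esac
  [ "$runner" = "$want_runner" ] || { echo "runner '$runner' may not decrypt $target"; return 1; }
  case $ref in
    $ref_pattern) ;;                       # unquoted: the variable is a glob pattern
    *) echo "ref '$ref' is not eligible for $target"; return 1 ;;
  esac
  [ "$review" = approved ] || { echo "required review is missing"; return 1; }
  [ "$scan" = clean ]      || { echo "scan results block decryption"; return 1; }
  return 0
}

# decrypt_in_job ENV FILE: decrypt only behind the gate, keep the plaintext in
# a shell variable for the life of the job, hand it to the consumer on stdin
# (never argv or an env dump) and clear it when the job shell exits.
decrypt_in_job() {
  target=$1; file=$2
  gate_check "$target" "${RUNNER_ID:-}" "${GIT_REF:-}" "${REVIEW_STATUS:-}" "${SCAN_STATUS:-}" || return 1
  # audit line for the observability pipeline: who, what, where, but never the value
  echo "decrypt env=$target file=$file runner=${RUNNER_ID:-} ref=${GIT_REF:-}"
  plaintext=$(sops --decrypt "$file")   # sops resolves the KMS key from the file's metadata
  trap 'unset plaintext' EXIT
  printf '%s' "$plaintext" | "${DEPLOY_CMD:?DEPLOY_CMD must name the consumer of the secret}"
}
```

In a job step this reads as `RUNNER_ID=prod-runner GIT_REF=refs/tags/v1.2.0 REVIEW_STATUS=approved SCAN_STATUS=clean DEPLOY_CMD=./deploy decrypt_in_job prod secrets/prod/app.yaml`. The gate is only as strong as the source of those five values: they have to come from the CI platform's own variables or an earlier trusted stage, because a check that reads them from the job's editable environment can be satisfied by the same commit it is meant to stop.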

Step 4: Automate Rotation and Verification

Add scheduled jobs to rotate KMS keys and re-encrypt SOPS files. Use scanners to confirm no plaintext credentials exist in repos or logs.
Log every decryption event and feed it into your observability platform.
Automation ensures compliance without human intervention.
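The verification side of this step, as an added example that is not from the post: a shell check that fails when any value in a SOPS-managed YAML file outside the sops metadata block is not an ENC[...] ciphertext (the state a file lands in when someone decrypts it in place and commits it), a repo-wide scan built on that check, and a wrapper that runs the check right after sops's own rotate and updatekeys subcommands. The sample file is constructed for the example and its key ARN is a placeholder.

```shell
#!/bin/sh
# Added example, not the post's own code: catch plaintext in SOPS-managed
# files and verify a file after rotation. Sample content is constructed.
set -eu

# check_encrypted FILE [ALLOWED]: every "key: value" line outside the sops
# metadata block must hold an ENC[...] ciphertext. ALLOWED is a comma-separated
# list of keys that are intentionally plain (e.g. region). Prints each
# offending key and returns 1 if any is found.
check_encrypted() {
  file=$1; allowed=",${2:-},"; bad=0; in_sops=0
  while IFS= read -r line; do
    case $line in
      ''|'#'*) continue ;;                                  # blank or comment
      sops:*) in_sops=1; continue ;;                        # metadata block starts
      ' '*) if [ "$in_sops" -eq 1 ]; then continue; fi ;;   # nested under sops:
      *) in_sops=0 ;;                                       # next top-level key ends it
    esac
    key=${line%%:*}; key=${key#"${key%%[! ]*}"}             # strip indentation
    value=${line#*:}; value=${value# }
    [ -n "$value" ] || continue                             # "db:" style mapping header
    case $allowed in *",$key,"*) continue ;; esac
    case $value in
      'ENC['*']') ;;
      *) echo "plaintext value for key '$key' in $file"; bad=1 ;;
    esac
  done < "$file"
  return $bad
}

# scan_repo DIR [ALLOWED]: run the check over every YAML file under DIR;
# returns 1 if any file fails, which is what a pre-commit hook or CI job wants.
scan_repo() {
  status=0
  for f in $(find "$1" \( -name '*.yaml' -o -name '*.yml' \) -print); do
    check_encrypted "$f" "${2:-}" || status=1
  done
  return $status
}

# rotate_and_verify FILE [ALLOWED]: sops rotate generates a fresh data key and
# re-encrypts every value; sops updatekeys re-wraps that data key with the keys
# .sops.yaml now lists (e.g. after a KMS key was replaced). The check runs last
# so a half-rotated or decrypted-in-place file never reaches the commit.
rotate_and_verify() {
  sops rotate --in-place "$1"
  sops updatekeys --yes "$1"
  check_encrypted "$1" "${2:-}"
}

# write_sample_file OUT: a constructed file in the shape sops produces
# (encrypted values plus a sops: metadata block); the ARN is a placeholder.
write_sample_file() {
  cat > "$1" <<'EOF'
api_key: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
region: us-east-1
db:
  password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
  kms:
    - arn: arn:aws:kms:us-east-1:000000000000:key/PROD-KEY-ID-PLACEHOLDER
  mac: ENC[AES256_GCM,data:PLACEHOLDER,type:str]
EOF
}
```

`scan_repo secrets region` as a pre-commit hook and again as a CI step covers the "no plaintext in repos" half of this step; the "no plaintext in logs" half is a separate control on the job output, since this check only reads files. The allow-list is deliberate: a file that mixes secret and non-secret keys should declare which keys are allowed to stay readable, otherwise the check would either miss a leak or fail on every region value.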

Step 5: Policy-as-Code and Audit Trails

Store gate definitions and key policies alongside infrastructure code, so the same review and approval process applies to them automatically. Audit data from KMS and pipelines feeds into dashboards that show who decrypted what, when, and why.

This turns secret management into a measurable system rather than a collection of habits.

T2C Implementation Example

Our standard blueprint includes:

  • SOPS for file-level encryption
  • KMS keys per environment with Terraform provisioning
  • IAM roles for pipelines with scoped decrypt permissions
  • CI modules that enforce gate conditions
  • Reporting that merges key usage, pipeline health, and cost metrics

This combination lets secrets travel securely from commit to production.

Takeaways

  • Encrypt values with SOPS, not the whole file.
  • Manage keys in KMS and restrict who can call decrypt.
  • Add pipeline gates that verify identity and environment.
  • Rotate keys and scan repositories regularly.
  • Store everything as code and log every decrypt.

This is how we build “secrets that ship safely” at T2C: encryption anchored in policy, pipelines guarded by gates, and evidence available on demand.
