Introduction
In today's world, data security is of utmost importance, especially when dealing with sensitive information like passwords, API keys, and other confidential data. Encrypting secrets ensures that even if unauthorized individuals gain access to the data, they won't be able to decipher its contents. In this blog post, we will explore two powerful open-source tools, SOPS and AGE, that enable secure encryption of secrets.
Installing SOPS and AGE:
Before we dive into encrypting secrets, let's ensure that we have SOPS and AGE installed on our system. You can download and install SOPS from the official GitHub repository.
SOPS → https://github.com/mozilla/sops/releases
Similarly, AGE can be installed from its GitHub repository:
AGE → https://github.com/FiloSottile/age/releases
Creating the Encryption Key:
To get started, we need to generate a key pair using AGE. The public key (the "recipient") is what SOPS encrypts to, and the private key is what decrypts. Open your terminal and execute the following command:
age-keygen -o key.txt
The output of this command will be:
age-keygen -o key.txt
Public key: age1rua2rfy0uhzywprgwclavsp39uhfwmrxpanutt4y3zfcjurjs3msa0hnu9
This writes the private key to a file named "key.txt" (the matching public key is printed and also recorded in a comment line inside the file). Next, copy this file to the location ~/.sops/key.txt, creating the directory first if it does not exist:
mkdir -p ~/.sops && cp key.txt ~/.sops/key.txt
Configuring SOPS Environment:
To configure SOPS to use the AGE encryption key, we need to make an entry in our shell configuration file. If you're using the Zsh shell, you can open the configuration file using the following command:
nano ~/.zshrc
Add the following line to the .zshrc file:
export SOPS_AGE_KEY_FILE=$HOME/.sops/key.txt
Save the file and exit the editor. This configures SOPS to use the AGE encryption key file we generated earlier.
Encrypting the Secret.yaml File:
Now, let's encrypt the "secret.yaml" file that contains the secrets we want to protect. Here is the content of the "secret.yaml" file:
apiVersion: v1
kind: Secret
metadata:
    creationTimestamp: null
    name: dev-db-secret
data:  # Kubernetes expects base64-encoded values under data; plaintext values belong under stringData
    username: root
    password: supersecretpassword
To encrypt this file, run the following command in your terminal:
sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE | grep -oP "public key: \K(.*)") --encrypted-regex '^(data|stringData)$' --in-place ./secret.yaml
This command uses SOPS along with the AGE public key to encrypt the file in place. The public key is read from the "# public key:" comment line that age-keygen writes into the key file (the \K construct requires GNU grep's -P). The --encrypted-regex option specifies which keys should be encrypted: every value nested under a key named data or stringData is encrypted, while the rest of the manifest stays readable.
After encryption, the secret file looks like this:
apiVersion: v1
kind: Secret
metadata:
    creationTimestamp: null
    name: dev-db-secret
data:
    username: ENC[AES256_GCM,data:hW4VXQ==,iv:nkM9UHvHwTx6oUvjcfq/olO/FcuijHvrVmJZfT2eB6k=,tag:pBV7nvNbGSauOCSy5Bar4Q==,type:str]
    password: ENC[AES256_GCM,data:QX7Bb5Idlyf+0sVsTbRaQd4afQ==,iv:VHu8vnW5vfSW7c4fuBNUAznhH+j2QTfij6iPFd9ww0U=,tag:RSd8e6JNbPhGuYFqOcHNAg==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1w6mnsqrank3f3e9rxv6xz4nnpnvrr9zyed2zsm8jkyya8gq5zazqzt58sm
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUdzhOQjV0VlBjT0cvSUtk
            VlVBcU11RG5DRkNWTzROdlNrVHo2bUhVK0NnCmNvR3hJSjY5VHFoMm5Va2ViMFho
            b1k1MFhaM0hOa2p1ODh0R25Vb3NsOWsKLS0tIHZSdy93MVhtZGlwL2M5UktpSDds
            UkdHa0VqcTl3TGM0MXpzMXlJeEJrdUEKdVQmdzWWndJQ1V3WZjgIEB5vQXPM5QfZ
            zv7WhnpN0gHMn2G8oZYbSmIPPT0UFI7+JaySZ5EkZeP/vqcK1Qhmow==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-05-21T14:20:25Z"
    mac: ENC[AES256_GCM,data:kAr8Meo9jeMvfAgiMwhSWIVwaLVd7sU9XHck51hgA67qenE6ORlm2yZcZ75LWo1WkTGoZ+sUdByyYKMFR+zc2SHTT9fnYtLrREtBv9xHz6Kbn/rOEDGDmCNQcBLhQbPdRjzA67rrA8M0V337IJYiIywID2ur8OSXlOSF2M2vW8I=,iv:ZKLCPfpJBcLr8oG/sIVqLbZqd74UMKpS9+YSgQdDsy8=,tag:p6WgJJ3DsCdNbZB9coolhg==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
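A check worth running before a file like the one above is committed: an added example (not part of the original post, and not SOPS code) that walks an already-parsed manifest and flags any value under a key matching the recorded encrypted_regex that is not a SOPS ENC[...] marker. It assumes the YAML has been loaded into a Python dict (for instance with yaml.safe_load); the sample manifests are constructed from the file shown above.

```python
import re

# Shape of a SOPS-encrypted leaf: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]*,iv:[^,\]]*,tag:[^,\]]*,type:[a-z]+\]$")

def is_enc(value):
    """True if value is a SOPS ENC[...] marker, i.e. an encrypted leaf."""
    return isinstance(value, str) and ENC_RE.match(value) is not None

def find_plaintext(doc, encrypted_regex):
    """Dotted paths of leaves under a key matching encrypted_regex that are not ENC[...]
    markers. Like sops, a matching key protects its whole subtree; 'sops' is exempt."""
    key_pat = re.compile(encrypted_regex)
    problems = []

    def walk(node, path, must_encrypt):
        if isinstance(node, dict):
            for key, child in node.items():
                if not path and key == "sops":  # sops' own metadata block stays in clear
                    continue
                walk(child, path + [str(key)],
                     must_encrypt or bool(key_pat.search(str(key))))
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, path + [str(i)], must_encrypt)
        elif must_encrypt and node is not None and not is_enc(node):
            problems.append(".".join(path))

    walk(doc, [], False)
    return problems

def check_secret(doc):
    """Problems in a parsed Secret manifest; an empty list means every protected leaf is encrypted."""
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        return ["missing sops metadata block (file was never encrypted?)"]
    if not meta.get("encrypted_regex"):
        return ["sops.encrypted_regex not recorded"]
    if not is_enc(meta.get("mac")):
        return ["sops.mac missing or malformed"]
    return find_plaintext(doc, meta["encrypted_regex"])

# Constructed samples mirroring the manifest above (ENC_USER copied from it; ENC_MAC is a placeholder)
ENC_USER = "ENC[AES256_GCM,data:hW4VXQ==,iv:nkM9UHvHwTx6oUvjcfq/olO/FcuijHvrVmJZfT2eB6k=,tag:pBV7nvNbGSauOCSy5Bar4Q==,type:str]"
ENC_MAC = "ENC[AES256_GCM,data:AAAA,iv:BBBB,tag:CCCC,type:str]"
SAFE = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "dev-db-secret"},
        "data": {"username": ENC_USER, "password": ENC_USER},
        "sops": {"encrypted_regex": "^(data|stringData)$", "mac": ENC_MAC, "version": "3.7.3"}}
# Same manifest with one value left in clear, as a leaked plaintext would look
LEAKED = dict(SAFE, data={"username": ENC_USER, "password": "supersecretpassword"})
```

check_secret(SAFE) returns [] and check_secret(LEAKED) returns ["data.password"], which is what a pre-commit hook would act on.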
Decrypting the Secret.yaml File:
If you need to access the decrypted contents of the "secret.yaml" file, you can use the following command:
sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE | grep -oP "public key: \K(.*)") --encrypted-regex '^(data|stringData)$' --in-place ./secret.yaml
This command will decrypt the encrypted fields in the file, allowing you to view and modify the secrets as needed. The recipient list and the encrypted_regex are also recorded in the sops metadata block, so decryption only needs the private key that SOPS_AGE_KEY_FILE points to. Because --in-place overwrites the file with plaintext, re-run the encrypt command before committing it again.
Conclusion:
Encrypting secrets is crucial for maintaining data security. In this blog post, we explored the usage of two open-source tools, SOPS and AGE, to encrypt and decrypt secrets. By following the steps outlined, you can effectively protect sensitive information and ensure its confidentiality. Remember to always store your encryption keys securely and follow best practices for secret management to maintain a robust security posture in your projects.