@osher
Last active November 18, 2023 19:54
The simplest sops demo - sops using age encryption
# This demo uses an alpine sandbox in a docker container in
# interactive mode, run with:
# docker run --rm -it alpine
#
# if you run it on your own system:
# 1. you should use your own package manager instead of `apk`
# 2. expect the following leftovers:
# - installed binaries (age, age-keygen, sops)
# - $HOME/.config/sops/age/keys.txt
# - demo files: source.env, encrypted.env, decrypted.env
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# A R R A N G E
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
echo "
1. Installing packages: age";
#------------------------------------------------------------
apk add age;
#------------------------------------------------------------
echo "
2. Installing sops binary and make it runnable";
#------------------------------------------------------------
wget https://github.com/mozilla/sops/releases/download/v3.7.3/sops-v3.7.3.linux -O /usr/bin/sops && chmod +x /usr/bin/sops;
#------------------------------------------------------------
echo "
3. create age encryption key,
and extract the public key as AGE_PUB_KEY";
# NOTE: $HOME/.config/sops/age/keys.txt is where sops looks for age
# private keys by default (override with SOPS_AGE_KEY_FILE), so
# decryption in step 6 needs no extra flags.
#------------------------------------------------------------
mkdir -p $HOME/.config/sops/age/;
age-keygen > $HOME/.config/sops/age/keys.txt;
chmod 400 $HOME/.config/sops/age/keys.txt;
# age-keygen prints a line "# public key: age1..." - field 4 is the key
AGE_PUB_KEY=$(grep 'public key' $HOME/.config/sops/age/keys.txt | cut -d' ' -f 4);
#------------------------------------------------------------
echo "
4. create a demo .env file";
# NOTE: it works with yaml, json, ini, and more
# (it relies on the file suffix,
# but you can specify it explicitly using --input-type)
#------------------------------------------------------------
cat << EOF > source.env
USERNAME=the-user
PASSWORD=the-password<shhhh!!!!!>
EOF
#------------------------------------------------------------
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# A C T
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
echo "
5. use sops to encrypt 'source.env' with Age,
show the encrypted output on screen
and save it as 'encrypted.env'";
#------------------------------------------------------------
sops -e --age $AGE_PUB_KEY source.env | tee encrypted.env;
#------------------------------------------------------------
echo "
6. use sops to decrypt
to compare the result with 'source.env'";
#------------------------------------------------------------
sops -d encrypted.env > decrypted.env;
#------------------------------------------------------------
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# A S S E R T
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
echo "
7. 'decrypted.env' should be identical to 'source.env'";
#------------------------------------------------------------
if diff source.env decrypted.env; then
echo "
SUCCESS :)
";
else
echo "
Test failed :o
";
exit 1;
fi;
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# NOTE:
# now that your keys are set and you have an encrypted file,
# you can call:
# sops encrypted.env
# this will open the decrypted content in your default editor.
# if you make changes - it will re-encrypt the values and save them on exit
# (after which the `diff` above will no longer work - it updates only the encrypted file)
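The ASSERT step above only checks the round trip. The check a practitioner usually wants before an encrypted .env is committed is the opposite direction: every key from the plaintext file must appear in the encrypted file wrapped in a sops ENC[...] envelope, none of the plaintext values may appear anywhere in it, and the sops_* metadata (in particular sops_mac) must be present, otherwise `sops -d` cannot verify it. The following is an added example, not part of the gist; it runs offline with constructed sample files that mimic the dotenv layout sops produces (ENC[AES256_GCM,data:...,iv:...,tag:...,type:str] values followed by sops_* metadata lines). The ciphertext bodies and the age recipient in the sample are placeholders, not real sops output.

```shell
# write_samples PLAIN_PATH ENCRYPTED_PATH
# constructed sample data: the plaintext dotenv from the demo and a stand-in
# for its sops-encrypted form. Base64 bodies and the recipient are placeholders.
write_samples() {
  cat > "$1" <<'EOF'
USERNAME=the-user
PASSWORD=the-password<shhhh!!!!!>
EOF
  cat > "$2" <<'EOF'
USERNAME=ENC[AES256_GCM,data:cXdlcnR5,iv:AAAA,tag:BBBB,type:str]
PASSWORD=ENC[AES256_GCM,data:enp4Y2N2,iv:CCCC,tag:DDDD,type:str]
sops_age__list_0__map_recipient=age1placeholderpublickey
sops_mac=ENC[AES256_GCM,data:ZmFrZQ==,iv:EEEE,tag:FFFF,type:str]
sops_version=3.7.3
EOF
}

# check_encrypted PLAIN_PATH ENCRYPTED_PATH
# returns 0 only when:
#   - every key in PLAIN_PATH exists in ENCRYPTED_PATH with an ENC[...] value
#   - no plaintext value from PLAIN_PATH occurs anywhere in ENCRYPTED_PATH
#   - the sops_mac metadata line is present
# each violation is reported on stderr; suitable as a pre-commit hook.
check_encrypted() {
  plain=$1; enc=$2; rc=0
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
    key=${line%%=*}
    val=${line#*=}
    encval=$(sed -n "s/^$key=//p" "$enc")
    case $encval in
      'ENC['*) ;;
      '')      echo "missing key in encrypted file: $key" >&2; rc=1 ;;
      *)       echo "value not encrypted: $key" >&2; rc=1 ;;
    esac
    # literal (-F) search so regex characters in the secret are not interpreted
    if [ -n "$val" ] && grep -qF -- "$val" "$enc"; then
      echo "plaintext value leaked for key: $key" >&2; rc=1
    fi
  done < "$plain"
  grep -q '^sops_mac=' "$enc" || { echo "sops_mac metadata missing" >&2; rc=1; }
  return $rc
}
```

Usage on the demo files from the gist would be `check_encrypted source.env encrypted.env`; the function is POSIX sh and needs only grep and sed, so it also works on the alpine sandbox without extra packages.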