@diegoquintanav
Created May 25, 2022 15:46
Encrypt secrets in git

Committing secrets to git

Don’t

Don’t commit plaintext secrets to GitHub (or any other git remote). Deleting them in a later commit does not help: they stay in the history, so a secret that has been pushed once must be treated as compromised and rotated.

Do

  • Keep secrets in a vault or another secret-management system and fetch them at deploy time
  • Pass secrets in through environment variables where possible
  • Use GitHub Actions secrets for CI where possible
  • If a secret really has to live in the repo, commit it only in encrypted form (example below)

Dependencies

  • sops (Mozilla SOPS)
  • age (provides age-keygen)

Encryption example

  • Consider a secrets.yaml manifest for a Kubernetes cluster, such as the Secret below as dumped with kubectl
    • in Kubernetes, the values under data are base64 encoded
    • base64 encoding is not encryption: anyone who can read the repo can decode every value
    • note that the kubectl.kubernetes.io/last-applied-configuration annotation repeats all the values, so it leaks exactly as much as data does
    • we want to encrypt secrets.yaml before it goes into the repo
apiVersion: v1
data:
  FIRST_SUPERUSER_PASSWORD: ejFRU334NUdNa2ZGZldJWA==
  FLOWER_BASIC_AUTH: YWRtaW46Y2hh3mdldGhpcw==
  PGADMIN_DEFAULT_PASSWORD: Y2hhb3dldGhpcw==
  POSTGRES_PASSWORD: Y2hhb3dldGhpcw==
  SECRET_KEY: YnE9XmhjI3gwbnVtNnRusl8jZ20lKCgkZyQ2ZigkXkBsYj1wNSkkY2gqMiprKzA=
  SMTP_PASSWORD: d1hhQ2tRaU51NTJfUnVR
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"FIRST_SUPERUSER_PASSWORD":"ejFRU3k4NUaNa2ZGZldJWA==","FLOWER_BASIC_AUTH":"YWRtaW46Y2hhbcdldGhpcw==","PGADMIN_DEFAULT_PASSWORD":"Y2hhbmdwdGhpcw==","POSTGRES_PASSWORD":"Y2hhbmd2dGhpcw==","SECRET_KEY":"YnE9XmhjI3gwbnVdNnRudl8jZ20lKCgkZyQ2ZigkXkBsYj1wNSkkY2gqMiprKzA=","SMTP_PASSWORD":"d1hhQ2tRaU5cNTJ1UnVR"},"kind":"Secret","metadata":{"annotations":{},"creationTimestamp":"2022-05-23T12:27:26Z","name":"boscapp-secrets","namespace":"boscapp-develop","resourceVersion":"8788","uid":"c4e26fa2-6ae6-4870-a67b-d338cfe7b438"},"type":"Opaque"}
  creationTimestamp: "2022-05-24T09:09:58Z"
  name: boscapp-secrets
  namespace: boscapp-develop
  resourceVersion: "25369"
  uid: 9060cefc-9456-417e-bafe-8679809cbbf7
type: Opaque

  1. Install age and generate an identity with age-keygen. key.txt holds the private key (keep it out of the repo); the public key it prints is the recipient that sops will encrypt to

    $ age-keygen -o key.txt
    Public key: age1v033rkzzzv3nxz7mcrqeffp45pn457ahgthng0q6f0u4t8z7h40s9w766y
  2. Encrypt secrets.yaml with sops, passing the age public key as the recipient

    $ sops --encrypt --age age1v033rkzzzv3nxz7mcrqeffp45pn457ahgthng0q6f0u4t8z7h40s9w766y secrets.yaml > secrets.enc.yaml
  3. Commit secrets.enc.yaml instead of secrets.yaml, and add secrets.yaml to .gitignore so it cannot be staged by accident. Two things to keep in mind: first, strip the cluster-generated fields (creationTimestamp, resourceVersion, uid and the last-applied-configuration annotation) before encrypting, since they change on every apply and the annotation duplicates the secret values; second, sops encrypts every value in the file, including apiVersion, kind and metadata, and only the keys stay readable, so the result below cannot be applied with kubectl until it is decrypted. If kind and metadata should stay in clear so the file remains a recognisable manifest, restrict encryption to the secret values with --encrypted-regex '^(data|stringData)$'

    apiVersion: ENC[AES256_GCM,data:VRo=,iv:xew/fFqEgNxGUhSnopbf8z54f1iQv7yVlI8Er/s1zzg=,tag:ytLYv/NPMfcpJVsUZVGh2g==,type:str]
    data:
        FIRST_SUPERUSER_PASSWORD: ENC[AES256_GCM,data:kl6AcEVo/AjzSu0lRkQ5WXcTzm/8wpZm,iv:1JwbgbXIhafvqMp23ykJ5bZP+vhO7NZ2hpTQ0lQQAm0=,tag:Uaz6oMN8s8QelTdbRL+TrQ==,type:str]
        FLOWER_BASIC_AUTH: ENC[AES256_GCM,data:aZ8Xjp2FqZJPQzPzWAf2nt03DRYlGqZC,iv:h9Rytad9DXzYuaZpT+oHpLeN3jryuyrx4LUaf5J35Vk=,tag:ir/vUslyjkkVoFMlVwuBdg==,type:str]
        PGADMIN_DEFAULT_PASSWORD: ENC[AES256_GCM,data:LKQ4qa83gRFZ8+G1cTzPwg==,iv:jHrWmGkkXMKuaZTd+TYvWxjFwkCo7JcscrNZglOiBnQ=,tag:F8gDE8A7gJjqhT1zaL9MkA==,type:str]
        POSTGRES_PASSWORD: ENC[AES256_GCM,data:lzXGf19TEXBMZIS2U77VVg==,iv:V4qxcYz203YEjILtUUr2uG/idC/PQDYkHP1SCbEh2V0=,tag:TwK9mwND37b1aNmgsJekEg==,type:str]
        SECRET_KEY: ENC[AES256_GCM,data:wO4xDVN0EM2BWMZjYNxB0ykZehHHUO/u7RTok9EzJ4AcKtLXBPn040bvm+QTteJoHgAEOdrm2SZGlw6Wobb4ng==,iv:aupI/Qm4GloZhid07jUG4IhiqqiXBinrq21AG8mPEoc=,tag:NVYKkfN7MmlvBrRoDDh2mA==,type:str]
        SMTP_PASSWORD: ENC[AES256_GCM,data:6VnkNOKOvCNFYcBe17HY2X9ZtIY=,iv:0BYZnL5MrvdTBKltiHShzIqwdjlIDcBSEOI+T/nkPlw=,tag:D7Po93ZTFB5aGQ7muvtDiw==,type:str]
    kind: ENC[AES256_GCM,data:ZpTBQFrT,iv:wax0ZQpNkq08qScJMIt/vRN0dwTDqvy1798yF/YouaE=,tag:VPR8iL9UcywnRds9Wu5mRQ==,type:str]
    metadata:
        annotations:
            kubectl.kubernetes.io/last-applied-configuration: ENC[AES256_GCM,data:...,iv:t6u6jLMbiDYLvP0B90lTxUHcDm9NrvG3DTidfXNl+xw=,tag:CTBXyR+alzLAfaJpiwY6ig==,type:str]
        creationTimestamp: ENC[AES256_GCM,data:Nwkr9qIs4uKvfSfY7zddEI2oqR0=,iv:R5pN9IEecYxGPJwtV4TneDAAFe2FJkROITCAT/T03Ow=,tag:U/UkAa7XUqbvFwMKx88XUQ==,type:str]
        name: ENC[AES256_GCM,data:LWV40t1f1xLpLPtYp7GS,iv:cH8udhIxFj9d4Dz23GEeVmDXUJY13fjiAym0Dia9WkM=,tag:3kDFhwhk4kurrNb3IL1Z6w==,type:str]
        namespace: ENC[AES256_GCM,data:bsQ2T0G2qbLrChYujcYg,iv:H2fS9o5qyf9KaLQmzqSa4jAH5KE6STFkTaAvMdfrgUE=,tag:uyOYpjFEVbsD4rSmjvN4hw==,type:str]
        resourceVersion: ENC[AES256_GCM,data:AIEmp+w=,iv:jo3w5xCbdTqSeJic7w4U7iGKmYRqyq95/5I9M7pYspI=,tag:rl9bU3vdjBRlx0DbCDrlGA==,type:str]
        uid: ENC[AES256_GCM,data:WFBbGwHHF2vv+qxqs8QwXWhut8l4kHF89Gkki0hQ+m5Qwigb,iv:LkH46cJ5r/PbUmbHRqBhrKB10lIS81pb10bXBTm6q7E=,tag:+HivETOzJiJag6fhZGWQ6w==,type:str]
    type: ENC[AES256_GCM,data:TSkrohpk,iv:pFO076kzSrkptzSakf0BgcjbXrEYgcUj04LlJxmiDvU=,tag:+YdUiC7tosieEWiPmfutug==,type:str]
    sops:
        kms: []
        gcp_kms: []
        azure_kv: []
        hc_vault: []
        age:
            - recipient: age1v033rkzzzv3nxz7mcrqeffp45pn457ahgthng0q6f0u4t8z7h40s9w766y
              enc: |
                -----BEGIN AGE ENCRYPTED FILE-----
                YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2bUVIQ005Skx4VGp3YUxN
                eVRUZmptU0RSalJweFphN0M2NFRIN2tyRTJFCjR2SForS3lXcHNxUnlVUHcrTThH
                RlNiMWptdHZvWWtNSHFPSDEwRktQTGsKLS0tIHhrS3NhY09mcEQycVpuajJaM2lP
                eHFyV0FDaUdIb0tCU0daOCt3eTBQMncKsaZNn/utbBTDrtYRBc1pfdj2SftSaY9K
                RePoZFG33WNHET5vtwPnG6XOIqrpvebnhG02fg8UXU0URmeGHGuD5g==
                -----END AGE ENCRYPTED FILE-----
        lastmodified: "2022-05-25T15:32:09Z"
        mac: ENC[AES256_GCM,data:IjPQvampszip+aXXL3QZNaIbEYMS6741Lv3mQY4FSCNDcFawhGMlBtqYWEMwCFHjx1uiKjws2kjvcqyWg5eYSbcHAaZlUrfHcTOYsOlZMggc1HfgkaW9ldF7GPkAR8pzftWhkghrAIhnvoRR6ZhNdkFgbs0omYHtOs9VynzPx+Y=,iv:EMMJ0H4wJ2yGC1MG0GuVUPtyMR1wODv+cMXWE1bVGKQ=,tag:7AE9bvF7bVBBKre3mmtc8A==,type:str]
        pgp: []
        unencrypted_suffix: _unencrypted
        version: 3.7.3

Decrypting

  1. Copy key.txt (the age private key) to the environment that needs the plaintext, over a secure channel and never through the repo, and point the SOPS_AGE_KEY_FILE environment variable at it (sops also reads the key from SOPS_AGE_KEY, or from the default location $XDG_CONFIG_HOME/sops/age/keys.txt). Then run sops with --decrypt on secrets.enc.yaml to get the original manifest back. Read more in the sops documentation.
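As an added example (not part of the gist, and not sops or age code), the following Python script acts as a pre-commit guard for the procedure above: it refuses a Kubernetes Secret manifest whose values are still only base64 encoded rather than sops envelopes, and it decodes those values to make the point that base64 is not encryption. The file name check_secret.py, the example-secrets manifest and the values in it are constructed for the demonstration; the parser is a minimal line-oriented one so the hook needs no PyYAML.

```python
"""Pre-commit guard: reject Secret manifests that are not sops-encrypted.

Added example, not from the gist. Parses the flat `data:` / `stringData:`
blocks that `kubectl get secret -o yaml` emits, without PyYAML.
"""
import base64
import binascii
import re
import sys

# Shape of a value after `sops --encrypt`:
#   ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
SOPS_ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,]*,iv:[^,]*,tag:[^,]*,type:\w+\]$")

# Constructed sample manifests with made-up values (not the gist's secrets).
PLAIN_MANIFEST = """\
apiVersion: v1
kind: Secret
metadata:
  name: example-secrets
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"data":{"POSTGRES_PASSWORD":"Y2hhbmdldGhpcw=="}}
data:
  POSTGRES_PASSWORD: Y2hhbmdldGhpcw==
  SMTP_PASSWORD: aHVudGVyMg==
type: Opaque
"""

ENCRYPTED_MANIFEST = """\
apiVersion: ENC[AES256_GCM,data:VRo=,iv:aaa=,tag:bbb=,type:str]
data:
    POSTGRES_PASSWORD: ENC[AES256_GCM,data:lzXG19==,iv:ccc=,tag:ddd=,type:str]
    SMTP_PASSWORD: ENC[AES256_GCM,data:6VnkNO=,iv:eee=,tag:fff=,type:str]
kind: ENC[AES256_GCM,data:ZpTBQFrT,iv:ggg=,tag:hhh=,type:str]
sops:
    age:
        - recipient: age1examplerecipient
    version: 3.7.3
"""


def iter_secret_values(manifest):
    """Yield (block, key, value) for every entry directly under a top-level
    `data:` or `stringData:` mapping; everything else in the file is skipped."""
    block = None
    for line in manifest.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            stripped = line.strip()
            block = stripped[:-1] if stripped in ("data:", "stringData:") else None
            continue
        if block is not None:
            key, _, value = line.strip().partition(":")
            yield block, key.strip(), value.strip()


def classify(value):
    """'sops' for a sops envelope, 'base64' if the value decodes as base64
    (what kubectl emits), 'unknown' otherwise."""
    if SOPS_ENC_RE.match(value):
        return "sops"
    try:
        base64.b64decode(value, validate=True)
    except binascii.Error:
        return "unknown"
    return "base64" if value else "unknown"


def find_unencrypted(manifest):
    """Map each key whose value is not sops-encrypted to its plaintext.
    stringData values are plaintext by definition; data values are base64
    decoded to show that the encoding hides nothing."""
    leaks = {}
    for block, key, value in iter_secret_values(manifest):
        if block == "stringData":
            leaks[key] = value
        elif classify(value) == "base64":
            leaks[key] = base64.b64decode(value).decode("utf-8", errors="replace")
    return leaks


def check_files(paths):
    """Hook entry point: return 1 if any manifest still holds unencrypted values.
    Only key names are reported, so the hook never echoes a secret into CI logs."""
    failed = False
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            leaks = find_unencrypted(fh.read())
        for key in leaks:
            print(f"{path}: {key} is not sops-encrypted (base64 only)", file=sys.stderr)
            failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(check_files(sys.argv[1:]))
    # No files given: show the check on the constructed samples.
    print("plain manifest leaks:", find_unencrypted(PLAIN_MANIFEST))
    print("encrypted manifest leaks:", find_unencrypted(ENCRYPTED_MANIFEST))
```

Wire it up as `python check_secret.py secrets.enc.yaml` in a pre-commit hook (or run it over every `*.yaml` that declares `kind: Secret`); a non-zero exit blocks the commit. The check is deliberately conservative: a value that base64-decodes cleanly is treated as unencrypted even if it happens to be random, because the only values that should reach the repo are `ENC[...]` envelopes.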