Diffstat (limited to '2024/captions/emacsconf-2024-secrets--committing-secrets-with-git-using-sopsmode--jonathan-otsuka--main.vtt')
-rw-r--r--2024/captions/emacsconf-2024-secrets--committing-secrets-with-git-using-sopsmode--jonathan-otsuka--main.vtt725
1 files changed, 725 insertions, 0 deletions
diff --git a/2024/captions/emacsconf-2024-secrets--committing-secrets-with-git-using-sopsmode--jonathan-otsuka--main.vtt b/2024/captions/emacsconf-2024-secrets--committing-secrets-with-git-using-sopsmode--jonathan-otsuka--main.vtt
new file mode 100644
index 00000000..fd90802a
--- /dev/null
+++ b/2024/captions/emacsconf-2024-secrets--committing-secrets-with-git-using-sopsmode--jonathan-otsuka--main.vtt
@@ -0,0 +1,725 @@
+WEBVTT
+
+NOTE Introduction
+
+00:00:00.000 --> 00:00:01.349
+Yeah, my talk is committing
+
+00:00:01.350 --> 00:00:10.189
+secrets with Git via SOPS mode. So what is SOPS? SOPS
+
+00:00:10.190 --> 00:00:15.069
+came originally from Mozilla, and their acronym was Secret
+
+00:00:15.070 --> 00:00:19.669
+Operations, so S-O-P-S. It's a utility that allows you to
+
+00:00:19.670 --> 00:00:24.269
+encrypt pretty much any file you want and then have the
+
+00:00:24.270 --> 00:00:27.869
+ability to commit it or just share it with somebody that has
+
+00:00:27.870 --> 00:00:32.709
+the ability to decrypt it. I've mostly used it with AWS KMS,
+
+00:00:32.710 --> 00:00:36.829
+but there's a number of encryptions, ways you can encrypt
+
+00:00:36.830 --> 00:00:41.909
+it. Um, so yeah, that's what SOPS mode is. Most of the
+
+00:00:41.910 --> 00:00:45.709
+time I've used it is with application or deployment
+
+00:00:45.710 --> 00:00:48.269
+secrets--decrypt them on the fly during a
+
+00:00:48.270 --> 00:00:52.109
+pipeline run and then use them. We've also
+
+00:00:52.110 --> 00:00:56.549
+been using it for kind of a self-service for engineers
+
+00:00:56.550 --> 00:00:59.629
+to be able to say, if there's an API token that they
+
+00:00:59.630 --> 00:01:03.429
+need either in the container or that gets put
+
+00:01:03.430 --> 00:01:09.109
+somewhere else, that's another way to use SOPS.
+
+00:01:09.110 --> 00:01:13.949
+Just sharing secrets. The tooling, there's
+
+00:01:13.950 --> 00:01:16.814
+quite a bit of tooling for Terraform.
+
+00:01:16.815 --> 00:01:19.090
+You can just decrypt it and then use it
+
+00:01:19.091 --> 00:01:21.309
+however you want. Ansible, it's another
+
+00:01:21.310 --> 00:01:23.648
+place, and then Kubernetes...
+
+00:01:23.649 --> 00:01:26.124
+There'll be links at the very end.
+
+00:01:26.125 --> 00:01:28.982
+There's actually a Nix SOPS too.
+
+00:01:28.983 --> 00:01:30.237
+I think there's a link in the end.
+
+00:01:30.238 --> 00:01:32.830
+So yeah, I'll just show a quick demo.
+
+00:01:32.831 --> 00:01:35.286
+I'll actually show it in Emacs too,
+
+00:01:35.287 --> 00:01:36.983
+but this is the idea.
+
+00:01:36.984 --> 00:01:39.450
+I'm just going to create a file
+
+00:01:39.451 --> 00:01:42.051
+and then I'm going to encrypt it with age.
+
+00:01:42.052 --> 00:01:46.874
+Then we should see the encrypted file
+
+00:01:46.875 --> 00:01:53.189
+be output here. The idea is you can decrypt it
+
+00:01:53.190 --> 00:01:59.349
+there. So my talk was... the reason how my
+
+00:01:59.350 --> 00:02:04.429
+talk came about was there was no mode like this yet.
+
+00:02:04.430 --> 00:02:08.829
+So I didn't want to have to...
+
+00:02:08.830 --> 00:02:10.269
+What you can do is you can pass
+
+00:02:10.270 --> 00:02:13.029
+in the editor variable, set your Emacs,
+
+00:02:13.030 --> 00:02:16.441
+then call the command, but that opens
+
+00:02:16.442 --> 00:02:20.589
+a whole new window. I wanted to live in my
+
+00:02:20.590 --> 00:02:22.994
+current Emacs. So this is that
+
+00:02:22.995 --> 00:02:25.555
+same encrypted file that we just created.
+
+00:02:25.556 --> 00:02:28.566
+I'm going to quickly do C-c C-d.
+
+00:02:28.567 --> 00:02:32.309
+So now we're in the SOPS decrypted mode of the
+
+00:02:32.310 --> 00:02:38.057
+file. I can save this, or make changes and save it.
+
+00:02:38.058 --> 00:02:39.963
+And then it resaves it.
+
+00:02:39.964 --> 00:02:42.918
+I'll just show you that decrypting it
+
+00:02:42.919 --> 00:02:44.629
+shows what we changed.
+
+00:02:44.630 --> 00:02:52.831
+I think that's most of my talk.
+
+00:02:52.832 --> 00:02:55.882
+There's future stuff that I would like to do
+
+00:02:55.883 --> 00:03:00.447
+with this. There's no way to create SOPS files
+
+00:03:00.448 --> 00:03:03.191
+from scratch. And then just putting more
+
+00:03:03.192 --> 00:03:06.069
+documentation around the other ways you can
+
+00:03:06.070 --> 00:03:14.029
+set up your editor to decrypt. But yeah,
+
+00:03:14.030 --> 00:03:19.109
+here's all the links. I haven't uploaded
+
+00:03:19.110 --> 00:03:23.309
+this yet, but yeah, that is my talk.
+
+NOTE Q&A technical issues
+
+00:03:23.310 --> 00:03:27.770
+[Leo] Okay. Thank you, Jonathan.
+
+00:03:27.771 --> 00:03:32.692
+Let me just make sure. So everything you've mentioned
+
+00:03:32.693 --> 00:03:34.887
+about putting stuff available to everyone,
+
+00:03:34.888 --> 00:03:36.469
+we'll make sure that everything
+
+00:03:36.470 --> 00:03:38.513
+ends up on the pad and on the website,
+
+00:03:38.514 --> 00:03:40.850
+so don't worry. Let me see if we can get up
+
+00:03:40.851 --> 00:03:41.753
+the pad for you.
+
+00:03:41.754 --> 00:03:43.284
+Do you have any preference with regards
+
+00:03:43.285 --> 00:03:45.467
+to the questions? Do you want to read them yourself
+
+00:03:45.468 --> 00:03:50.121
+or do you want one of us to read them for you?
+
+00:03:50.122 --> 00:03:53.389
+[Jonathan]: I'm okay with talking first,
+
+00:03:53.390 --> 00:03:57.461
+saying it out loud if there are some.
+
+00:03:57.462 --> 00:04:00.749
+[Leo]: Sure. Let me just find you the pads.
+
+00:04:00.750 --> 00:04:02.757
+Where is it? There you go.
+
+00:04:02.758 --> 00:04:05.409
+Do you have access to the pad on your end?
+
+00:04:05.410 --> 00:04:06.153
+Yep.
+
+00:04:06.154 --> 00:04:09.549
+Okay. Well, if you, since you're already showing
+
+00:04:09.550 --> 00:04:12.389
+your screen, if you can maybe switch the window to the one
+
+00:04:12.390 --> 00:04:13.435
+that is hosting the pad
+
+00:04:13.436 --> 00:04:15.814
+and feel free to start answering questions.
+
+00:04:15.815 --> 00:04:16.262
+Yep.
+
+00:04:16.263 --> 00:04:20.109
+It didn't look like we have any yet, but...
+
+00:04:20.110 --> 00:04:21.942
+Well, there's still coming, don't worry.
+
+00:04:21.943 --> 00:04:29.149
+We're just waiting for people to catch up.
+
+00:04:29.150 --> 00:04:31.533
+I probably need to make it bigger.
+
+00:04:31.534 --> 00:04:34.460
+Is it big enough or do I need to make it bigger?
+
+00:04:34.461 --> 00:04:40.247
+Right now, it's just a black screen on my end, so...
+
+00:04:40.248 --> 00:04:45.269
+Oh, wow. Weird. I can see it on mine, weirdly.
+
+00:04:45.270 --> 00:04:47.536
+Maybe it's just me. Let me check here.
+
+00:04:47.537 --> 00:04:48.989
+No, it seems to be just a
+
+00:04:48.990 --> 00:04:50.069
+black square, even on the stream.
+
+00:04:50.070 --> 00:05:00.927
+Try it again. That change at all? No, it's still black.
+
+00:05:00.928 --> 00:05:02.743
+Can you maybe start switching window
+
+00:05:02.744 --> 00:05:04.069
+and coming back to the one?
+
+00:05:04.070 --> 00:05:08.869
+Otherwise, I'll just stream it on my end.
+
+00:05:08.870 --> 00:05:13.629
+Yeah. All right, I'll do it. I'll take presenter in just a
+
+00:05:13.630 --> 00:05:22.229
+second. Yeah, sorry about that. Thank you.
+
+00:05:22.230 --> 00:05:27.069
+If I can take presenter, and I will share the screen.
+
+00:05:27.070 --> 00:05:36.749
+Sorry, I'm just trying to find a chat. There we go.
+
+00:05:36.750 --> 00:05:39.509
+Normally, I'm not supposed to be on the dev track, which is
+
+00:05:39.510 --> 00:05:42.309
+why I'm confusing all my windows. Give me just a second.
+
+00:05:42.310 --> 00:05:53.709
+Shell, casual. So we are on the dev track, and it is this
+
+00:05:53.710 --> 00:05:54.189
+one.
+
+00:05:54.190 --> 00:06:08.229
+There we go. No, that's not a guide, damn it. Secrets.
+
+00:06:08.230 --> 00:06:10.109
+And...
+
+00:06:10.110 --> 00:06:15.509
+There we go, finally.
+
+00:06:15.510 --> 00:06:19.109
+Ah. Probably just for the delay, do some jazz hands in the
+
+00:06:19.110 --> 00:06:20.889
+background as we did in the start.
+
+00:06:20.890 --> 00:06:23.600
+It feels like Yordle[??] Castle this year,
+
+00:06:23.601 --> 00:06:25.462
+where nothing works properly.
+
+00:06:25.463 --> 00:06:26.269
+That's right.
+
+00:06:26.270 --> 00:06:39.149
+All right. There we go. It's loading up. Obviously.
+
+00:06:39.150 --> 00:06:44.189
+There we go.
+
+00:06:44.190 --> 00:06:49.189
+All right. You should be able to see my screen now. Yep. All
+
+00:06:49.190 --> 00:06:53.789
+right. So, well, we've gone so far. Oh, it did stop. Damn it.
+
+00:06:53.790 --> 00:07:02.989
+Sorry, now it's BBB not behaving properly. That's right.
+
+00:07:02.990 --> 00:07:10.309
+Okay, let me just join, leave and join again. Okay. I just did
+
+00:07:10.310 --> 00:07:11.909
+exactly that for what it's worth.
+
+00:07:11.910 --> 00:07:26.189
+Nothing. All right.
+
+00:07:26.190 --> 00:07:29.029
+All right, I seem to be back. Let me show. And there we go.
+
+00:07:29.030 --> 00:07:36.909
+All right, everything is working. I'm not touching
+
+00:07:36.910 --> 00:07:39.187
+anything. So. Cool.
+
+NOTE Q: Can you describe some potential interactive uses for this within Emacs?
+
+00:07:39.188 --> 00:07:43.629
+Yeah, I'll just start with the top. Can
+
+00:07:43.630 --> 00:07:47.349
+you describe some potential interactive uses for this with
+
+00:07:47.350 --> 00:07:52.789
+an Emacs? Um, I'm, I'm not actually sure what this means.
+
+00:07:52.790 --> 00:08:01.029
+Could we, could you add some more context maybe? Or, um,
+
+00:08:01.030 --> 00:08:03.549
+I think we'll maybe come back to that one. I'm not sure what,
+
+00:08:03.550 --> 00:08:08.531
+uh, potential interactive uses mean, but.
+
+NOTE Q: Is this saved in the repo or file as \"run sops here\" or is the encrypted blob in the git repo?
+
+00:08:08.532 --> 00:08:10.429
+Yep. Uh, is this
+
+00:08:10.430 --> 00:08:18.749
+saved in the repo or file as run SOPs here? Oh, encrypted.
+
+00:08:18.750 --> 00:08:24.829
+They're saved as just text files so that you can do
+
+00:08:24.830 --> 00:08:28.103
+SOPs and encrypt like a binary. I think in the end,
+
+00:08:28.104 --> 00:08:30.819
+no matter what, they become just a text file,
+
+00:08:30.820 --> 00:08:34.520
+and then it does the encoding and decoding on the fly
+
+00:08:34.521 --> 00:08:36.753
+when you encrypt or decrypt. So no matter
+
+00:08:36.754 --> 00:08:41.984
+what it's going to be, I think it might just be
+
+00:08:41.985 --> 00:08:44.989
+a JSON in the end. Uh, so yeah.
+
+00:08:44.990 --> 00:08:56.309
+I'll try to, well, I can type out that answer, but all
+
+00:08:56.310 --> 00:08:56.855
+right.
+
+00:08:56.856 --> 00:08:59.429
+Don't worry about typing it out.
+
+00:08:59.430 --> 00:09:00.989
+We are gathering the
+
+00:09:00.990 --> 00:09:04.069
+recordings at the end, you know, even answers that are not
+
+00:09:04.070 --> 00:09:05.782
+provided, we'll type them out eventually.
+
+00:09:05.783 --> 00:09:09.029
+So don't stress too much about the actual answers being written.
+
+00:09:09.030 --> 00:09:12.066
+Okay. All right. So I'll go to the third one.
+
+NOTE Q: How do you decide whether to use SOPS or other solutions such as pass-cli?
+
+00:09:12.067 --> 00:09:13.189
+How do you decide
+
+00:09:13.190 --> 00:09:18.949
+whether to use SOPS or other solutions such as pass-cli?
+
+00:09:18.950 --> 00:09:24.469
+The biggest use case that I've been using it recently is,
+
+00:09:24.470 --> 00:09:29.109
+Bitbucket has a way to... In a repository,
+
+00:09:29.110 --> 00:09:35.829
+you can store non-secrets and secrets. So
+
+00:09:35.830 --> 00:09:39.549
+we're trying to move the secrets into the repository
+
+00:09:39.550 --> 00:09:43.109
+and then allow the engineers to have
+
+00:09:43.110 --> 00:09:48.789
+access to that.
+
+00:09:48.790 --> 00:09:52.389
+Bitbucket variables is a black box. Since the devs can
+
+00:09:52.390 --> 00:09:56.841
+access it, it's manual work for everybody
+
+00:09:56.842 --> 00:10:00.869
+that has to deal with it. Since we're moving
+
+00:10:00.870 --> 00:10:04.339
+SOPS-encrypted files into the repo,
+
+00:10:04.340 --> 00:10:06.830
+now there's that trackability
+
+00:10:06.831 --> 00:10:10.942
+from who made the change and what it changed from,
+
+00:10:10.943 --> 00:10:16.589
+what did it go to, and just things like that.
+
+00:10:16.590 --> 00:10:23.629
+You can use it anytime you'd want to commit them.
+
+NOTE Q: One limitation with guix (similar package manager to nix) is there is no great way of storing secrets in the store, would SOPS be useful for this?
+
+00:10:23.630 --> 00:10:32.029
+One limitation with GUIX is there's no great way to store
+
+00:10:32.030 --> 00:10:36.869
+secrets in the store. Yeah, I think, sorry... Let me. One
+
+00:10:36.870 --> 00:10:40.189
+limitation of GUIX is there's no way to store secrets in the
+
+00:10:40.190 --> 00:10:42.108
+store. Would SOPS be useful for this?
+
+00:10:42.109 --> 00:10:44.829
+I think so, but I don't know how
+
+00:10:44.830 --> 00:10:48.869
+that package manager works, if it's just like
+
+00:10:48.870 --> 00:10:52.989
+some sort of "you decrypt and then you run the package
+
+00:10:52.990 --> 00:10:56.109
+manager," then yeah, that's a lot of our workflows.
+
+00:10:56.110 --> 00:10:58.989
+If we're doing a deployment and the container
+
+00:10:58.990 --> 00:11:01.629
+needs it, we'll decrypt, put that in
+
+00:11:01.630 --> 00:11:03.829
+whatever place, or source it if it's an
+
+00:11:03.830 --> 00:11:06.629
+environment file for the container, and then
+
+00:11:06.630 --> 00:11:11.982
+pass it in. I think it'd be a great choice there.
+
+NOTE Q: Wacky question: what happens in sops-mode if you encrypt the already encrypted file as if it was plaintext?
+
+00:11:11.983 --> 00:11:17.069
+A wacky question. What happens in sops mode if you
+
+00:11:17.070 --> 00:11:21.709
+encrypt an already encrypted file as if it was plain text?
+
+00:11:21.710 --> 00:11:24.949
+You know, I might have actually accidentally did that
+
+00:11:24.950 --> 00:11:29.709
+today. I didn't actually see the resulting file. But that's
+
+00:11:29.710 --> 00:11:31.709
+a great question.
+
+00:11:31.710 --> 00:11:38.189
+Well, it's technically still binary, isn't it, at the end?
+
+00:11:38.190 --> 00:11:40.389
+You've got binary stuff that is being encrypted
+
+00:11:40.390 --> 00:11:42.949
+again. It's just double encryption.
+
+00:11:42.950 --> 00:11:44.842
+I'm pretty sure it works.
+
+00:11:44.843 --> 00:11:48.869
+Yeah, probably. I'm going to go back up to the
+
+00:11:48.870 --> 00:11:49.438
+top one.
+
+NOTE Q: can you describe some potential interactive uses for this within Emacs
+
+00:11:49.439 --> 00:11:52.469
+Can you describe some potential interactive uses
+
+00:11:52.470 --> 00:11:57.349
+for this within Emacs? Is there some other activity that
+
+00:11:57.350 --> 00:12:01.909
+would enable or it would be enabled with SOPS decryption
+
+00:12:01.910 --> 00:12:12.529
+first, like an IT configuration task.
+
+00:12:12.530 --> 00:12:18.509
+So in the README right now,
+
+00:12:18.510 --> 00:12:22.629
+there is a block and it's called SOPS setup
+
+00:12:22.630 --> 00:12:27.687
+environment. I think it's a hook. Don't quote me.
+
+00:12:27.688 --> 00:12:29.596
+I haven't touched it in a while.
+
+00:12:29.597 --> 00:12:32.051
+I think that hook runs prior to
+
+00:12:32.052 --> 00:12:35.349
+doing any sort of decryption or encryption.
+
+00:12:35.350 --> 00:12:40.654
+So there's an example in the README for ways
+
+00:12:40.655 --> 00:12:44.669
+that you can set up your SOPS mode for AWS.
+
+00:12:44.670 --> 00:12:51.136
+You can set the profile. It was actually
+
+00:12:51.137 --> 00:12:58.829
+a pretty fun thing to add because with that bit of code,
+
+00:12:58.830 --> 00:13:01.199
+I can pretty much go to any one of our repos
+
+00:13:01.200 --> 00:13:04.085
+and decrypt and encrypt on the fly and
+
+00:13:04.086 --> 00:13:06.749
+not have to do much fanfare of like,
+
+00:13:06.750 --> 00:13:09.269
+well, what account or what profile
+
+00:13:09.270 --> 00:13:12.324
+do I need to switch to? I haven't looked at
+
+00:13:12.325 --> 00:13:15.309
+GCP yet or Azure, and that's kind of one of
+
+00:13:15.310 --> 00:13:19.079
+my future things. I need to maybe look into those
+
+00:13:19.080 --> 00:13:21.055
+to see what they look like
+
+00:13:21.056 --> 00:13:23.909
+and give example configs to help users.
+
+00:13:23.910 --> 00:13:28.993
+Hopefully that answered your question.
+
+00:13:28.994 --> 00:13:30.949
+I think so.
+
+00:13:30.950 --> 00:13:34.849
+Continuing the theme of this, both of you being cursed,
+
+00:13:34.850 --> 00:13:36.947
+my X11 decided to crash.
+
+00:13:36.948 --> 00:13:40.201
+Nothing is going well with this one.
+
+00:13:40.202 --> 00:13:44.509
+Have you answered all the questions? I think so.
+
+00:13:44.510 --> 00:13:46.438
+Well, do you have anything else to add, perhaps?
+
+00:13:46.439 --> 00:13:48.327
+Maybe something that wasn't enough
+
+00:13:48.328 --> 00:13:50.109
+to fit in your live presentation?
+
+00:13:50.110 --> 00:13:56.669
+No, I'm excited to see the other talks and I hope everybody
+
+00:13:56.670 --> 00:13:57.811
+has fun too.
+
+00:13:57.812 --> 00:14:03.303
+Yeah, if you have any other questions, just email me.
+
+00:14:03.304 --> 00:14:05.210
+That's all.
+
+00:14:05.211 --> 00:14:07.594
+I got nothing.
+
+00:14:07.595 --> 00:14:08.222
+Okay, cool.
+
+00:14:08.223 --> 00:14:10.469
+[Leo]: Well, thank you so much, Jonathan, for your
+
+00:14:10.470 --> 00:14:12.789
+presentation. It was, sorry for all the technical
+
+00:14:12.790 --> 00:14:14.162
+problems, we tried our best,
+
+00:14:14.163 --> 00:14:15.532
+but I think we still managed to have
+
+00:14:15.533 --> 00:14:17.309
+a live presentation, and we managed to have some
+
+00:14:17.310 --> 00:14:20.137
+questions from the crowd. So, as far as I'm concerned,
+
+00:14:20.138 --> 00:14:21.837
+I think we did a good job.
+
+00:14:21.838 --> 00:14:24.894
+[Jonathan]: Yeah, you stomped it in this whole dev track,
+
+00:14:24.895 --> 00:14:28.349
+I just have to say. It's been a privilege to jump in
+
+00:14:28.350 --> 00:14:31.069
+with it here and there and to just listen to the great
+
+00:14:31.070 --> 00:14:33.180
+conversations.
+
+00:14:33.181 --> 00:14:38.949
+[Leo]: I think next up we have Emacs and McCLIM,
+
+00:14:38.950 --> 00:14:41.904
+which is going to be a similar format to this talk.
+
+00:14:41.905 --> 00:14:44.709
+We'll probably jump right into that in just about two minutes.
+
+00:14:44.710 --> 00:14:47.821
+We'll give you another countdown here. One second.
+
+00:14:47.822 --> 00:14:49.916
+Well, we arranged that and meanwhile,
+
+00:14:49.917 --> 00:14:51.349
+I just want to take my own
+
+00:14:51.350 --> 00:14:55.309
+little humble opportunity to thank you Jonathan, and I
+
+00:14:55.310 --> 00:14:57.085
+guess everybody else.
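Review bot: Speaker attribution in the Q&A portion of this caption file is inconsistent and mostly missing: the host is tagged `[Leo]` without a colon at 00:03:23.310 but `[Leo]:` at 00:03:57.462 and later, and from 00:04:05.410 through 00:07:39.187 (the technical-issues exchange) no cue carries a label at all, so a reader cannot tell who says "Right now, it's just a black screen on my end" versus "I can see it on mine, weirdly". Suggest settling on one form (`[Leo]:` / `[Jonathan]:`) and tagging each speaker change. Smaller points in the same hunk: the NOTE cue at 00:08:08 contains literal backslashes in `\"run sops here\"`, which will be shown verbatim by WEBVTT renderers and should be plain quotes; "SOPs" at 00:08:10.430 and 00:08:24.830 is a different casing from "SOPS" used everywhere else; and `Yordle[??] Castle` at 00:06:20.890 is an unresolved transcription placeholder that should be either resolved or removed before this file is published.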