2 files changed, 751 insertions, 0 deletions
diff --git a/2024/captions/emacsconf-2024-secrets--committing-secrets-with-git-using-sopsmode--jonathan-otsuka--main--chapters.vtt b/2024/captions/emacsconf-2024-secrets--committing-secrets-with-git-using-sopsmode--jonathan-otsuka--main--chapters.vtt new file mode 100644 index 00000000..01d22a35 --- /dev/null +++ b/2024/captions/emacsconf-2024-secrets--committing-secrets-with-git-using-sopsmode--jonathan-otsuka--main--chapters.vtt @@ -0,0 +1,26 @@ +WEBVTT + + +00:00:00.000 --> 00:03:23.309 +Introduction + +00:03:23.310 --> 00:07:39.187 +Q&A technical issues + +00:07:39.188 --> 00:08:08.531 +Q: Can you describe some potential interactive uses for this within Emacs? + +00:08:08.532 --> 00:09:12.066 +Q: Is this saved in the repo or file as \"run sops here\" or is the encrypted blob in the git repo? + +00:09:12.067 --> 00:10:23.629 +Q: How do you decide whether to use SOPS or other solutions such as pass-cli? + +00:10:23.630 --> 00:11:11.982 +Q: One limitation with guix (similar package manager to nix) is there is no great way of storing secrets in the store, would SOPS be useful for this? + +00:11:11.983 --> 00:11:49.438 +Q: Wacky question: what happens in sops-mode if you encrypt the already encrypted file as if it was plaintext? + +00:11:49.439 --> 00:14:57.085 +Q: can you describe some potential interactive uses for this within Emacs diff --git a/2024/captions/emacsconf-2024-secrets--committing-secrets-with-git-using-sopsmode--jonathan-otsuka--main.vtt b/2024/captions/emacsconf-2024-secrets--committing-secrets-with-git-using-sopsmode--jonathan-otsuka--main.vtt new file mode 100644 index 00000000..fd90802a --- /dev/null +++ b/2024/captions/emacsconf-2024-secrets--committing-secrets-with-git-using-sopsmode--jonathan-otsuka--main.vtt 
@@ -0,0 +1,725 @@ +WEBVTT + +NOTE Introduction + +00:00:00.000 --> 00:00:01.349 +Yeah, my talk is committing + +00:00:01.350 --> 00:00:10.189 +secrets with Git via SOPS mode. So what is SOPS? SOPS + +00:00:10.190 --> 00:00:15.069 +came originally from Mozilla, and their acronym was Secret + +00:00:15.070 --> 00:00:19.669 +Operations, so S-O-P-S. It's a utility that allows you to + +00:00:19.670 --> 00:00:24.269 +encrypt pretty much any file you want and then have the + +00:00:24.270 --> 00:00:27.869 +ability to commit it or just share it with somebody that has + +00:00:27.870 --> 00:00:32.709 +the ability to decrypt it. I've mostly used it with AWS KMS, + +00:00:32.710 --> 00:00:36.829 +but there's a number of encryptions, ways you can encrypt + +00:00:36.830 --> 00:00:41.909 +it. Um, so yeah, that's what SOPS mode is. Most of the + +00:00:41.910 --> 00:00:45.709 +time I've used it is with application or deployment + +00:00:45.710 --> 00:00:48.269 +secrets--decrypt them on the fly during a + +00:00:48.270 --> 00:00:52.109 +pipeline run and then use them. We've also + +00:00:52.110 --> 00:00:56.549 +been using it for kind of a self-service for engineers + +00:00:56.550 --> 00:00:59.629 +to be able to say, if there's an API token that they + +00:00:59.630 --> 00:01:03.429 +need either in the container or that gets put + +00:01:03.430 --> 00:01:09.109 +somewhere else, that's another way to use SOPS. + +00:01:09.110 --> 00:01:13.949 +Just sharing secrets. The tooling, there's + +00:01:13.950 --> 00:01:16.814 +quite a bit of tooling for Terraform. + +00:01:16.815 --> 00:01:19.090 +You can just decrypt it and then use it + +00:01:19.091 --> 00:01:21.309 +however you want. Ansible, it's another + +00:01:21.310 --> 00:01:23.648 +place, and then Kubernetes... + +00:01:23.649 --> 00:01:26.124 +There'll be links at the very end. + +00:01:26.125 --> 00:01:28.982 +There's actually a Nix SOPS too. + +00:01:28.983 --> 00:01:30.237 +I think there's a link in the end. 
+ +00:01:30.238 --> 00:01:32.830 +So yeah, I'll just show a quick demo. + +00:01:32.831 --> 00:01:35.286 +I'll actually show it in Emacs too, + +00:01:35.287 --> 00:01:36.983 +but this is the idea. + +00:01:36.984 --> 00:01:39.450 +I'm just going to create a file + +00:01:39.451 --> 00:01:42.051 +and then I'm going to encrypt it with age. + +00:01:42.052 --> 00:01:46.874 +Then we should see the encrypted file + +00:01:46.875 --> 00:01:53.189 +be output here. The idea is you can decrypt it + +00:01:53.190 --> 00:01:59.349 +there. So my talk was... the reason how my + +00:01:59.350 --> 00:02:04.429 +talk came about was there was no mode like this yet. + +00:02:04.430 --> 00:02:08.829 +So I didn't want to have to... + +00:02:08.830 --> 00:02:10.269 +What you can do is you can pass + +00:02:10.270 --> 00:02:13.029 +in the editor variable, set your Emacs, + +00:02:13.030 --> 00:02:16.441 +then call the command, but that opens + +00:02:16.442 --> 00:02:20.589 +a whole new window. I wanted to live in my + +00:02:20.590 --> 00:02:22.994 +current Emacs. So this is that + +00:02:22.995 --> 00:02:25.555 +same encrypted file that we just created. + +00:02:25.556 --> 00:02:28.566 +I'm going to quickly do C-c C-d. + +00:02:28.567 --> 00:02:32.309 +So now we're in the SOPS decrypted mode of the + +00:02:32.310 --> 00:02:38.057 +file. I can save this, or make changes and save it. + +00:02:38.058 --> 00:02:39.963 +And then it resaves it. + +00:02:39.964 --> 00:02:42.918 +I'll just show you that decrypting it + +00:02:42.919 --> 00:02:44.629 +shows what we changed. + +00:02:44.630 --> 00:02:52.831 +I think that's most of my talk. + +00:02:52.832 --> 00:02:55.882 +There's future stuff that I would like to do + +00:02:55.883 --> 00:03:00.447 +with this. There's no way to create SOPS files + +00:03:00.448 --> 00:03:03.191 +from scratch. 
And then just putting more + +00:03:03.192 --> 00:03:06.069 +documentation around the other ways you can + +00:03:06.070 --> 00:03:14.029 +set up your editor to decrypt. But yeah, + +00:03:14.030 --> 00:03:19.109 +here's all the links. I haven't uploaded + +00:03:19.110 --> 00:03:23.309 +this yet, but yeah, that is my talk. + +NOTE Q&A technical issues + +00:03:23.310 --> 00:03:27.770 +[Leo] Okay. Thank you, Jonathan. + +00:03:27.771 --> 00:03:32.692 +Let me just make sure. So everything you've mentioned + +00:03:32.693 --> 00:03:34.887 +about putting stuff available to everyone, + +00:03:34.888 --> 00:03:36.469 +we'll make sure that everything + +00:03:36.470 --> 00:03:38.513 +ends up on the pad and on the website, + +00:03:38.514 --> 00:03:40.850 +so don't worry. Let me see if we can get up + +00:03:40.851 --> 00:03:41.753 +the pad for you. + +00:03:41.754 --> 00:03:43.284 +Do you have any preference with regards + +00:03:43.285 --> 00:03:45.467 +to the questions? Do you want to read them yourself + +00:03:45.468 --> 00:03:50.121 +or do you want one of us to read them for you? + +00:03:50.122 --> 00:03:53.389 +[Jonathan]: I'm okay with talking first, + +00:03:53.390 --> 00:03:57.461 +saying it out loud if there are some. + +00:03:57.462 --> 00:04:00.749 +[Leo]: Sure. Let me just find you the pads. + +00:04:00.750 --> 00:04:02.757 +Where is it? There you go. + +00:04:02.758 --> 00:04:05.409 +Do you have access to the pad on your end? + +00:04:05.410 --> 00:04:06.153 +Yep. + +00:04:06.154 --> 00:04:09.549 +Okay. Well, if you, since you're already showing + +00:04:09.550 --> 00:04:12.389 +your screen, if you can maybe switch the window to the one + +00:04:12.390 --> 00:04:13.435 +that is hosting the pad + +00:04:13.436 --> 00:04:15.814 +and feel free to start answering questions. + +00:04:15.815 --> 00:04:16.262 +Yep. + +00:04:16.263 --> 00:04:20.109 +It didn't look like we have any yet, but... 
+ +00:04:20.110 --> 00:04:21.942 +Well, there's still coming, don't worry. + +00:04:21.943 --> 00:04:29.149 +We're just waiting for people to catch up. + +00:04:29.150 --> 00:04:31.533 +I probably need to make it bigger. + +00:04:31.534 --> 00:04:34.460 +Is it big enough or do I need to make it bigger? + +00:04:34.461 --> 00:04:40.247 +Right now, it's just a black screen on my end, so... + +00:04:40.248 --> 00:04:45.269 +Oh, wow. Weird. I can see it on mine, weirdly. + +00:04:45.270 --> 00:04:47.536 +Maybe it's just me. Let me check here. + +00:04:47.537 --> 00:04:48.989 +No, it seems to be just a + +00:04:48.990 --> 00:04:50.069 +black square, even on the stream. + +00:04:50.070 --> 00:05:00.927 +Try it again. That change at all? No, it's still black. + +00:05:00.928 --> 00:05:02.743 +Can you maybe start switching window + +00:05:02.744 --> 00:05:04.069 +and coming back to the one? + +00:05:04.070 --> 00:05:08.869 +Otherwise, I'll just stream it on my end. + +00:05:08.870 --> 00:05:13.629 +Yeah. All right, I'll do it. I'll take presenter in just a + +00:05:13.630 --> 00:05:22.229 +second. Yeah, sorry about that. Thank you. + +00:05:22.230 --> 00:05:27.069 +If I can take presenter, and I will share the screen. + +00:05:27.070 --> 00:05:36.749 +Sorry, I'm just trying to find a chat. There we go. + +00:05:36.750 --> 00:05:39.509 +Normally, I'm not supposed to be on the dev track, which is + +00:05:39.510 --> 00:05:42.309 +why I'm confusing all my windows. Give me just a second. + +00:05:42.310 --> 00:05:53.709 +Shell, casual. So we are on the dev track, and it is this + +00:05:53.710 --> 00:05:54.189 +one. + +00:05:54.190 --> 00:06:08.229 +There we go. No, that's not a guide, damn it. Secrets. + +00:06:08.230 --> 00:06:10.109 +And... + +00:06:10.110 --> 00:06:15.509 +There we go, finally. + +00:06:15.510 --> 00:06:19.109 +Ah. Probably just for the delay, do some jazz hands in the + +00:06:19.110 --> 00:06:20.889 +background as we did in the start. 
+ +00:06:20.890 --> 00:06:23.600 +It feels like Yordle[??] Castle this year, + +00:06:23.601 --> 00:06:25.462 +where nothing works properly. + +00:06:25.463 --> 00:06:26.269 +That's right. + +00:06:26.270 --> 00:06:39.149 +All right. There we go. It's loading up. Obviously. + +00:06:39.150 --> 00:06:44.189 +There we go. + +00:06:44.190 --> 00:06:49.189 +All right. You should be able to see my screen now. Yep. All + +00:06:49.190 --> 00:06:53.789 +right. So, well, we've gone so far. Oh, it did stop. Damn it. + +00:06:53.790 --> 00:07:02.989 +Sorry, now it's BBB not behaving properly. That's right. + +00:07:02.990 --> 00:07:10.309 +Okay, let me just join, leave and join again. Okay. I just did + +00:07:10.310 --> 00:07:11.909 +exactly that for what it's worth. + +00:07:11.910 --> 00:07:26.189 +Nothing. All right. + +00:07:26.190 --> 00:07:29.029 +All right, I seem to be back. Let me show. And there we go. + +00:07:29.030 --> 00:07:36.909 +All right, everything is working. I'm not touching + +00:07:36.910 --> 00:07:39.187 +anything. So. Cool. + +NOTE Q: Can you describe some potential interactive uses for this within Emacs? + +00:07:39.188 --> 00:07:43.629 +Yeah, I'll just start with the top. Can + +00:07:43.630 --> 00:07:47.349 +you describe some potential interactive uses for this with + +00:07:47.350 --> 00:07:52.789 +an Emacs? Um, I'm, I'm not actually sure what this means. + +00:07:52.790 --> 00:08:01.029 +Could we, could you add some more context maybe? Or, um, + +00:08:01.030 --> 00:08:03.549 +I think we'll maybe come back to that one. I'm not sure what, + +00:08:03.550 --> 00:08:08.531 +uh, potential interactive uses mean, but. + +NOTE Q: Is this saved in the repo or file as \"run sops here\" or is the encrypted blob in the git repo? + +00:08:08.532 --> 00:08:10.429 +Yep. Uh, is this + +00:08:10.430 --> 00:08:18.749 +saved in the repo or file as run SOPs here? Oh, encrypted. 
+ +00:08:18.750 --> 00:08:24.829 +They're saved as just text files so that you can do + +00:08:24.830 --> 00:08:28.103 +SOPs and encrypt like a binary. I think in the end, + +00:08:28.104 --> 00:08:30.819 +no matter what, they become just a text file, + +00:08:30.820 --> 00:08:34.520 +and then it does the encoding and decoding on the fly + +00:08:34.521 --> 00:08:36.753 +when you encrypt or decrypt. So no matter + +00:08:36.754 --> 00:08:41.984 +what it's going to be, I think it might just be + +00:08:41.985 --> 00:08:44.989 +a JSON in the end. Uh, so yeah. + +00:08:44.990 --> 00:08:56.309 +I'll try to, well, I can type out that answer, but all + +00:08:56.310 --> 00:08:56.855 +right. + +00:08:56.856 --> 00:08:59.429 +Don't worry about typing it out. + +00:08:59.430 --> 00:09:00.989 +We are gathering the + +00:09:00.990 --> 00:09:04.069 +recordings at the end, you know, even answers that are not + +00:09:04.070 --> 00:09:05.782 +provided, we'll type them out eventually. + +00:09:05.783 --> 00:09:09.029 +So don't stress too much about the actual answers being written. + +00:09:09.030 --> 00:09:12.066 +Okay. All right. So I'll go to the third one. + +NOTE Q: How do you decide whether to use SOPS or other solutions such as pass-cli? + +00:09:12.067 --> 00:09:13.189 +How do you decide + +00:09:13.190 --> 00:09:18.949 +whether to use SOPS or other solutions such as pass-cli? + +00:09:18.950 --> 00:09:24.469 +The biggest use case that I've been using it recently is, + +00:09:24.470 --> 00:09:29.109 +Bitbucket has a way to... In a repository, + +00:09:29.110 --> 00:09:35.829 +you can store non-secrets and secrets. So + +00:09:35.830 --> 00:09:39.549 +we're trying to move the secrets into the repository + +00:09:39.550 --> 00:09:43.109 +and then allow the engineers to have + +00:09:43.110 --> 00:09:48.789 +access to that. + +00:09:48.790 --> 00:09:52.389 +Bitbucket variables is a black box. 
Since the devs can + +00:09:52.390 --> 00:09:56.841 +access it, it's manual work for everybody + +00:09:56.842 --> 00:10:00.869 +that has to deal with it. Since we're moving + +00:10:00.870 --> 00:10:04.339 +SOPS-encrypted files into the repo, + +00:10:04.340 --> 00:10:06.830 +now there's that trackability + +00:10:06.831 --> 00:10:10.942 +from who made the change and what it changed from, + +00:10:10.943 --> 00:10:16.589 +what did it go to, and just things like that. + +00:10:16.590 --> 00:10:23.629 +You can use it anytime you'd want to commit them. + +NOTE Q: One limitation with guix (similar package manager to nix) is there is no great way of storing secrets in the store, would SOPS be useful for this? + +00:10:23.630 --> 00:10:32.029 +One limitation with GUIX is there's no great way to store + +00:10:32.030 --> 00:10:36.869 +secrets in the store. Yeah, I think, sorry... Let me. One + +00:10:36.870 --> 00:10:40.189 +limitation of GUIX is there's no way to store secrets in the + +00:10:40.190 --> 00:10:42.108 +store. Would SOPS be useful for this? + +00:10:42.109 --> 00:10:44.829 +I think so, but I don't know how + +00:10:44.830 --> 00:10:48.869 +that package manager works, if it's just like + +00:10:48.870 --> 00:10:52.989 +some sort of "you decrypt and then you run the package + +00:10:52.990 --> 00:10:56.109 +manager," then yeah, that's a lot of our workflows. + +00:10:56.110 --> 00:10:58.989 +If we're doing a deployment and the container + +00:10:58.990 --> 00:11:01.629 +needs it, we'll decrypt, put that in + +00:11:01.630 --> 00:11:03.829 +whatever place, or source it if it's an + +00:11:03.830 --> 00:11:06.629 +environment file for the container, and then + +00:11:06.630 --> 00:11:11.982 +pass it in. I think it'd be a great choice there. + +NOTE Q: Wacky question: what happens in sops-mode if you encrypt the already encrypted file as if it was plaintext? + +00:11:11.983 --> 00:11:17.069 +A wacky question. 
What happens in sops mode if you + +00:11:17.070 --> 00:11:21.709 +encrypt an already encrypted file as if it was plain text? + +00:11:21.710 --> 00:11:24.949 +You know, I might have actually accidentally did that + +00:11:24.950 --> 00:11:29.709 +today. I didn't actually see the resulting file. But that's + +00:11:29.710 --> 00:11:31.709 +a great question. + +00:11:31.710 --> 00:11:38.189 +Well, it's technically still binary, isn't it, at the end? + +00:11:38.190 --> 00:11:40.389 +You've got binary stuff that is being encrypted + +00:11:40.390 --> 00:11:42.949 +again. It's just double encryption. + +00:11:42.950 --> 00:11:44.842 +I'm pretty sure it works. + +00:11:44.843 --> 00:11:48.869 +Yeah, probably. I'm going to go back up to the + +00:11:48.870 --> 00:11:49.438 +top one. + +NOTE Q: can you describe some potential interactive uses for this within Emacs + +00:11:49.439 --> 00:11:52.469 +Can you describe some potential interactive uses + +00:11:52.470 --> 00:11:57.349 +for this within Emacs? Is there some other activity that + +00:11:57.350 --> 00:12:01.909 +would enable or it would be enabled with SOPS decryption + +00:12:01.910 --> 00:12:12.529 +first, like an IT configuration task. + +00:12:12.530 --> 00:12:18.509 +So in the README right now, + +00:12:18.510 --> 00:12:22.629 +there is a block and it's called SOPS setup + +00:12:22.630 --> 00:12:27.687 +environment. I think it's a hook. Don't quote me. + +00:12:27.688 --> 00:12:29.596 +I haven't touched it in a while. + +00:12:29.597 --> 00:12:32.051 +I think that hook runs prior to + +00:12:32.052 --> 00:12:35.349 +doing any sort of decryption or encryption. + +00:12:35.350 --> 00:12:40.654 +So there's an example in the README for ways + +00:12:40.655 --> 00:12:44.669 +that you can set up your SOPS mode for AWS. + +00:12:44.670 --> 00:12:51.136 +You can set the profile. 
It was actually + +00:12:51.137 --> 00:12:58.829 +a pretty fun thing to add because with that bit of code, + +00:12:58.830 --> 00:13:01.199 +I can pretty much go to any one of our repos + +00:13:01.200 --> 00:13:04.085 +and decrypt and encrypt on the fly and + +00:13:04.086 --> 00:13:06.749 +not have to do much fanfare of like, + +00:13:06.750 --> 00:13:09.269 +well, what account or what profile + +00:13:09.270 --> 00:13:12.324 +do I need to switch to? I haven't looked at + +00:13:12.325 --> 00:13:15.309 +GCP yet or Azure, and that's kind of one of + +00:13:15.310 --> 00:13:19.079 +my future things. I need to maybe look into those + +00:13:19.080 --> 00:13:21.055 +to see what they look like + +00:13:21.056 --> 00:13:23.909 +and give example configs to help users. + +00:13:23.910 --> 00:13:28.993 +Hopefully that answered your question. + +00:13:28.994 --> 00:13:30.949 +I think so. + +00:13:30.950 --> 00:13:34.849 +Continuing the theme of this, both of you being cursed, + +00:13:34.850 --> 00:13:36.947 +my X11 decided to crash. + +00:13:36.948 --> 00:13:40.201 +Nothing is going well with this one. + +00:13:40.202 --> 00:13:44.509 +Have you answered all the questions? I think so. + +00:13:44.510 --> 00:13:46.438 +Well, do you have anything else to add, perhaps? + +00:13:46.439 --> 00:13:48.327 +Maybe something that wasn't enough + +00:13:48.328 --> 00:13:50.109 +to fit in your live presentation? + +00:13:50.110 --> 00:13:56.669 +No, I'm excited to see the other talks and I hope everybody + +00:13:56.670 --> 00:13:57.811 +has fun too. + +00:13:57.812 --> 00:14:03.303 +Yeah, if you have any other questions, just email me. + +00:14:03.304 --> 00:14:05.210 +That's all. + +00:14:05.211 --> 00:14:07.594 +I got nothing. + +00:14:07.595 --> 00:14:08.222 +Okay, cool. + +00:14:08.223 --> 00:14:10.469 +[Leo]: Well, thank you so much, Jonathan, for your + +00:14:10.470 --> 00:14:12.789 +presentation. 
It was, sorry for all the technical + +00:14:12.790 --> 00:14:14.162 +problems, we tried our best, + +00:14:14.163 --> 00:14:15.532 +but I think we still managed to have + +00:14:15.533 --> 00:14:17.309 +a live presentation, and we managed to have some + +00:14:17.310 --> 00:14:20.137 +questions from the crowd. So, as far as I'm concerned, + +00:14:20.138 --> 00:14:21.837 +I think we did a good job. + +00:14:21.838 --> 00:14:24.894 +[Jonathan]: Yeah, you stomped it in this whole dev track, + +00:14:24.895 --> 00:14:28.349 +I just have to say. It's been a privilege to jump in + +00:14:28.350 --> 00:14:31.069 +with it here and there and to just listen to the great + +00:14:31.070 --> 00:14:33.180 +conversations. + +00:14:33.181 --> 00:14:38.949 +[Leo]: I think next up we have Emacs and McCLIM, + +00:14:38.950 --> 00:14:41.904 +which is going to be a similar format to this talk. + +00:14:41.905 --> 00:14:44.709 +We'll probably jump right into that in just about two minutes. + +00:14:44.710 --> 00:14:47.821 +We'll give you another countdown here. One second. + +00:14:47.822 --> 00:14:49.916 +Well, we arranged that and meanwhile, + +00:14:49.917 --> 00:14:51.349 +I just want to take my own + +00:14:51.350 --> 00:14:55.309 +little humble opportunity to thank you Jonathan, and I + +00:14:55.310 --> 00:14:57.085 +guess everybody else. |
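Review bot: in the chapters file, the backslash-escaped quotes in the cue at 00:08:08.532 (`Q: Is this saved in the repo or file as \"run sops here\" or is the encrypted blob in the git repo?`) are not WebVTT syntax, so the backslashes will be displayed verbatim in the chapter title; write plain `"run sops here"`. The cues at 00:07:39.188 and 00:11:49.439 also carry the same title with different capitalisation and punctuation (`Q: Can you describe some potential interactive uses for this within Emacs?` versus `Q: can you describe some potential interactive uses for this within Emacs`); since the second one is where the question is actually answered, consider normalising the casing and marking it, for example with `(revisited)`, so the two chapters are distinguishable in a chapter list.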
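Review bot: in the main captions file, the same backslash-escaped quotes appear in the `NOTE Q: Is this saved in the repo or file as \"run sops here\" or is the encrypted blob in the git repo?` comment block; NOTE text in WebVTT is plain text, so drop the backslashes. The cue at 00:06:20.890 still contains the transcription placeholder `Yordle[??] Castle`, which should be resolved or removed before the captions are published. Speaker labels are applied inconsistently (`[Leo]` without a colon at 00:03:23.310, `[Leo]:` and `[Jonathan]:` elsewhere, and most Q&A turns unlabelled), and the tool name is spelled `SOPs` in the cues at 00:08:10.430 and 00:08:24.830 but `SOPS` everywhere else; pick one form of each and apply it throughout.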