-rw-r--r-- | 2024/talks/secrets.md | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/2024/talks/secrets.md b/2024/talks/secrets.md index ebe75187..c6e4eae9 100644 --- a/2024/talks/secrets.md +++ b/2024/talks/secrets.md 
@@ -19,6 +19,34 @@ About the speaker: My name is Jonathan Otsuka. I have a background in software development and SRE/DevOps. In my free time, I enjoy optimizing my workflow, contributing to open-source projects I use, and engaging in swimming and cycling. +# Discussion + +- Q: can you describe some potential interactive uses for this within + Emacs. Is there some other activity that would be enabled with sops + decryption first. Like an IT or configuration task that requires + authentication + - So in the README right now, there is a block and it's called SOPS setup environment. I think it's a hook. Don't quote me. I haven't touched it in a while. I think that hook runs prior to doing any sort of decryption or encryption. So there's an example in the README for ways that you can set up your SOPS mode for AWS. You can set the profile. It was actually a pretty fun thing to add because with that bit of code, I can pretty much go to any one of our repos and decrypt and encrypt on the fly and not have to do much fanfare of like, well, what account or what profile do I need to switch to? I haven't looked at GCP yet or Azure, and that's kind of one of my future things. I need to maybe look into those to see what they look like and give example configs to help users. Hopefully that answered your question. +- Q:Is this saved in the repo or file as \"run sops here\" or is the + encrypted blob in the git repo? + - A: They're saved as just text files so that you can do SOPs and encrypt like a binary. I think in the end, no matter what, they become just a text file, and then it does the encoding and decoding on the fly when you encrypt or decrypt. So no matter what it's going to be, I think it might just be a JSON in the end. Uh, so yeah. + - Q: Is all the information in the repo, how much would be off the + repo? +- Q: How do you decide whether to use SOPS or other solutions such as + pass-cli? 
(Perhaps not exactly related to this talk) + - A: +- Q:One limitation with guix (similar package manager to nix) is there + is no great way of storing secrets in the store, would SOPS be + useful for this? + - A: The biggest use case that I've been using it recently is, Bitbucket has a way to... In a repository, you can store non-secrets and secrets. So we're trying to move the secrets into the repository and then allow the engineers to have access to that. Bitbucket variables is a black box. Since the devs can access it, it's manual work for everybody that has to deal with it. Since we're moving SOPS-encrypted files into the repo, now there's that trackability from who made the change and what it changed from, what did it go to, and just things like that. You can use it anytime you'd want to commit them. +- Q: One limitation with guix (similar package manager to nix) is there is no great way of storing secrets in the store, would SOPS be useful for this? + - nixos - + [https://github.com/Mic92/sops-nix](https://github.com/Mic92/sops-nix){rel="noreferrer noopener"} + - [https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes](https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes){rel="noreferrer noopener"} + - guix - + [https://github.com/fishinthecalculator/sops-guix](https://github.com/fishinthecalculator/sops-guix){rel="noreferrer noopener"} + - I think so, but I don't know how that package manager works, if it's just like some sort of "you decrypt and then you run the package manager," then yeah, that's a lot of our workflows. If we're doing a deployment and the container needs it, we'll decrypt, put that in whatever place, or source it if it's an environment file for the container, and then pass it in. I think it'd be a great choice there. +- Q:Wacky question: what happens in sops-mode if you encrypt the already encrypted file as if it was plaintext? + - A: You know, I might have actually accidentally did that today. 
I didn't actually see the resulting file. But that's a great question. Well, it's technically still binary, isn't it, at the end? You've got binary stuff that is being encrypted again. It's just double encryption. I'm pretty sure it works. [[!inline pages="internal(2024/info/secrets-after)" raw="yes"]] |
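Review bot: the guix question is added twice, once at `+- Q:One limitation with guix (similar package manager to nix) is there + is no great way of storing secrets in the store` followed by an `A:` about Bitbucket variables that does not address guix at all, and again further down with the sops-nix/sops-guix links and the speaker's actual "I think so" answer. The Bitbucket answer reads as a reply to the unanswered `Q: Is all the information in the repo, how much would be off the repo?` above it; move it there or drop the first copy, and either fill in or remove the empty `- A:` left under the pass-cli question. Minor consistency points in the same hunk: `Q:Is`, `Q:One` and `Q:Wacky` lack the space after `Q:` that the other entries use, the first answer has no `A:` prefix while the rest do, and the backslash-escaped `\"run sops here\"` will render the backslashes literally in markdown.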