WEBVTT

NOTE Introduction

00:00:00.000 --> 00:00:01.349
Yeah, my talk is committing

00:00:01.350 --> 00:00:10.189
secrets with Git via SOPS mode. So what is SOPS? SOPS

00:00:10.190 --> 00:00:15.069
came originally from Mozilla, and their acronym was Secret

00:00:15.070 --> 00:00:19.669
Operations, so S-O-P-S. It's a utility that allows you to

00:00:19.670 --> 00:00:24.269
encrypt pretty much any file you want and then have the

00:00:24.270 --> 00:00:27.869
ability to commit it or just share it with somebody that has

00:00:27.870 --> 00:00:32.709
the ability to decrypt it. I've mostly used it with AWS KMS,

00:00:32.710 --> 00:00:36.829
but there's a number of encryptions, ways you can encrypt

00:00:36.830 --> 00:00:41.909
it. Um, so yeah, that's what SOPS mode is. Most of the

00:00:41.910 --> 00:00:45.709
time I've used it is with application or deployment

00:00:45.710 --> 00:00:48.269
secrets--decrypt them on the fly during a

00:00:48.270 --> 00:00:52.109
pipeline run and then use them. We've also

00:00:52.110 --> 00:00:56.549
been using it for kind of a self-service for engineers

00:00:56.550 --> 00:00:59.629
to be able to say, if there's an API token that they

00:00:59.630 --> 00:01:03.429
need either in the container or that gets put

00:01:03.430 --> 00:01:09.109
somewhere else, that's another way to use SOPS.

00:01:09.110 --> 00:01:13.949
Just sharing secrets. The tooling, there's

00:01:13.950 --> 00:01:16.814
quite a bit of tooling for Terraform.

00:01:16.815 --> 00:01:19.090
You can just decrypt it and then use it

00:01:19.091 --> 00:01:21.309
however you want. Ansible, it's another

00:01:21.310 --> 00:01:23.648
place, and then Kubernetes...

00:01:23.649 --> 00:01:26.124
There'll be links at the very end.

00:01:26.125 --> 00:01:28.982
There's actually a Nix SOPS too.

00:01:28.983 --> 00:01:30.237
I think there's a link in the end.

00:01:30.238 --> 00:01:32.830
So yeah, I'll just show a quick demo.
00:01:32.831 --> 00:01:35.286
I'll actually show it in Emacs too,

00:01:35.287 --> 00:01:36.983
but this is the idea.

00:01:36.984 --> 00:01:39.450
I'm just going to create a file

00:01:39.451 --> 00:01:42.051
and then I'm going to encrypt it with age.

00:01:42.052 --> 00:01:46.874
Then we should see the encrypted file

00:01:46.875 --> 00:01:53.189
be output here. The idea is you can decrypt it

00:01:53.190 --> 00:01:59.349
there. So my talk was... the reason my

00:01:59.350 --> 00:02:04.429
talk came about was there was no mode like this yet.

00:02:04.430 --> 00:02:08.829
So I didn't want to have to...

00:02:08.830 --> 00:02:10.269
What you can do is you can pass

00:02:10.270 --> 00:02:13.029
in the editor variable, set your Emacs,

00:02:13.030 --> 00:02:16.441
then call the command, but that opens

00:02:16.442 --> 00:02:20.589
a whole new window. I wanted to live in my

00:02:20.590 --> 00:02:22.994
current Emacs. So this is that

00:02:22.995 --> 00:02:25.555
same encrypted file that we just created.

00:02:25.556 --> 00:02:28.566
I'm going to quickly do C-c C-d.

00:02:28.567 --> 00:02:32.309
So now we're in the SOPS decrypted mode of the

00:02:32.310 --> 00:02:38.057
file. I can save this, or make changes and save it.

00:02:38.058 --> 00:02:39.963
And then it resaves it.

00:02:39.964 --> 00:02:42.918
I'll just show you that decrypting it

00:02:42.919 --> 00:02:44.629
shows what we changed.

00:02:44.630 --> 00:02:52.831
I think that's most of my talk.

00:02:52.832 --> 00:02:55.882
There's future stuff that I would like to do

00:02:55.883 --> 00:03:00.447
with this. There's no way to create SOPS files

00:03:00.448 --> 00:03:03.191
from scratch. And then just putting more

00:03:03.192 --> 00:03:06.069
documentation around the other ways you can

00:03:06.070 --> 00:03:14.029
set up your editor to decrypt. But yeah,

00:03:14.030 --> 00:03:19.109
here's all the links. I haven't uploaded

00:03:19.110 --> 00:03:23.309
this yet, but yeah, that is my talk.
NOTE Q&A technical issues

00:03:23.310 --> 00:03:27.770
[Leo]: Okay. Thank you, Jonathan.

00:03:27.771 --> 00:03:32.692
Let me just make sure. So everything you've mentioned

00:03:32.693 --> 00:03:34.887
about putting stuff available to everyone,

00:03:34.888 --> 00:03:36.469
we'll make sure that everything

00:03:36.470 --> 00:03:38.513
ends up on the pad and on the website,

00:03:38.514 --> 00:03:40.850
so don't worry. Let me see if we can get up

00:03:40.851 --> 00:03:41.753
the pad for you.

00:03:41.754 --> 00:03:43.284
Do you have any preference with regards

00:03:43.285 --> 00:03:45.467
to the questions? Do you want to read them yourself

00:03:45.468 --> 00:03:50.121
or do you want one of us to read them for you?

00:03:50.122 --> 00:03:53.389
[Jonathan]: I'm okay with talking first,

00:03:53.390 --> 00:03:57.461
saying it out loud if there are some.

00:03:57.462 --> 00:04:00.749
[Leo]: Sure. Let me just find you the pads.

00:04:00.750 --> 00:04:02.757
Where is it? There you go.

00:04:02.758 --> 00:04:05.409
Do you have access to the pad on your end?

00:04:05.410 --> 00:04:06.153
Yep.

00:04:06.154 --> 00:04:09.549
Okay. Well, if you, since you're already showing

00:04:09.550 --> 00:04:12.389
your screen, if you can maybe switch the window to the one

00:04:12.390 --> 00:04:13.435
that is hosting the pad

00:04:13.436 --> 00:04:15.814
and feel free to start answering questions.

00:04:15.815 --> 00:04:16.262
Yep.

00:04:16.263 --> 00:04:20.109
It doesn't look like we have any yet, but...

00:04:20.110 --> 00:04:21.942
Well, they're still coming, don't worry.

00:04:21.943 --> 00:04:29.149
We're just waiting for people to catch up.

00:04:29.150 --> 00:04:31.533
I probably need to make it bigger.

00:04:31.534 --> 00:04:34.460
Is it big enough or do I need to make it bigger?

00:04:34.461 --> 00:04:40.247
Right now, it's just a black screen on my end, so...

00:04:40.248 --> 00:04:45.269
Oh, wow. Weird. I can see it on mine, weirdly.
00:04:45.270 --> 00:04:47.536
Maybe it's just me. Let me check here.

00:04:47.537 --> 00:04:48.989
No, it seems to be just a

00:04:48.990 --> 00:04:50.069
black square, even on the stream.

00:04:50.070 --> 00:05:00.927
Try it again. That change at all? No, it's still black.

00:05:00.928 --> 00:05:02.743
Can you maybe start switching window

00:05:02.744 --> 00:05:04.069
and coming back to the one?

00:05:04.070 --> 00:05:08.869
Otherwise, I'll just stream it on my end.

00:05:08.870 --> 00:05:13.629
Yeah. All right, I'll do it. I'll take presenter in just a

00:05:13.630 --> 00:05:22.229
second. Yeah, sorry about that. Thank you.

00:05:22.230 --> 00:05:27.069
If I can take presenter, and I will share the screen.

00:05:27.070 --> 00:05:36.749
Sorry, I'm just trying to find a chat. There we go.

00:05:36.750 --> 00:05:39.509
Normally, I'm not supposed to be on the dev track, which is

00:05:39.510 --> 00:05:42.309
why I'm confusing all my windows. Give me just a second.

00:05:42.310 --> 00:05:53.709
Shell, casual. So we are on the dev track, and it is this

00:05:53.710 --> 00:05:54.189
one.

00:05:54.190 --> 00:06:08.229
There we go. No, that's not a guide, damn it. Secrets.

00:06:08.230 --> 00:06:10.109
And...

00:06:10.110 --> 00:06:15.509
There we go, finally.

00:06:15.510 --> 00:06:19.109
Ah. Probably just for the delay, do some jazz hands in the

00:06:19.110 --> 00:06:20.889
background as we did in the start.

00:06:20.890 --> 00:06:23.600
It feels like Yordle[??] Castle this year,

00:06:23.601 --> 00:06:25.462
where nothing works properly.

00:06:25.463 --> 00:06:26.269
That's right.

00:06:26.270 --> 00:06:39.149
All right. There we go. It's loading up. Obviously.

00:06:39.150 --> 00:06:44.189
There we go.

00:06:44.190 --> 00:06:49.189
All right. You should be able to see my screen now. Yep. All

00:06:49.190 --> 00:06:53.789
right. So, well, we've gone so far. Oh, it did stop. Damn it.

00:06:53.790 --> 00:07:02.989
Sorry, now it's BBB not behaving properly. That's right.
00:07:02.990 --> 00:07:10.309
Okay, let me just join, leave and join again. Okay. I just did

00:07:10.310 --> 00:07:11.909
exactly that for what it's worth.

00:07:11.910 --> 00:07:26.189
Nothing. All right.

00:07:26.190 --> 00:07:29.029
All right, I seem to be back. Let me show. And there we go.

00:07:29.030 --> 00:07:36.909
All right, everything is working. I'm not touching

00:07:36.910 --> 00:07:39.187
anything. So. Cool.

NOTE Q: Can you describe some potential interactive uses for this within Emacs?

00:07:39.188 --> 00:07:43.629
Yeah, I'll just start with the top. Can

00:07:43.630 --> 00:07:47.349
you describe some potential interactive uses for this within

00:07:47.350 --> 00:07:52.789
Emacs? Um, I'm, I'm not actually sure what this means.

00:07:52.790 --> 00:08:01.029
Could we, could you add some more context maybe? Or, um,

00:08:01.030 --> 00:08:03.549
I think we'll maybe come back to that one. I'm not sure what,

00:08:03.550 --> 00:08:08.531
uh, potential interactive uses mean, but.

NOTE Q: Is this saved in the repo or file as "run sops here" or is the encrypted blob in the git repo?

00:08:08.532 --> 00:08:10.429
Yep. Uh, is this

00:08:10.430 --> 00:08:18.749
saved in the repo or file as run SOPS here? Oh, encrypted.

00:08:18.750 --> 00:08:24.829
They're saved as just text files so that you can do

00:08:24.830 --> 00:08:28.103
SOPS and encrypt like a binary. I think in the end,

00:08:28.104 --> 00:08:30.819
no matter what, they become just a text file,

00:08:30.820 --> 00:08:34.520
and then it does the encoding and decoding on the fly

00:08:34.521 --> 00:08:36.753
when you encrypt or decrypt. So no matter

00:08:36.754 --> 00:08:41.984
what it's going to be, I think it might just be

00:08:41.985 --> 00:08:44.989
a JSON in the end. Uh, so yeah.

00:08:44.990 --> 00:08:56.309
I'll try to, well, I can type out that answer, but all

00:08:56.310 --> 00:08:56.855
right.

00:08:56.856 --> 00:08:59.429
Don't worry about typing it out.
00:08:59.430 --> 00:09:00.989
We are gathering the

00:09:00.990 --> 00:09:04.069
recordings at the end, you know, even answers that are not

00:09:04.070 --> 00:09:05.782
provided, we'll type them out eventually.

00:09:05.783 --> 00:09:09.029
So don't stress too much about the actual answers being written.

00:09:09.030 --> 00:09:12.066
Okay. All right. So I'll go to the third one.

NOTE Q: How do you decide whether to use SOPS or other solutions such as pass-cli?

00:09:12.067 --> 00:09:13.189
How do you decide

00:09:13.190 --> 00:09:18.949
whether to use SOPS or other solutions such as pass-cli?

00:09:18.950 --> 00:09:24.469
The biggest use case that I've been using it recently is,

00:09:24.470 --> 00:09:29.109
Bitbucket has a way to... In a repository,

00:09:29.110 --> 00:09:35.829
you can store non-secrets and secrets. So

00:09:35.830 --> 00:09:39.549
we're trying to move the secrets into the repository

00:09:39.550 --> 00:09:43.109
and then allow the engineers to have

00:09:43.110 --> 00:09:48.789
access to that.

00:09:48.790 --> 00:09:52.389
Bitbucket variables is a black box. Since the devs can

00:09:52.390 --> 00:09:56.841
access it, it's manual work for everybody

00:09:56.842 --> 00:10:00.869
that has to deal with it. Since we're moving

00:10:00.870 --> 00:10:04.339
SOPS-encrypted files into the repo,

00:10:04.340 --> 00:10:06.830
now there's that trackability

00:10:06.831 --> 00:10:10.942
from who made the change and what it changed from,

00:10:10.943 --> 00:10:16.589
what did it go to, and just things like that.

00:10:16.590 --> 00:10:23.629
You can use it anytime you'd want to commit them.

NOTE Q: One limitation with guix (similar package manager to nix) is there is no great way of storing secrets in the store, would SOPS be useful for this?

00:10:23.630 --> 00:10:32.029
One limitation with GUIX is there's no great way to store

00:10:32.030 --> 00:10:36.869
secrets in the store. Yeah, I think, sorry... Let me. One

00:10:36.870 --> 00:10:40.189
limitation of GUIX is there's no way to store secrets in the

00:10:40.190 --> 00:10:42.108
store. Would SOPS be useful for this?

00:10:42.109 --> 00:10:44.829
I think so, but I don't know how

00:10:44.830 --> 00:10:48.869
that package manager works, if it's just like

00:10:48.870 --> 00:10:52.989
some sort of "you decrypt and then you run the package

00:10:52.990 --> 00:10:56.109
manager," then yeah, that's a lot of our workflows.

00:10:56.110 --> 00:10:58.989
If we're doing a deployment and the container

00:10:58.990 --> 00:11:01.629
needs it, we'll decrypt, put that in

00:11:01.630 --> 00:11:03.829
whatever place, or source it if it's an

00:11:03.830 --> 00:11:06.629
environment file for the container, and then

00:11:06.630 --> 00:11:11.982
pass it in. I think it'd be a great choice there.

NOTE Q: Wacky question: what happens in sops-mode if you encrypt the already encrypted file as if it was plaintext?

00:11:11.983 --> 00:11:17.069
A wacky question. What happens in sops mode if you

00:11:17.070 --> 00:11:21.709
encrypt an already encrypted file as if it was plain text?

00:11:21.710 --> 00:11:24.949
You know, I might have actually accidentally done that

00:11:24.950 --> 00:11:29.709
today. I didn't actually see the resulting file. But that's

00:11:29.710 --> 00:11:31.709
a great question.

00:11:31.710 --> 00:11:38.189
Well, it's technically still binary, isn't it, at the end?

00:11:38.190 --> 00:11:40.389
You've got binary stuff that is being encrypted

00:11:40.390 --> 00:11:42.949
again. It's just double encryption.

00:11:42.950 --> 00:11:44.842
I'm pretty sure it works.

00:11:44.843 --> 00:11:48.869
Yeah, probably. I'm going to go back up to the

00:11:48.870 --> 00:11:49.438
top one.

NOTE Q: can you describe some potential interactive uses for this within Emacs

00:11:49.439 --> 00:11:52.469
Can you describe some potential interactive uses

00:11:52.470 --> 00:11:57.349
for this within Emacs? Is there some other activity that

00:11:57.350 --> 00:12:01.909
would enable or it would be enabled with SOPS decryption

00:12:01.910 --> 00:12:12.529
first, like an IT configuration task.

00:12:12.530 --> 00:12:18.509
So in the README right now,

00:12:18.510 --> 00:12:22.629
there is a block and it's called SOPS setup

00:12:22.630 --> 00:12:27.687
environment. I think it's a hook. Don't quote me.

00:12:27.688 --> 00:12:29.596
I haven't touched it in a while.

00:12:29.597 --> 00:12:32.051
I think that hook runs prior to

00:12:32.052 --> 00:12:35.349
doing any sort of decryption or encryption.

00:12:35.350 --> 00:12:40.654
So there's an example in the README for ways

00:12:40.655 --> 00:12:44.669
that you can set up your SOPS mode for AWS.

00:12:44.670 --> 00:12:51.136
You can set the profile. It was actually

00:12:51.137 --> 00:12:58.829
a pretty fun thing to add because with that bit of code,

00:12:58.830 --> 00:13:01.199
I can pretty much go to any one of our repos

00:13:01.200 --> 00:13:04.085
and decrypt and encrypt on the fly and

00:13:04.086 --> 00:13:06.749
not have to do much fanfare of like,

00:13:06.750 --> 00:13:09.269
well, what account or what profile

00:13:09.270 --> 00:13:12.324
do I need to switch to? I haven't looked at

00:13:12.325 --> 00:13:15.309
GCP yet or Azure, and that's kind of one of

00:13:15.310 --> 00:13:19.079
my future things. I need to maybe look into those

00:13:19.080 --> 00:13:21.055
to see what they look like

00:13:21.056 --> 00:13:23.909
and give example configs to help users.

00:13:23.910 --> 00:13:28.993
Hopefully that answered your question.

00:13:28.994 --> 00:13:30.949
I think so.

00:13:30.950 --> 00:13:34.849
Continuing the theme of this, both of you being cursed,

00:13:34.850 --> 00:13:36.947
my X11 decided to crash.

00:13:36.948 --> 00:13:40.201
Nothing is going well with this one.

00:13:40.202 --> 00:13:44.509
Have you answered all the questions? I think so.
00:13:44.510 --> 00:13:46.438
Well, do you have anything else to add, perhaps?

00:13:46.439 --> 00:13:48.327
Maybe something that wasn't enough

00:13:48.328 --> 00:13:50.109
to fit in your live presentation?

00:13:50.110 --> 00:13:56.669
No, I'm excited to see the other talks and I hope everybody

00:13:56.670 --> 00:13:57.811
has fun too.

00:13:57.812 --> 00:14:03.303
Yeah, if you have any other questions, just email me.

00:14:03.304 --> 00:14:05.210
That's all.

00:14:05.211 --> 00:14:07.594
I got nothing.

00:14:07.595 --> 00:14:08.222
Okay, cool.

00:14:08.223 --> 00:14:10.469
[Leo]: Well, thank you so much, Jonathan, for your

00:14:10.470 --> 00:14:12.789
presentation. It was, sorry for all the technical

00:14:12.790 --> 00:14:14.162
problems, we tried our best,

00:14:14.163 --> 00:14:15.532
but I think we still managed to have

00:14:15.533 --> 00:14:17.309
a live presentation, and we managed to have some

00:14:17.310 --> 00:14:20.137
questions from the crowd. So, as far as I'm concerned,

00:14:20.138 --> 00:14:21.837
I think we did a good job.

00:14:21.838 --> 00:14:24.894
[Jonathan]: Yeah, you stomped it in this whole dev track,

00:14:24.895 --> 00:14:28.349
I just have to say. It's been a privilege to jump in

00:14:28.350 --> 00:14:31.069
with it here and there and to just listen to the great

00:14:31.070 --> 00:14:33.180
conversations.

00:14:33.181 --> 00:14:38.949
[Leo]: I think next up we have Emacs and McCLIM,

00:14:38.950 --> 00:14:41.904
which is going to be a similar format to this talk.

00:14:41.905 --> 00:14:44.709
We'll probably jump right into that in just about two minutes.

00:14:44.710 --> 00:14:47.821
We'll give you another countdown here. One second.

00:14:47.822 --> 00:14:49.916
Well, we arranged that and meanwhile,

00:14:49.917 --> 00:14:51.349
I just want to take my own

00:14:51.350 --> 00:14:55.309
little humble opportunity to thank you Jonathan, and I

00:14:55.310 --> 00:14:57.085
guess everybody else.