[[!meta title="Committing secrets with git using sops-mode"]]
[[!meta copyright="Copyright © 2024 Jonathan Otsuka"]]
# Committing secrets with git using sops-mode
Jonathan Otsuka - Pronunciation: O-tsu-ka, <https://github.com/djgoku/sops>, <mailto:pitas.axioms0c@icloud.com>
This is my first Emacs mode, and it was primarily driven by necessity. The process was manual before. I wanted to encrypt and decrypt all operations within my current Emacs instance. Currently, I have some notes on how to quickly decrypt and encrypt using AWS KMS. However, it works seamlessly with GPG. I need to add some notes on age and GCP KMS.
<https://github.com/djgoku/sops>
About the speaker:
My name is Jonathan Otsuka. I have a background in software development and SRE/DevOps. In my free time, I enjoy optimizing my workflow, contributing to open-source projects I use, and engaging in swimming and cycling.
# Discussion
-   Q: Can you describe some potential interactive uses for this within
    Emacs? Is there some other activity that would be enabled with sops
    decryption first, like an IT or configuration task that requires
    authentication?
    -   A: So in the README right now, there is a block and it's called SOPS setup environment. I think it's a hook. Don't quote me. I haven't touched it in a while. I think that hook runs prior to doing any sort of decryption or encryption. So there's an example in the README for ways that you can set up your SOPS mode for AWS. You can set the profile. It was actually a pretty fun thing to add because with that bit of code, I can pretty much go to any one of our repos and decrypt and encrypt on the fly and not have to do much fanfare of like, well, what account or what profile do I need to switch to? I haven't looked at GCP yet or Azure, and that's kind of one of my future things. I need to maybe look into those to see what they look like and give example configs to help users. Hopefully that answered your question.
-   Q: Is this saved in the repo or file as "run sops here" or is the
    encrypted blob in the git repo?
    -   A: They're saved as just text files so that you can do sops and encrypt like a binary. I think in the end, no matter what, they become just a text file, and then it does the encoding and decoding on the fly when you encrypt or decrypt. So no matter what it's going to be, I think it might just be a JSON in the end. Uh, so yeah.
    -   Q: Is all the information in the repo, how much would be off the
        repo?
-   Q: How do you decide whether to use SOPS or other solutions such as
    pass-cli? (Perhaps not exactly related to this talk)
    -   A:
-   Q: One limitation with guix (similar package manager to nix) is there
    is no great way of storing secrets in the store, would SOPS be
    useful for this?
    -   A: The biggest use case that I've been using it recently is, Bitbucket has a way to... In a repository, you can store non-secrets and secrets. So we're trying to move the secrets into the repository and then allow the engineers to have access to that. Bitbucket variables is a black box. Since the devs can access it, it's manual work for everybody that has to deal with it. Since we're moving SOPS-encrypted files into the repo, now there's that trackability from who made the change and what it changed from, what did it go to, and just things like that. You can use it anytime you'd want to commit them.
    -   nixos -
        [https://github.com/Mic92/sops-nix](https://github.com/Mic92/sops-nix)
        -   [https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes](https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes)
    -   guix -
        [https://github.com/fishinthecalculator/sops-guix](https://github.com/fishinthecalculator/sops-guix)
    -   A: I think so, but I don't know how that package manager works, if it's just like some sort of "you decrypt and then you run the package manager," then yeah, that's a lot of our workflows. If we're doing a deployment and the container needs it, we'll decrypt, put that in whatever place, or source it if it's an environment file for the container, and then pass it in. I think it'd be a great choice there.
-   Q: Wacky question: what happens in sops-mode if you encrypt the already encrypted file as if it was plaintext?
    -   A: You know, I might have actually accidentally done that today. I didn't actually see the resulting file. But that's a great question. Well, it's technically still binary, isn't it, at the end? You've got binary stuff that is being encrypted again. It's just double encryption. I'm pretty sure it works.
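Two of the answers above touch the same practical point: a sops-encrypted file is committed as plain text (JSON or YAML) in which every leaf value is wrapped in an `ENC[...]` envelope next to a `sops` metadata block, and a file that is already in that state can be encrypted a second time by mistake. The following is an added example, not code from the talk or from the sops-mode project, and it is written in Python rather than Emacs Lisp so it can run stand-alone. It classifies a file as fully encrypted, plaintext, or a mix of the two, which is the check a pre-commit hook or an editor command would want before deciding to commit, to encrypt, or to stop. The sample documents, the age recipient, the base64 payloads and the `sops` version string are all constructed placeholders; `classify` and `leaf_values` are names chosen here, not sops or sops-mode APIs.

```python
import copy
import json
import re

# sops wraps every encrypted leaf value in this envelope: cipher, payload, IV,
# authentication tag and the original value type.
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]*,iv:[^,\]]*,tag:[^,\]]*,type:[a-z]+\]$"
)

# Constructed sample shaped like `sops --encrypt` JSON output; the age recipient,
# the base64 payloads and the version string are placeholders, not real ciphertext.
ENCRYPTED_DOC = {
    "db": {
        "user": "ENC[AES256_GCM,data:QUJD,iv:SVZJVg==,tag:VEFH,type:str]",
        "password": "ENC[AES256_GCM,data:UEFTUw==,iv:SVZJVg==,tag:VEFH,type:str]",
    },
    "ports": ["ENC[AES256_GCM,data:NTQzMg==,iv:SVZJVg==,tag:VEFH,type:int]"],
    "sops": {
        "age": [
            {
                "recipient": "age1exampleplaceholderrecipient",
                "enc": "-----BEGIN AGE ENCRYPTED FILE----- placeholder -----END AGE ENCRYPTED FILE-----",
            }
        ],
        "lastmodified": "2024-01-01T00:00:00Z",
        "mac": "ENC[AES256_GCM,data:TUFD,iv:SVZJVg==,tag:VEFH,type:str]",
        "version": "3.9.0",
    },
}

# Constructed: the same secrets before encryption. This must never reach git.
PLAINTEXT_DOC = {"db": {"user": "app", "password": "hunter2"}}

# Constructed: an encrypted file that was edited by hand and gained a plaintext key.
MIXED_DOC = copy.deepcopy(ENCRYPTED_DOC)
MIXED_DOC["api_key"] = "plaintext-oops"


def leaf_values(obj, path=()):
    """Yield (path, value) for every scalar leaf, skipping the top-level sops metadata."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if path == () and key == "sops":
                continue
            yield from leaf_values(value, path + (key,))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from leaf_values(value, path + (index,))
    else:
        yield path, obj


def classify(doc):
    """Decide whether a parsed document is encrypted, plaintext, or mixed.

    encrypted: sops metadata (with its MAC) present and every leaf is ENC[...].
    plaintext: no metadata and no ENC[...] leaves; needs encrypting before commit.
    mixed:     anything else; refuse, since either plaintext sits next to
               ciphertext or ciphertext lacks the metadata needed to decrypt it.
    """
    has_meta = isinstance(doc.get("sops"), dict) and "mac" in doc["sops"]
    leaves = list(leaf_values(doc))

    def is_enc(value):
        return isinstance(value, str) and ENC_RE.match(value) is not None

    enc_paths = [path for path, value in leaves if is_enc(value)]
    plain_paths = [".".join(map(str, path)) for path, value in leaves if not is_enc(value)]

    if has_meta and not plain_paths:
        state, action = "encrypted", "safe to commit; do not encrypt again"
    elif not has_meta and not enc_paths:
        state, action = "plaintext", "run sops --encrypt before committing"
    else:
        state, action = "mixed", "refuse: plaintext beside ciphertext, or ciphertext without sops metadata"
    return {"state": state, "action": action, "plaintext_paths": plain_paths}


def classify_text(text):
    """Same check applied to the raw JSON text of a file from the working tree."""
    return classify(json.loads(text))


if __name__ == "__main__":
    for name, doc in [("encrypted", ENCRYPTED_DOC), ("plaintext", PLAINTEXT_DOC), ("mixed", MIXED_DOC)]:
        print(name, classify(doc))
```

The check assumes the default sops behaviour where every key outside the `sops` block is encrypted. A file produced with `--unencrypted-suffix` or `--encrypted-regex` legitimately keeps some values in plaintext, so a hook built on this would need to read that configuration before treating such keys as a failure.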