sops
是一个加密文件的编辑器,支持YAML
、JSON
、ENV
、INI
和BINARY
格式,用AWS KMS、GCP KMS、Azure Key Vault、age和PGP进行加密。本文将重点介绍如何安装、使用。
介绍
安装
在 https://github.com/mozilla/sops/releases 下载二进制可执行文件进行安装
mv sops-v3.7.3.darwin.amd64 sops
chmod +x sops
mv sops /usr/local/bin
sops --help
使用
help
$ sops --help
NAME:
sops - sops - encrypted file editor with AWS KMS, GCP KMS, Azure Key Vault, age, and GPG support
USAGE:
sops is an editor of encrypted files that supports AWS KMS and PGP
To encrypt or decrypt a document with AWS KMS, specify the KMS ARN
in the -k flag or in the SOPS_KMS_ARN environment variable.
(you need valid credentials in ~/.aws/credentials or in your env)
To encrypt or decrypt a document with GCP KMS, specify the
GCP KMS resource ID in the --gcp-kms flag or in the SOPS_GCP_KMS_IDS
environment variable.
(you need to setup google application default credentials. See
https://developers.google.com/identity/protocols/application-default-credentials)
To encrypt or decrypt a document with HashiCorp Vault's Transit Secret Engine, specify the
Vault key URI name in the --hc-vault-transit flag or in the SOPS_VAULT_URIS environment variable (eg. https://vault.example.org:8200/v1/transit/keys/dev
where 'https://vault.example.org:8200' is the vault server, 'transit' the enginePath, and 'dev' is the name of the key )
environment variable.
(you need to enable the Transit Secrets Engine in Vault. See
https://www.vaultproject.io/docs/secrets/transit/index.html)
To encrypt or decrypt a document with Azure Key Vault, specify the
Azure Key Vault key URL in the --azure-kv flag or in the SOPS_AZURE_KEYVAULT_URL
environment variable.
(authentication is based on environment variables, see
https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication.
The user/sp needs the key/encrypt and key/decrypt permissions)
To encrypt or decrypt using age, specify the recipient in the -a flag, or
in the SOPS_AGE_RECIPIENTS environment variable.
To encrypt or decrypt using PGP, specify the PGP fingerprint in the
-p flag or in the SOPS_PGP_FP environment variable.
To use multiple KMS or PGP keys, separate them by commas. For example:
$ sops -p "10F2...0A, 85D...B3F21" file.yaml
The -p, -k, --gcp-kms, --hc-vault-transit and --azure-kv flags are only used to encrypt new documents. Editing
or decrypting existing documents can be done with "sops file" or
"sops -d file" respectively. The KMS and PGP keys listed in the encrypted
documents are used then. To manage master keys in existing documents, use
the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags.
To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC.
To select a different editor than the default (vim), set EDITOR.
For more information, see the README at github.com/mozilla/sops
VERSION:
3.7.3
AUTHORS:
AJ Bahnken <ajvb@mozilla.com>
Adrian Utrilla <adrianutrilla@gmail.com>
Julien Vehent <jvehent@mozilla.com>
COMMANDS:
exec-env execute a command with decrypted values inserted into the environment
exec-file execute a command with the decrypted contents as a temporary file
publish Publish sops file or directory to a configured destination
keyservice start a SOPS key service server
groups modify the groups on a SOPS file
updatekeys update the keys of a SOPS file using the config file
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--decrypt, -d decrypt a file and output the result to stdout
--encrypt, -e encrypt a file and output the result to stdout
--rotate, -r generate a new data encryption key and reencrypt all values with the new key
--kms value, -k value comma separated list of KMS ARNs [$SOPS_KMS_ARN]
--aws-profile value The AWS profile to use for requests to AWS
--gcp-kms value comma separated list of GCP KMS resource IDs [$SOPS_GCP_KMS_IDS]
--azure-kv value comma separated list of Azure Key Vault URLs [$SOPS_AZURE_KEYVAULT_URLS]
--hc-vault-transit value comma separated list of vault's key URI (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev') [$SOPS_VAULT_URIS]
--pgp value, -p value comma separated list of PGP fingerprints [$SOPS_PGP_FP]
--age value, -a value comma separated list of age recipients [$SOPS_AGE_RECIPIENTS]
--in-place, -i write output back to the same file instead of stdout
--extract value extract a specific key or branch from the input document. Decrypt mode only. Example: --extract '["somekey"][0]'
--input-type value currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type
--output-type value currently json, yaml, dotenv and binary are supported. If not set, sops will use the input file's extension to determine the output format
--show-master-keys, -s display master encryption keys in the file during editing
--add-gcp-kms value add the provided comma-separated list of GCP KMS key resource IDs to the list of master keys on the given file
--rm-gcp-kms value remove the provided comma-separated list of GCP KMS key resource IDs from the list of master keys on the given file
--add-azure-kv value add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys on the given file
--rm-azure-kv value remove the provided comma-separated list of Azure Key Vault key URLs from the list of master keys on the given file
--add-kms value add the provided comma-separated list of KMS ARNs to the list of master keys on the given file
--rm-kms value remove the provided comma-separated list of KMS ARNs from the list of master keys on the given file
--add-hc-vault-transit value add the provided comma-separated list of Vault's URI key to the list of master keys on the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
--rm-hc-vault-transit value remove the provided comma-separated list of Vault's URI key from the list of master keys on the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
--add-age value add the provided comma-separated list of age recipients fingerprints to the list of master keys on the given file
--rm-age value remove the provided comma-separated list of age recipients from the list of master keys on the given file
--add-pgp value add the provided comma-separated list of PGP fingerprints to the list of master keys on the given file
--rm-pgp value remove the provided comma-separated list of PGP fingerprints from the list of master keys on the given file
--ignore-mac ignore Message Authentication Code during decryption
--unencrypted-suffix value override the unencrypted key suffix.
--encrypted-suffix value override the encrypted key suffix. When empty, all keys will be encrypted, unless otherwise marked with unencrypted-suffix.
--unencrypted-regex value set the unencrypted key suffix. When specified, only keys matching the regex will be left unencrypted.
--encrypted-regex value set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.
--config value path to sops' config file. If set, sops will not search for the config file recursively.
--encryption-context value comma separated list of KMS encryption context key:value pairs
--set value set a specific key or branch in the input document. value must be a json encoded string. (edit mode only). eg. --set '["somekey"][0] {"somevalue":true}'
--shamir-secret-sharing-threshold value the number of master keys required to retrieve the data key with shamir (default: 0)
--verbose Enable verbose logging output
--output value Save the output after encryption or decryption to the file specified
--enable-local-keyservice use local key service
--keyservice value Specify the key services to use in addition to the local one. Can be specified more than once. Syntax: protocol://address. Example: tcp://myserver.com:5000
--help, -h show help
--version, -v print the version
使用PGP key加密
- 什么是 GPG 以及如何生成参考 GPG 使用介绍
- 配置 sops 使用的 GPG 命令,默认为 gpg
$ ~/.bashrc
SOPS_GPG_EXEC = 'gpg'
- sops 通过
.sops.yaml
文件 .sops.yaml
配置加密规则,下面示例是 password 的信息加密,而且指定 gpg 的 fingerprint
$ cat << EOF > .sops.yaml
creation_rules:
- encrypted_regex: '^(pwd|password)$'
pgp: 'B5A1B728A2FD170FE0E6C4E2D6B71988603A67D2'
EOF
$ cat << EOF > secrets.yaml
pwd: Pwd
password: Password
EOF
$ sops -e secrets.yaml
[PGP] WARN[0000] Deprecation Warning: GPG key fetching from a keyserver within sops will be removed in a future version of sops. See https://github.com/mozilla/sops/issues/727 for more information.
pwd: ENC[AES256_GCM,data:RC+j,iv:HWFwKyq2ijBFA3txl+LXtuHqvMlnbSs/sRve7Cty8q4=,tag:G/nzBqCJQNowhLMDjD0GIw==,type:str]
password: ENC[AES256_GCM,data:Sca2XL19AH0=,iv:rZkseHfZ5MyXtV54KJ21JZQqDstd/BN1UNdU1ykPggY=,tag:BV3EXRMWkapjTU4sQ6r7NQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-01-01T05:47:57Z"
mac: ENC[AES256_GCM,data:yXUvvTofaGlyCGpGW7D9T4+FKwTv0bBNmJBqrhHQ01w57Tb0Ht6+8JwMbk/DHf1N7kewSronn6GZ0XnaBtqpp4DX69Q9VKTmE9kcNd7hSXjvHNUGNKoIxXsfhMVRQiBInGXjpFbuSvOHyrEYztlJ3xtRNVAMudC8FVverW42IEM=,iv:w9Ui7DXky1bTyk8X1t+Riwu4UCVctePYHJKuIejEWqk=,tag:axyu4boweQ5lrMudRGTH4g==,type:str]
pgp:
- created_at: "2023-01-01T05:47:54Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA5mU9xa5BTF6ARAAia4VyI5QsX8dnKJt3lq/HJiTcwtVfqGjEZXSJE+AjxwS
f7IbuI/HeEOE5qeUIN8SEK1bYFmKIFxR5jMf0Azyf1+GRq5Fo65f4n22FD+EE0n2
TcI54YtEgty+UG3nZgDrZ4fOc/xRV6veF0pverdVCkR8tAAEYHDcUt4cKFs7CgTf
eZ5R70wJMrRGblLFG0BwK5lOcATFtEJD/66Gmz+1Fm3LWKo3Roo4fpRRzsjN34VJ
veFHHizgTR5z+t0e9/eX3oh9l/utBUDdt3uNK51+PenYpFH2B/trPS7bvG5YfWW1
yGbfkbzuANwpu1AJCihBtwHpfB6SOEMljAC2nKnedFdf3vO6tmM4QnPXb3qB5UhG
SEMmAokPopFUrcJyGAKolBC6OHQBt7nklkEzWlMX3tZ0n2I8Fkbvg0rsD8pKxEfV
GzurzXqbnauSMqtqbOrkZ97SoJPSuKmPHoi9DcxsOhZ67Mms9StiuTfMMSybib45
i5iBaKFo2rF/YvucOKEuAHNZrinqf45S30h5MWYM9/QUB6tmOF9aHFC+2FW0DCT+
FMp6Elv9RlacSoxkY5hRdW3qSFsMPQnSQx1dNxvPiUt5myTItlJyP0+OfWhdtOQf
ZG24bH5sZKE/C/fuW0s1CNgEmn7vGTZ7Go9a23f4D5F+mX0lLmjho2tPoMQP11zS
UQHQxvkbD9P2z12eYDBfbqUInpbx+W8DO4tHRmGS1lnupB+z5uzidHw81U7uESEF
YhjdM0mPIybZqdpQ+7RXOa8kVTWrsRid6+8i97rjvbUIEg==
=xPpO
-----END PGP MESSAGE-----
fp: B5A1B728A2FD170FE0E6C4E2D6B71988603A67D2
encrypted_regex: ^(pwd|password)$
version: 3.7.3
示例
age 文件加密
age 是是一个简单、现代、安全的文件加密工具。
# mac
brew install age
# ubuntu 22+
apt install age
sops --encrypt --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml