Introduction to the sops encrypted file editor


sops is an editor for encrypted files. It supports the YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age and PGP. This article focuses on how to install and use it.

Introduction

  • sops is a simple and flexible tool for managing secrets.

Installation

Download the binary from https://github.com/mozilla/sops/releases and install it:

mv sops-v3.7.3.darwin.amd64 sops
chmod +x sops
mv sops /usr/local/bin
sops --help

Usage

help

$ sops --help
NAME:
   sops - sops - encrypted file editor with AWS KMS, GCP KMS, Azure Key Vault, age, and GPG support

USAGE:
   sops is an editor of encrypted files that supports AWS KMS and PGP

   To encrypt or decrypt a document with AWS KMS, specify the KMS ARN
   in the -k flag or in the SOPS_KMS_ARN environment variable.
   (you need valid credentials in ~/.aws/credentials or in your env)

   To encrypt or decrypt a document with GCP KMS, specify the
   GCP KMS resource ID in the --gcp-kms flag or in the SOPS_GCP_KMS_IDS
   environment variable.
   (you need to setup google application default credentials. See
    https://developers.google.com/identity/protocols/application-default-credentials)


   To encrypt or decrypt a document with HashiCorp Vault's Transit Secret Engine, specify the
   Vault key URI name in the --hc-vault-transit flag or in the SOPS_VAULT_URIS environment variable (eg. https://vault.example.org:8200/v1/transit/keys/dev
      where 'https://vault.example.org:8200' is the vault server, 'transit' the enginePath, and 'dev' is the name of the key )
   environment variable.
   (you need to enable the Transit Secrets Engine in Vault. See
      https://www.vaultproject.io/docs/secrets/transit/index.html)

   To encrypt or decrypt a document with Azure Key Vault, specify the
   Azure Key Vault key URL in the --azure-kv flag or in the SOPS_AZURE_KEYVAULT_URL
   environment variable.
   (authentication is based on environment variables, see
    https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication.
    The user/sp needs the key/encrypt and key/decrypt permissions)

   To encrypt or decrypt using age, specify the recipient in the -a flag, or
   in the SOPS_AGE_RECIPIENTS environment variable.

   To encrypt or decrypt using PGP, specify the PGP fingerprint in the
   -p flag or in the SOPS_PGP_FP environment variable.

   To use multiple KMS or PGP keys, separate them by commas. For example:
       $ sops -p "10F2...0A, 85D...B3F21" file.yaml

   The -p, -k, --gcp-kms, --hc-vault-transit and --azure-kv flags are only used to encrypt new documents. Editing
   or decrypting existing documents can be done with "sops file" or
   "sops -d file" respectively. The KMS and PGP keys listed in the encrypted
   documents are used then. To manage master keys in existing documents, use
   the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags.

   To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC.

   To select a different editor than the default (vim), set EDITOR.

   For more information, see the README at github.com/mozilla/sops

VERSION:
   3.7.3

AUTHORS:
   AJ Bahnken <ajvb@mozilla.com>
   Adrian Utrilla <adrianutrilla@gmail.com>
   Julien Vehent <jvehent@mozilla.com>

COMMANDS:
     exec-env    execute a command with decrypted values inserted into the environment
     exec-file   execute a command with the decrypted contents as a temporary file
     publish     Publish sops file or directory to a configured destination
     keyservice  start a SOPS key service server
     groups      modify the groups on a SOPS file
     updatekeys  update the keys of a SOPS file using the config file
     help, h     Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --decrypt, -d                            decrypt a file and output the result to stdout
   --encrypt, -e                            encrypt a file and output the result to stdout
   --rotate, -r                             generate a new data encryption key and reencrypt all values with the new key
   --kms value, -k value                    comma separated list of KMS ARNs [$SOPS_KMS_ARN]
   --aws-profile value                      The AWS profile to use for requests to AWS
   --gcp-kms value                          comma separated list of GCP KMS resource IDs [$SOPS_GCP_KMS_IDS]
   --azure-kv value                         comma separated list of Azure Key Vault URLs [$SOPS_AZURE_KEYVAULT_URLS]
   --hc-vault-transit value                 comma separated list of vault's key URI (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev') [$SOPS_VAULT_URIS]
   --pgp value, -p value                    comma separated list of PGP fingerprints [$SOPS_PGP_FP]
   --age value, -a value                    comma separated list of age recipients [$SOPS_AGE_RECIPIENTS]
   --in-place, -i                           write output back to the same file instead of stdout
   --extract value                          extract a specific key or branch from the input document. Decrypt mode only. Example: --extract '["somekey"][0]'
   --input-type value                       currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type
   --output-type value                      currently json, yaml, dotenv and binary are supported. If not set, sops will use the input file's extension to determine the output format
   --show-master-keys, -s                   display master encryption keys in the file during editing
   --add-gcp-kms value                      add the provided comma-separated list of GCP KMS key resource IDs to the list of master keys on the given file
   --rm-gcp-kms value                       remove the provided comma-separated list of GCP KMS key resource IDs from the list of master keys on the given file
   --add-azure-kv value                     add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys on the given file
   --rm-azure-kv value                      remove the provided comma-separated list of Azure Key Vault key URLs from the list of master keys on the given file
   --add-kms value                          add the provided comma-separated list of KMS ARNs to the list of master keys on the given file
   --rm-kms value                           remove the provided comma-separated list of KMS ARNs from the list of master keys on the given file
   --add-hc-vault-transit value             add the provided comma-separated list of Vault's URI key to the list of master keys on the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
   --rm-hc-vault-transit value              remove the provided comma-separated list of Vault's URI key from the list of master keys on the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
   --add-age value                          add the provided comma-separated list of age recipients fingerprints to the list of master keys on the given file
   --rm-age value                           remove the provided comma-separated list of age recipients from the list of master keys on the given file
   --add-pgp value                          add the provided comma-separated list of PGP fingerprints to the list of master keys on the given file
   --rm-pgp value                           remove the provided comma-separated list of PGP fingerprints from the list of master keys on the given file
   --ignore-mac                             ignore Message Authentication Code during decryption
   --unencrypted-suffix value               override the unencrypted key suffix.
   --encrypted-suffix value                 override the encrypted key suffix. When empty, all keys will be encrypted, unless otherwise marked with unencrypted-suffix.
   --unencrypted-regex value                set the unencrypted key suffix. When specified, only keys matching the regex will be left unencrypted.
   --encrypted-regex value                  set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.
   --config value                           path to sops' config file. If set, sops will not search for the config file recursively.
   --encryption-context value               comma separated list of KMS encryption context key:value pairs
   --set value                              set a specific key or branch in the input document. value must be a json encoded string. (edit mode only). eg. --set '["somekey"][0] {"somevalue":true}'
   --shamir-secret-sharing-threshold value  the number of master keys required to retrieve the data key with shamir (default: 0)
   --verbose                                Enable verbose logging output
   --output value                           Save the output after encryption or decryption to the file specified
   --enable-local-keyservice                use local key service
   --keyservice value                       Specify the key services to use in addition to the local one. Can be specified more than once. Syntax: protocol://address. Example: tcp://myserver.com:5000
   --help, -h                               show help
   --version, -v                            print the version

Encrypting with a PGP key

  • For what GPG is and how to generate a key, see the GPG usage introduction
  • Configure the GPG command that sops uses (defaults to gpg); sops reads it from the SOPS_GPG_EXEC environment variable, so export it from your shell profile:
# ~/.bashrc
export SOPS_GPG_EXEC='gpg'
  • sops reads its encryption rules from a .sops.yaml file; the example below encrypts only the password fields and specifies the gpg fingerprint to use:
$ cat << EOF > .sops.yaml
creation_rules:
  - encrypted_regex: '^(pwd|password)$'
    pgp: 'B5A1B728A2FD170FE0E6C4E2D6B71988603A67D2'
EOF
  • secrets.yaml, the file to encrypt:
$ cat << EOF > secrets.yaml
pwd: Pwd
password: Password
EOF
  • Encrypt:
$ sops -e secrets.yaml
[PGP]	 WARN[0000] Deprecation Warning: GPG key fetching from a keyserver within sops will be removed in a future version of sops. See https://github.com/mozilla/sops/issues/727 for more information.
pwd: ENC[AES256_GCM,data:RC+j,iv:HWFwKyq2ijBFA3txl+LXtuHqvMlnbSs/sRve7Cty8q4=,tag:G/nzBqCJQNowhLMDjD0GIw==,type:str]
password: ENC[AES256_GCM,data:Sca2XL19AH0=,iv:rZkseHfZ5MyXtV54KJ21JZQqDstd/BN1UNdU1ykPggY=,tag:BV3EXRMWkapjTU4sQ6r7NQ==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2023-01-01T05:47:57Z"
    mac: ENC[AES256_GCM,data:yXUvvTofaGlyCGpGW7D9T4+FKwTv0bBNmJBqrhHQ01w57Tb0Ht6+8JwMbk/DHf1N7kewSronn6GZ0XnaBtqpp4DX69Q9VKTmE9kcNd7hSXjvHNUGNKoIxXsfhMVRQiBInGXjpFbuSvOHyrEYztlJ3xtRNVAMudC8FVverW42IEM=,iv:w9Ui7DXky1bTyk8X1t+Riwu4UCVctePYHJKuIejEWqk=,tag:axyu4boweQ5lrMudRGTH4g==,type:str]
    pgp:
        - created_at: "2023-01-01T05:47:54Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

            wcFMA5mU9xa5BTF6ARAAia4VyI5QsX8dnKJt3lq/HJiTcwtVfqGjEZXSJE+AjxwS
            f7IbuI/HeEOE5qeUIN8SEK1bYFmKIFxR5jMf0Azyf1+GRq5Fo65f4n22FD+EE0n2
            TcI54YtEgty+UG3nZgDrZ4fOc/xRV6veF0pverdVCkR8tAAEYHDcUt4cKFs7CgTf
            eZ5R70wJMrRGblLFG0BwK5lOcATFtEJD/66Gmz+1Fm3LWKo3Roo4fpRRzsjN34VJ
            veFHHizgTR5z+t0e9/eX3oh9l/utBUDdt3uNK51+PenYpFH2B/trPS7bvG5YfWW1
            yGbfkbzuANwpu1AJCihBtwHpfB6SOEMljAC2nKnedFdf3vO6tmM4QnPXb3qB5UhG
            SEMmAokPopFUrcJyGAKolBC6OHQBt7nklkEzWlMX3tZ0n2I8Fkbvg0rsD8pKxEfV
            GzurzXqbnauSMqtqbOrkZ97SoJPSuKmPHoi9DcxsOhZ67Mms9StiuTfMMSybib45
            i5iBaKFo2rF/YvucOKEuAHNZrinqf45S30h5MWYM9/QUB6tmOF9aHFC+2FW0DCT+
            FMp6Elv9RlacSoxkY5hRdW3qSFsMPQnSQx1dNxvPiUt5myTItlJyP0+OfWhdtOQf
            ZG24bH5sZKE/C/fuW0s1CNgEmn7vGTZ7Go9a23f4D5F+mX0lLmjho2tPoMQP11zS
            UQHQxvkbD9P2z12eYDBfbqUInpbx+W8DO4tHRmGS1lnupB+z5uzidHw81U7uESEF
            YhjdM0mPIybZqdpQ+7RXOa8kVTWrsRid6+8i97rjvbUIEg==
            =xPpO
            -----END PGP MESSAGE-----
          fp: B5A1B728A2FD170FE0E6C4E2D6B71988603A67D2
    encrypted_regex: ^(pwd|password)$
    version: 3.7.3
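As an added check (not part of this post or of sops itself), the script below parses the ENC[AES256_GCM,...] values in the output above and verifies, before a file is committed, that every key matched by the .sops.yaml encrypted_regex is actually encrypted, that the IV and tag have the sizes sops writes, and that the sops block still carries its MAC. The sample document is constructed from the output above; the flat-file parser is an assumption that fits secrets.yaml but not nested YAML.

```python
import base64
import re

# A sops-encrypted scalar, as in the post's output: ENC[AES256_GCM,data:..,iv:..,tag:..,type:..]
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:(?P<data>[^,]*),iv:(?P<iv>[^,]+),"
                    r"tag:(?P<tag>[^,]+),type:(?P<type>\w+)\]$")

def parse_enc(value):
    """Decode an ENC[...] scalar into its base64 parts; None if it is not one."""
    m = ENC_RE.match(value.strip())
    if not m:
        return None
    parts = {k: base64.b64decode(m.group(k)) for k in ("data", "iv", "tag")}
    parts["type"] = m.group("type")
    return parts

def top_level_scalars(text):
    """'key: value' pairs at indent 0, skipping the sops block (assumes a flat file)."""
    out = {}
    for line in text.splitlines():
        if not line or line[0] in " \t#":
            continue
        key, sep, val = line.partition(":")
        if sep and key != "sops":
            out[key] = val.strip()
    return out

def audit(text, encrypted_regex):
    """Keys matching the rule but still plaintext, ENC values with unexpected sizes
    (sops AES256_GCM uses a 32-byte IV and 16-byte tag), and whether a MAC line exists."""
    rule = re.compile(encrypted_regex)
    plaintext, malformed = [], []
    for key, val in top_level_scalars(text).items():
        enc = parse_enc(val)
        if enc is None and rule.search(key):
            plaintext.append(key)
        elif enc and (len(enc["iv"]) != 32 or len(enc["tag"]) != 16):
            malformed.append(key)
    mac_present = re.search(r"^\s+mac: ENC\[", text, re.M) is not None
    return {"plaintext": plaintext, "malformed": malformed, "mac_present": mac_present}

RULE = r"^(pwd|password)$"  # encrypted_regex from the post's .sops.yaml
# Constructed sample: the two data lines from the post's `sops -e` output plus a shortened sops block
SAMPLE = """\
pwd: ENC[AES256_GCM,data:RC+j,iv:HWFwKyq2ijBFA3txl+LXtuHqvMlnbSs/sRve7Cty8q4=,tag:G/nzBqCJQNowhLMDjD0GIw==,type:str]
password: ENC[AES256_GCM,data:Sca2XL19AH0=,iv:rZkseHfZ5MyXtV54KJ21JZQqDstd/BN1UNdU1ykPggY=,tag:BV3EXRMWkapjTU4sQ6r7NQ==,type:str]
sops:
    mac: ENC[AES256_GCM,data:yXUv...,type:str]
"""
PLAIN = "pwd: Pwd\npassword: Password\n"  # the unencrypted secrets.yaml from the post
```

Running audit(PLAIN, RULE) flags both keys as plaintext with no MAC, which is exactly the state of a secrets.yaml that was committed before sops -e was run.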

Examples

Encrypting files with age

age is a simple, modern and secure file encryption tool.

  • Install:
# macOS
brew install age

# Ubuntu 22+
apt install age
  • Encrypt:
sops --encrypt --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml