
Why do you recommend specifying multiple KMS keys?

Open takanabe opened this issue 2 years ago • 2 comments

Background

Thank you for developing this great tool! Could you explain why you recommend using multiple master keys, created in the IAM console in different regions? When I read the README, I found the following explanation.

If you're using AWS KMS, create one or multiple master keys in the IAM console and export them, comma separated, in the SOPS_KMS_ARN env variable. It is recommended to use at least two master keys in different regions.

This text was added in 2015, so I assume that at that time there were no keys that could be used from multiple AWS regions. Now we have multi-Region keys in AWS KMS, and I feel this is better than specifying multiple keys.

AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS.

What I want to achieve

  • Understand the reason why multiple KMS keys are recommended

Related information

takanabe avatar Mar 15 '22 07:03 takanabe
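The README passage quoted in the issue says to export the key ARNs comma-separated in SOPS_KMS_ARN and to use at least two master keys in different regions. The following shell snippet is an added example, not code from the sops project or from the issue author: it parses such a list, counts the distinct regions it covers, and only exports SOPS_KMS_ARN when the "at least two regions" advice is satisfied. The ARNs, account id and key ids are constructed placeholders; the function names are this example's own.

```shell
# Added example (not from sops or the issue author): check that a comma-separated
# KMS key list spans at least two distinct AWS regions before exporting it as
# SOPS_KMS_ARN, as the README recommends.
# Constructed placeholder ARNs; the account id and key ids are not real.
EXAMPLE_KMS_ARNS='arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001,arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000002'

# Print the region component of each ARN, one per line.
# A KMS key ARN has the form arn:aws:kms:<region>:<account>:key/<id>,
# so the region is the fourth colon-separated field.
kms_arn_regions() {
    printf '%s\n' "$1" | tr ',' '\n' | cut -d: -f4
}

# Count the distinct regions in a comma-separated ARN list.
kms_distinct_region_count() {
    kms_arn_regions "$1" | sort -u | grep -c .
}

# Succeed (exit 0) when the list covers at least two regions, fail (exit 1) otherwise.
kms_check_multi_region() {
    n=$(kms_distinct_region_count "$1")
    [ "$n" -ge 2 ]
}

# Usage: only export the variable when the region check passes.
if kms_check_multi_region "$EXAMPLE_KMS_ARNS"; then
    export SOPS_KMS_ARN="$EXAMPLE_KMS_ARNS"
    echo "SOPS_KMS_ARN set; keys span $(kms_distinct_region_count "$EXAMPLE_KMS_ARNS") regions"
else
    echo "warning: all KMS keys in the list are in a single region" >&2
fi
```

The check is deliberately purely local (string parsing, no AWS API call), so it can run in CI before sops is ever invoked; it does not verify that the keys exist or that the caller can use them, which sops itself reports at encryption time.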