
Allow `sops updatekeys` to work on a directory tree

Open thewilli opened this issue 3 years ago • 3 comments

If #545 were finished, it would be really great for `sops updatekeys` to work on a directory tree.

Usecase: There is a .sops.yaml file in a repository with the keys of all team members. Whenever team members come or go, it would be easy to automate or just simplify the process of granting or revoking access to encrypted content.

thewilli avatar Jun 02 '22 16:06 thewilli

Currently I work around this by parsing the .sops.yaml manually and grep -Eing matching files to updatekeys against; however, it would be really good if this was implemented.

CryoMyst avatar May 27 '24 02:05 CryoMyst

Since there is no fixed file pattern of how SOPS encrypted files are named, this is kind of hard to implement. It's generally best if you create a shell script which uses find to search for the pattern you are using in your project and then use xargs to run sops updatekeys on each of these files.

Using the patterns from .sops.yaml only works if there is no fallback rule (which all .sops.yaml files I'm using have, for example).

felixfontein avatar Jun 02 '24 10:06 felixfontein

> It's generally best if you create a shell script which uses find to search for the pattern you are using in your project and then use xargs to run sops updatekeys on each of these files.

For example, I name my SOPS-encrypted files *.sops.*, which makes updating identity encryption keys and rotating data encryption keys as easy as

find -- "$(git rev-parse --show-toplevel)" \
  -type d -name .git -prune -o \
  -type f \( -name '*.sops.*' \! -name .sops.yaml \) \
  -print \
  -exec sops updatekeys --yes -- {} \; \
  -exec sops --in-place --rotate -- {} \;

manselmi avatar Jun 04 '24 21:06 manselmi

I'd also be interested in this, it seems like something SOPS should be able to do since it already has the information about what files are managed with SOPS. It's a common use-case on larger projects with changing development teams.

johncoopertr avatar Nov 11 '25 19:11 johncoopertr

Something like this works for me:

grep -ilrZ sops * | xargs -0 -r -n1 sops updatekeys --yes

Maybe I'm missing something (pretty new to SOPS) but couldn't we use the metadata in the files managed by SOPS to "discover" them? And not rely on any file patterns or regex?

johncoopertr avatar Nov 11 '25 19:11 johncoopertr
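Combining the find-based walk from manselmi's comment with the metadata-based discovery johncoopertr asks about, here is an added example that is not code from the sops project or from anyone in this thread. It treats a file as SOPS-managed when it carries a top-level `sops` section with a `mac` entry (a heuristic, not the parser sops itself uses); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the sops project or this thread. Discovers
# SOPS-encrypted files by the metadata they carry (a top-level "sops" section
# containing a "mac" entry) instead of by file-name pattern, then runs
# `sops updatekeys --yes` on each. Function names are hypothetical.

# is_sops_file FILE: succeed when FILE has both a "sops" and a "mac" key.
# Matches the YAML form (sops: / mac:) and the JSON form ("sops": / "mac":).
is_sops_file() {
  grep -qE '^[[:space:]]*"?sops"?[[:space:]]*:' -- "$1" 2>/dev/null &&
    grep -qE '^[[:space:]]*"?mac"?[[:space:]]*:' -- "$1" 2>/dev/null
}

# list_sops_files ROOT: print one path per line for every regular file under
# ROOT that passes is_sops_file, skipping .git trees and the .sops.yaml config.
list_sops_files() {
  find -- "$1" -type d -name .git -prune -o \
    -type f \! -name .sops.yaml -print |
    while IFS= read -r f; do
      if is_sops_file "$f"; then printf '%s\n' "$f"; fi
    done
}

# update_sops_keys ROOT: run `sops updatekeys --yes` on every discovered file.
# SOPS_CMD overrides the executable, e.g. SOPS_CMD="echo sops" for a dry run.
update_sops_keys() {
  cmd=${SOPS_CMD:-sops}
  list_sops_files "$1" | while IFS= read -r f; do
    $cmd updatekeys --yes -- "$f"
  done
}

# make_sample_tree DIR: write a small constructed tree for trying the above:
# one YAML and one JSON file with fake SOPS metadata, one plain YAML file,
# plus a .sops.yaml config and a .git directory that must both be skipped.
make_sample_tree() {
  mkdir -p "$1/env" "$1/.git"
  printf 'creation_rules:\n  - path_regex: .*\n' > "$1/.sops.yaml"
  printf 'db_password: ENC[AES256_GCM,data:AAAA,type:str]\nsops:\n  mac: ENC[AES256_GCM,data:BBBB,type:str]\n' > "$1/env/prod.yaml"
  printf '{\n  "token": "ENC[AES256_GCM,data:CCCC,type:str]",\n  "sops": {\n    "mac": "ENC[AES256_GCM,data:DDDD,type:str]"\n  }\n}\n' > "$1/env/token.json"
  printf 'replicas: 3\nimage: nginx\n' > "$1/env/plain.yaml"
  printf 'sops: mentioned only in prose\n' > "$1/.git/config"
}
```

Run `SOPS_CMD="echo sops" update_sops_keys "$(git rev-parse --show-toplevel)"` first to review the list of files that would be touched before doing it for real.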

I was totally flabbergasted to find that sops updatekeys has no way to figure out which files to update - given we have all the path_regex in the .sops.yaml anyway. Sure we could write a cumbersome script that extracts the path_regex and uses them to find the files and then call sops updatekeys on them ... but ... that feels pretty awkward.

Seems like @johncoopertr contributed this functionality in this PR

👍

Really hope this gets accepted.

tcurdt avatar Nov 27 '25 21:11 tcurdt