sops icon indicating copy to clipboard operation
sops copied to clipboard

Published 20 hours ago verified publisher icon getsops

Encrypting Files in Place via a Go API

Open ChrisJBurns opened this issue 2 years ago • 4 comments

Currently, as far as I'm aware there is no way of encrypting a file in-place using SOPS via Golang.

I'm essentially looking for an API to be exposed that does the equivalent of the following command: sops -age=age1ykphy2fuc0rmtewtpml69670s9dydkneum384tsj6z480lljmvqqx4kj8u --encrypt --encrypted-regex '^(data|stringData)$' --in-place secrets.yaml

The above command edits a secrets.yaml file in place which after encryption will contain the following:

apiVersion: v1
kind: Secret
metadata:
    name: keys-keys
    namespace: flux-system
type: kubernetes.io/tls
data:
    tls.crt: ENC[AES256_GCM,data:KGPw+zpAKHDA+Yh44pNhLexMgvY5HYXIx0mteQiz3JapMlfB9Cc2iDx47gnrLrAFJoE2s2OPza8S3RhlOP4Cv23KFhp1T4n7Dd0vIf83zWQmP5Hau4oM8AX8+B280ysl5HXFKx6w+PwNTwHE+xp7ssHvuW3NCBbNIg/re/1axQaShENxsWv+g0ivJuyAr4hag3O+rW2TP0ZG5Djc6KkTdUc6qd6JBE3QLzzfCXA+kb+bAnSxHr74hYIBeXprlFPCFJbmxsAetg/oczW6a8fU73FTAjGwBFaGw5o+Q+q+dWawLA0MKYGeUqejQTGghwVAgux1mCrUGjDBd6VMh+S2Ss593UBVjAjP22HnTA/oFJUlawkfEdseBUCw2vAeki4qfpTBeAQRJfHpWZzEcafPuHLM3xIXDiEanOiE1482FP8qmqZ7bp3jX3aK9KfFo677+ychmg==,iv:oZaz5X5TxgDWrN4g9j1WW2k4NJ+5YfUeqFIUkThsnuM=,tag:YvBR12Gsh9C6GFClOn8xqw==,type:str]
    tls.key: ENC[AES256_GCM,data:QiZRPx6eUpDSpgG4zNvEzWiFfAm+FeOZmNu4gcEHjnXdB0Pa9fNo+ZKhq0XDff2nYODDlQT3I4Cl+peDCUeBqJcAReRINupc7IA2DQRU7qkQfu42ZQbcrEQ/eqGBDRIHNrhDthc1Sg8uHPqJsSmPIiwpiD2FHh4tPxDUAbqupYin6O+FLR9LgdF5anWmRqO6z5JGQ3T+suH9JJ4/CfzmkIXS85s43XkRS39uM9r+bKBhgLxWHCxiUsZLnq4JAgOl/87cvrtMb1MrCvuGi9kWsGi30GgYTbfKub0ylb+hb0FbUWsRwSy1HuCaEMLw2vj9KYqMsrTGe7ECso9O4wAinErandI1nT4L6FVb6MaWe1t9vghqqfa46/wSxEpBKH+gE3uBu1KR7g4a2868ziOgpwjq3ETcLco/w3czrfCPbKULEDR3Vg6qa0kEdfhlaGa0XK0xT9kHbq6BGa60RqXEUOdNyOGRWE4Zi1lT71WWnCunNNLlp6dU3JKIiKO3kdlfC3j/Rzvn71HwMItv+rcNShW/ajeIuJpxHd7DI7/XZpkhrhktodTLeLvgDV7dHJC05ZNzb39g5moOkVavMERlMb6RAs/UQGY96wSvsV6SYPbuBJYMnnoVuYvPtsDisrLyQaEq2zSL03l9xwKhxCTWhg==,iv:ENjiDPZ7Myv1c/y4vPh2Lu/FEUqXoS5iCO4LUkHxqt4=,tag:OLMlo++6cvkqCNWxMvIzoQ==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1ykphy2fuc0rmtewtpml69670s9dydkneum384tsj6z480lljmvqqx4kj8u
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Y3d5OXpWa0l5MWlvTzNp
            TkZsemFqa0d6QWxqLzk4R3lFZ00xNG5GOHdRCmg4cEVKaVBXaWYvMVpFcVRiMWRW
            bWJhYWZDWmZsNmJQd1gwdllMRUhoNlEKLS0tIFlRZ0ZQR3dxeTFsekhMSlIvOFdY
            WDZrZG9pWUZibFVmczFIMDhlYkhsUFEKDq0+SemlbsxqbXlph15Z2DmEn8s6C+y6
            l6xRX1nBzY0nE7KF8dLfJmPLv8PgdIZbumOmR6ZJzys/thfoxQ4lmA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-07-23T21:31:04Z"
    mac: ENC[AES256_GCM,data:SVf2CZIThnbuVboT/HZWBcVkaAJePOcyFM3nJGW62CtAkVtnBVjAUelYrCXjOgkaKHrx5lY1ozBy+0Ybo1MohkIBQlNgiA8nq5vQ4eh60k7m1MFZsUBBRJJCCNdOY96UYTM8W3HmZxBRjhaAd4pfWUQfTA3YQG+JZehS+o785PY=,iv:LNTs0DiuByuDhmZwIAVVXzit2trzJErOcmq5CYme8yU=,tag:YORiRZ+EyVMe3BJTqdYN9Q==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.1

Is it possible for something like this to be exposed via an API?

Something like the following (although I may be way off with the internals of how some of the methods work, but I hope it paints a good picture of what I'm looking for)

identity, err := age.GenerateX25519Identity()
if err != nil {
fmt.Println(err)
return
}

pubAgeKey := identity.Recipient().String()

fileContent, _ := ioutil.ReadFile("secrets.yaml")
branches, _ := (&yaml.Store{}).LoadPlainFile(fileContent)
tree := sops.Tree{Branches: branches}

tree.Metadata.EncryptedRegex = "^(data|stringData)$"
tree.Metadata.InPlace = true
r, err := tree.Encrypt(pubAgeKey, aes.NewCipher())
if err != nil {
panic(err)
}

ChrisJBurns avatar Jul 23 '22 21:07 ChrisJBurns

Hi, even am looking for a way to programmatically do all the stuff that can be done via sops cli. Do we have any references for golang examples which showcase this ability?

Thanks

saadansari93 avatar Nov 17 '22 19:11 saadansari93

I'm not entirely positive that there is a way of programmatically doing the same in Go as a sops -e -i file.yaml without actually using the sops binary itself and calling it in the Go code.

ChrisJBurns avatar Dec 08 '22 19:12 ChrisJBurns

after some digging through the source, this is an example to perform encryption in place using go, hope it helps whoever come across this in the future

main.go


import (
	"fmt"

	"filippo.io/age"
	"github.com/getsops/sops/v3"
	"github.com/getsops/sops/v3/aes"
	keysource "github.com/getsops/sops/v3/age"
	"github.com/getsops/sops/v3/cmd/sops/common"
	"github.com/getsops/sops/v3/keys"
	"github.com/getsops/sops/v3/keyservice"
	"github.com/getsops/sops/v3/stores/json"
)

func main() {
	identity, err := age.GenerateX25519Identity()
	if err != nil {
		panic(err)
	}
	fmt.Println(identity.String())
	fmt.Println(identity.Recipient().String())
	if err != nil {
		panic(err)
	}
	store := json.Store{}
	branches, err := store.LoadPlainFile([]byte(`{"foo": "bar"}`))
	if err != nil {
		panic(err)
	}
	fmt.Println(branches)
	masterKey, err := keysource.MasterKeyFromRecipient(identity.Recipient().String())
	if err != nil {
		panic(err)
	}
	tree := sops.Tree{
		Branches: branches,
		Metadata: sops.Metadata{
			KeyGroups: []sops.KeyGroup{
				[]keys.MasterKey{masterKey},
			},
			UnencryptedSuffix: "_unencrypted",
		},
	}

	dataKey, errs := tree.GenerateDataKeyWithKeyServices(
		[]keyservice.KeyServiceClient{keyservice.NewLocalClient()},
	)
	if errs != nil {
		panic(errs)
	}
	common.EncryptTree(common.EncryptTreeOpts{
		DataKey: dataKey,
		Tree:    &tree,
		Cipher:  aes.NewCipher(),
	})
	result, err := store.EmitEncryptedFile(tree)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(result))
}

0xinterface avatar Feb 02 '24 06:02 0xinterface