Add SSH support for age
This MR implements https://github.com/mozilla/sops/issues/692
I realize there is already a MR https://github.com/mozilla/sops/pull/898 but it implements the ssh encryption as a completely new method. I just patched the existing age module to also support ssh recipients and identities.
The behavior is the same as the original MR: if there is no `SOPS_AGE_SSH_PRIVATE_KEY` env variable given, sops will check `~/.ssh/id_ed25519` and falls back to `~/.ssh/id_rsa`.
Would love to hear some thoughts on this.
Thanks for submitting. Took it for a spin; works splendidly over here. Here's approximately what I used to test:
```bash
#!/bin/bash
# review https://github.com/mozilla/sops/pull/1134
set -euo pipefail
# Make tempdir for test
d="$(mktemp -d)"
cd "$d" || exit 1
# Use the default ed25519 SSH public key as the sole age recipient
ssh_pubkey="$(cat ~/.ssh/id_ed25519.pub)"
cat <<END > .sops.yaml
---
creation_rules:
- age: "$ssh_pubkey"
END
echo "Created sops config:"
cat .sops.yaml
cat <<END2 > example.yaml
---
foo: bar
END2
echo "Created vars file:"
cat example.yaml
# Encrypt in place; decryption below relies on ~/.ssh/id_ed25519 being found by the fallback
sops -e -i example.yaml
echo "Encrypted vars file via ssh pubkey:"
cat example.yaml
echo "Attempting decryption of vars file:"
sops -d example.yaml
echo "SUCCESS!"
```
Tried it with a 4096-bit RSA key, and that worked fine, too. Would love to see this PR land.
Hi! I've found this PR, and it's what we were waiting for to permit us to use SOPS. Is this PR abandoned, or do we just need to wait again?
Hey, I would also be interested in using ssh key :)
Thank you for your contribution! :avocado:
Due to the size of this PR, I have scheduled it for next-next minor, as we do not want to unleash a flood of issues due to newly introduced functionalities on us while we have just taken over the project. I'll come back to this once v3.8.0 has been released.
In the meantime, it would be helpful if you could rebase your work and sign-off your commits. Thanks! :bow:
Hi @hiddeco, thanks for the review! I will rebase, sign-off the commits and try to implement your suggestions! It might take a week or so, but I'm excited to get this feature done.
I hate to look like I'm trying rush this, but I'm really just very excited for this feature! 😅 So if I could just bump this...?
> The behavior is the same as the original MR: If there is no `SOPS_AGE_SSH_PRIVATE_KEY` env variable given, sops will check `~/.ssh/id_ed25519` and fallbacks to `~/.ssh/id_rsa`. Would love to hear some thoughts on this.
Reasonable behavior. What was a bit confusing for me was just when I've set `SOPS_AGE_SSH_PRIVATE_KEY=file.key` it automatically assumed there is also a `file.key.pub`. I mean I did `ssh-keygen -y -f file.key > file.key.pub` then, but this should not really be necessary (or this assumption should at least be documented).
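The two behaviours discussed in this thread, the identity lookup order from the PR description (`SOPS_AGE_SSH_PRIVATE_KEY`, then `~/.ssh/id_ed25519`, then `~/.ssh/id_rsa`) and the undocumented `.pub` companion the comment above ran into, are easy to get wrong at deploy time. The following preflight script is an added example, not code from the PR or from sops itself; the function names and the fail-fast choice for an unreadable explicit key are my own, and it only reproduces the lookup order as the description states it.

```sh
#!/bin/sh
# Added example, not code from the sops PR: reproduces the identity lookup
# order the PR description gives and checks for the companion public key that
# the review comment found to be silently assumed. Function names are my own.
#
# Lookup order (from the PR description):
#   1. $SOPS_AGE_SSH_PRIVATE_KEY, if set
#   2. $HOME/.ssh/id_ed25519
#   3. $HOME/.ssh/id_rsa

# Print the identity file sops would use; return 1 if none is usable.
resolve_ssh_identity() {
    if [ -n "${SOPS_AGE_SSH_PRIVATE_KEY:-}" ]; then
        if [ -r "$SOPS_AGE_SSH_PRIVATE_KEY" ]; then
            printf '%s\n' "$SOPS_AGE_SSH_PRIVATE_KEY"
            return 0
        fi
        # An explicit setting that is unreadable fails here rather than
        # silently falling through to a default key the operator did not pick.
        echo "SOPS_AGE_SSH_PRIVATE_KEY is set but not readable: $SOPS_AGE_SSH_PRIVATE_KEY" >&2
        return 1
    fi
    for candidate in "$HOME/.ssh/id_ed25519" "$HOME/.ssh/id_rsa"; do
        if [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no SSH identity found; set SOPS_AGE_SSH_PRIVATE_KEY or create ~/.ssh/id_ed25519 or ~/.ssh/id_rsa" >&2
    return 1
}

# Return 0 if <key>.pub exists beside the private key; otherwise print the
# ssh-keygen command from the review comment and return 1.
check_pubkey_companion() {
    key="$1"
    if [ -r "$key.pub" ]; then
        return 0
    fi
    echo "missing $key.pub; derive it with: ssh-keygen -y -f '$key' > '$key.pub'" >&2
    return 1
}

# Preflight to run before 'sops -d': prints the key that will be used and
# returns 0 only if both the private key and its .pub companion are present.
sops_ssh_preflight() {
    key="$(resolve_ssh_identity)" || return 1
    check_pubkey_companion "$key" || return 2
    printf '%s\n' "$key"
}

# Example invocation (commented out so the file can be sourced):
# sops_ssh_preflight && sops -d example.yaml
```

Running `sops_ssh_preflight` in a CI job or deploy script turns the silent `.pub` assumption into an explicit error with the exact `ssh-keygen -y` fix, and makes a typo in `SOPS_AGE_SSH_PRIVATE_KEY` fail instead of quietly decrypting with whatever default key happens to be on the host.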
I finally had some time to do this. I am no longer actively using sops at the moment, so if anyone else wants to take over from here, please feel free to use and modify my code as you wish.
I wrote a blog post on using sops with ssh keys and github, might be relevant to someone here. https://taras.glek.net/post/github-to-sops-lighter-weight-secret-management/
Hi @hiddeco , would it be possible to take a look at this PR once again? The PR has been created around 1.5 years ago and the original poster, after being asked to rebase it to the latest version of sops (and doing so), said that he's not actively using sops anymore. As a result, I think that the longer it takes for this PR to be merged, the harder it will be for it to be merged in the future, with every other commit not related to this PR potentially messing something somewhere.
Maybe it would make sense to merge this now and then work on any potential refactoring in future versions, so that we already have something that's working that we can use.
@overfl0 You can convert an ssh-ed25519 key using the ssh-to-age program ;) https://github.com/Mic92/ssh-to-age/
This is a valuable feature - +1 - it would be great to see it merged and usable.