sops
Remove key:value line from encrypted sops file by using `sops --set` command
Hello,
I need to remove a specific line from an encrypted sops file by using the sops --set
flag. I need to do this in my GitLab CI Pipeline so I have to use the --set
flag. For instance, I want to remove the foo key line.
Example Input

foo: ENC[AES256_GCM,data:Z2mF,iv:zMff0j08IVYjTZl84rOgauC1IG8xcwJ3vGBufZ9kal4=,tag:IgI5Js0BIJ+a2TMwmpDAmw==,type:str]
ket: ENC[AES256_GCM,data:uTO9jto=,iv:gL0e1M76uOFImuR1a/QTLXXd+WxcWGOfPEJSy4ao8Xg=,tag:DHXZcWte240W4kJuyK0IwA==,type:str]
sops:
    kms: []
    gcp_kms:
        - resource_id: ""
          created_at: ""
          enc: ""
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2023-09-27T07:14:47Z"
    mac: ""
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
What I've tried
sops --gcp-kms "KMS_RESOURCE_ID" --set '["foo"] ""' file.enc.yaml
But I got

foo: ""
ket: ENC[AES256_GCM,data:uTO9jto=,iv:gL0e1M76uOFImuR1a/QTLXXd+WxcWGOfPEJSy4ao8Xg=,tag:DHXZcWte240W4kJuyK0IwA==,type:str]
sops:
    kms: []
    gcp_kms:
        - resource_id: ""
          created_at: ""
          enc: ""
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2023-09-27T07:59:13Z"
    mac: ""
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
What I expected

ket: ENC[AES256_GCM,data:uTO9jto=,iv:gL0e1M76uOFImuR1a/QTLXXd+WxcWGOfPEJSy4ao8Xg=,tag:DHXZcWte240W4kJuyK0IwA==,type:str]
sops:
    kms: []
    gcp_kms:
        - resource_id: ""
          created_at: ""
          enc: ""
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2023-09-27T08:10:43Z"
    mac: ""
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3

Is it even possible? Thanks in advance!
Would also like to know if this is possible.
This isn't possible. --set sets a value, not removes it. We can add another way to remove values, but that would be a separate command.
(I think it makes sense to add this as a proper subcommand, instead of adding yet another option-style command; see #1333 / #1343.)
I find this functionality useful. When you have all your secrets as code and an automated process is responsible for adding and removing new secrets, it can be difficult to maintain traceability when a new secret is deleted. This is because the entire file needs to be re-encrypted, and it is complex to maintain traceability in a git diff.
There is a PR for that currently: #1475
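Until a dedicated removal subcommand lands, the only way to drop a key is the one the maintainer describes: decrypt, delete the key, re-encrypt the whole file. The script below is an added example, not code from the sops project or from anyone in this thread; it keeps the plaintext in pipes rather than on disk and assumes `KMS_RESOURCE_ID` is set and the CI job can reach that GCP KMS key, mirroring the `--gcp-kms` call in the question. The `drop_top_level_key` helper is a deliberately small awk filter for top-level keys; a YAML-aware tool such as yq is the more robust choice for nested keys.

```shell
#!/bin/sh
# Added example (not from the sops project): remove a top-level key from a
# sops-encrypted YAML file. sops --set can only assign a value, so the file
# is decrypted, filtered in a pipe and re-encrypted; no plaintext file is
# ever written to disk.
set -eu

# drop_top_level_key KEY: read YAML on stdin and write it back without KEY
# and any indented continuation lines (block scalars, nested maps) under it.
# Only top-level keys are handled; nested paths need a real YAML tool.
drop_top_level_key() {
    awk -v key="$1" '
        /^[^ \t#]/ { skipping = (index($0, key ":") == 1) }  # new top-level key
        !skipping  { print }
    '
}

# remove_secret FILE KEY: decrypt FILE, drop KEY, re-encrypt with the same
# GCP KMS key, then replace FILE atomically. KMS_RESOURCE_ID is assumed to
# be exported by the CI job, as in the --gcp-kms invocation from the issue.
remove_secret() {
    file="$1"; key="$2"
    tmp="$(mktemp "${file}.XXXXXX")"
    sops --decrypt "$file" \
      | drop_top_level_key "$key" \
      | sops --encrypt --gcp-kms "$KMS_RESOURCE_ID" \
             --input-type yaml --output-type yaml /dev/stdin > "$tmp"
    mv "$tmp" "$file"
}

# Usage from the pipeline (assumes sops and KMS access are available):
#   KMS_RESOURCE_ID=projects/... ./remove_secret.sh file.enc.yaml foo
[ "${1:-}" ] && [ "${2:-}" ] && remove_secret "$1" "$2" || true
```

Because the whole file is re-encrypted, every remaining value gets a fresh IV and the `mac` is recomputed, so the resulting git diff touches every secret line; that is exactly the traceability cost raised above, and why an in-place removal command is the better long-term answer.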