
Support using comments to select parts to encrypt

Open felixfontein opened this issue 1 year ago • 3 comments

This PR adds support to annotate comments with a string (e.g., sops:enc) which can then be matched with a regex. If it matches, the corresponding value (the one which follows the comment) is encrypted while other values are not. (There is also the opposite regex available, to select those values which should not be encrypted.)

This enables the YAML file to have the same structure encrypted and decrypted, without having to add suffixes or manage complex regexes to match keys. See #543 for more discussion.

~~(This PR currently contains #1389 and will be rebased once that's merged. It is a lot more likely that #1389 will be merged before this PR or any of its variants, so I decided to use that one as a basis.)~~

This PR continues the work of #974 by rebasing #974 upon #1389 and adding some final touches (see https://github.com/getsops/sops/pull/974#issuecomment-1862766339).

Closes #974.

felixfontein avatar Dec 27 '23 16:12 felixfontein

@mitar I think the two comments I added address the issues from my review in https://github.com/getsops/sops/pull/974#pullrequestreview-1642951900. Can you take a look at the commits?

felixfontein avatar Dec 27 '23 17:12 felixfontein

Thanks. I think this looks good as it is already. Thank you for all the work. I made a small comment, but I think it is not critical to do it.

mitar avatar Jan 04 '24 12:01 mitar

Now that #1389 has been merged, this is ready for review! :tada:

felixfontein avatar Feb 06 '24 14:02 felixfontein

This looks good, any idea when this could be merged?

Gui13 avatar Apr 07 '24 08:04 Gui13

It's currently waiting for further reviews / approval by maintainer(s).

felixfontein avatar Apr 07 '24 10:04 felixfontein

Is there anything to do to push this further?

mitar avatar May 13 '24 23:05 mitar

Like several other PRs, this is waiting for a review / approval from someone else in @getsops/maintainers.

felixfontein avatar Jun 02 '24 11:06 felixfontein

@mitar thank you very much for your contribution! I'm glad it finally got merged... Also thanks to everyone who helped review and test this!

felixfontein avatar Jun 27 '24 07:06 felixfontein

Thank you everyone who was involved in getting this in, and especially you @felixfontein for all the help getting it in.

How could I bring #1404 further?

mitar avatar Jun 27 '24 08:06 mitar

@felixfontein

thank you very much for this awesome feature!

two questions:

  • can you please add a simple example to the readme on how to use this new feature?
  • is it possible to invert the feature's behavior (encrypt by default and use a comment to keep the value unencrypted)?

c33s avatar Jun 27 '24 10:06 c33s

README does have some text about this here.

> is it possible to invert the feature's behavior (encrypt by default and use a comment to keep the value unencrypted)?

Yes, you can use unencrypted-regex for that.

mitar avatar Jun 27 '24 10:06 mitar

I meant some examples for the config file, like: .sops.yaml

creation_rules:
  - path_regex: '\.yaml$'
    # only one selection option (encrypted_regex, unencrypted_regex,
    # encrypted_comment_regex, unencrypted_comment_regex or the suffix
    # variants) may be set per rule; this one encrypts everything except
    # values preceded by a comment matching the regex
    unencrypted_comment_regex: 'keep_decrypted'

file.yaml

foo:
  # keep_decrypted
  bar: 1234
  password: will be encrypted

oh I missed the --unencrypted-comment-regex. really awesome it can work both ways

c33s avatar Jun 27 '24 18:06 c33s
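To make the selection rule from the PR description and c33s's inverted example concrete, here is an added Go illustration; it is not sops' own code, and the tree model, the `Item`, `SelectEncrypted` and `Sample` names, and the assumption that a comment-marked mapping key covers its whole subtree are mine. It also refuses to have both comment regexes set at once, mirroring sops' rule that a creation rule carries only one selection option.

```go
package main

import (
	"fmt"
	"regexp"
)

type Item struct { // one entry of an ordered YAML mapping: comment line, scalar (Key, Value) or nested mapping (Key, Branch)
	Comment, Key, Value string
	Branch              []Item
}

// SelectEncrypted applies the rule from the PR: with encRe set, only a value whose preceding
// comment matches is encrypted; with unencRe set the default flips and a match keeps the value clear.
func SelectEncrypted(items []Item, encRe, unencRe *regexp.Regexp) ([]string, error) {
	if (encRe == nil) == (unencRe == nil) {
		return nil, fmt.Errorf("set exactly one of encrypted_comment_regex / unencrypted_comment_regex")
	}
	var out []string
	if encRe != nil { // opt-in: nothing is encrypted unless a matching comment marks it
		walk(items, "", false, encRe, &out)
	} else { // opt-out: everything is encrypted unless a matching comment exempts it
		walk(items, "", true, unencRe, &out)
	}
	return out, nil
}

func walk(items []Item, prefix string, byDefault bool, re *regexp.Regexp, out *[]string) {
	marked := false // set by a matching comment, consumed by the next key only
	for _, it := range items {
		if it.Comment != "" {
			marked = marked || (re != nil && re.MatchString(it.Comment))
			continue
		}
		enc, p := byDefault != marked, prefix+it.Key
		marked = false
		switch {
		case it.Branch == nil && enc:
			*out = append(*out, p) // dotted path of a scalar that will be encrypted
		case it.Branch != nil && enc == byDefault: // unmarked mapping: its children decide
			walk(it.Branch, p+".", byDefault, re, out)
		case it.Branch != nil && enc: // comment-marked mapping (assumption): encrypt everything below it
			walk(it.Branch, p+".", true, nil, out)
		}
	}
}
// Sample is a constructed tree mirroring c33s's file.yaml plus a sops:enc-marked mapping (fake values).
var Sample = []Item{{Key: "foo", Branch: []Item{{Comment: " keep_decrypted"}, {Key: "bar", Value: "1234"}, {Key: "password", Value: "hunter2"}}},
	{Comment: " sops:enc"}, {Key: "db", Branch: []Item{{Key: "user", Value: "u"}, {Key: "pass", Value: "p"}}}, {Key: "host", Value: "localhost"}}
func main() { fmt.Println(SelectEncrypted(Sample, regexp.MustCompile(`sops:enc`), nil)) }
```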