
Sops EDIT function DOESN'T take latest configuration, was always using original configuration

Open Neal910 opened this issue 9 months ago • 5 comments

Background

We are changing the sops configuration for all our env var files saved in a project, but we don't want to re-encrypt all the files and commit them massively at once. Instead, we would like to ONLY change the sops configuration and leave all files as they are for later operations. What I mean by later operations is that whenever people `sops edit` a file, we expect sops to re-encrypt the file using the new configuration after editing. This way, while people change each file, we can gradually migrate all the env var files to the new configuration, which could potentially avoid the risk of everything changing at once.

Issue

However, the current edit function doesn't take the configuration as a parameter; it will keep using the original config https://github.com/getsops/sops/blob/main/cmd/sops/main.go#L1305, while a non-existing file will trigger the new config https://github.com/getsops/sops/blob/main/cmd/sops/main.go#L1328.

Does it make sense to always use the latest config while doing the editing? Or is there any context I don't understand?

Neal910 avatar Mar 05 '25 20:03 Neal910

That has been the behavior for many, many years. Editing does not automatically add or remove keys, unless you explicitly tell sops to add/remove specific keys. If you want to update keys to the latest config, use the updatekeys subcommand.

felixfontein avatar Mar 05 '25 20:03 felixfontein

Thanks a lot for your reply.

However, I am not updating the keys, but changing from unencrypted_regex to something like

encrypted_regex: '.*(PASSWORD|SECRET|CREDENTIAL|PRIVATE|KEY|AUTH|TOKEN|JWT).*'
mac_only_encrypted: true

I tried with the updatekeys function; it does not seem to work for this scenario.

Neal910 avatar Mar 05 '25 21:03 Neal910

I don't think there's an update functionality for these kinds of changes so far. updatekeys only takes care of encryption keys.

CC @getsops/maintainers. (Related: https://github.com/getsops/sops/issues/1610#issue-2519809220)

felixfontein avatar Mar 05 '25 21:03 felixfontein

@felixfontein I played with a forked sops for a little bit to add an update-all-configs flag on updatekeys, and realized that even with this flag it is the sops configuration and keys that get updated for each of the encrypted files; we would still need to add more to get the encrypted content updated. That leads me to think that what I need should not be the responsibility of updatekeys.

So maybe I should build a script myself to loop through all the encrypted files and decrypt and encrypt them again with the new configuration. Or do you think that could be something that sops can support?

Neal910 avatar Mar 06 '25 14:03 Neal910

I think sops should have a reencrypt -i subcommand that does exactly the following, but without writing the intermediate plaintext to disk:

sops decrypt -i <filepath>
sops encrypt -i <filepath>

haslersn avatar Mar 24 '25 12:03 haslersn
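The migration script discussed above (loop over every sops-managed file, decrypt it, and encrypt it again under the current .sops.yaml so that the new `encrypted_regex`/`mac_only_encrypted` rules take effect), written so that the plaintext stays in shell memory and is never written to disk. This is an added example, not code from the sops project or from anyone in this thread. It assumes a sops binary on PATH that supports the global `--input-type`/`--output-type` flags and the `--filename-override` flag (so creation-rule `path_regex` matching still sees the real file name while the plaintext is fed through `/dev/stdin`); the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example (not sops project code): re-encrypt every sops-managed file
# under a directory with the *current* .sops.yaml so the new creation rules
# apply, without ever writing plaintext to disk.
set -eu

# Map a file name to the sops --input-type / --output-type value.
input_type_for() {
  case "$1" in
    *.yaml|*.yml) echo yaml ;;
    *.json)       echo json ;;
    *.env)        echo dotenv ;;
    *.ini)        echo ini ;;
    *)            echo binary ;;
  esac
}

# List files that carry sops ciphertext: every encrypted file, whatever the
# format, contains at least one "ENC[" value (the MAC if nothing else).
find_sops_files() {
  find "$1" -type f ! -name '.sops.yaml' ! -path '*/.git/*' \
    -exec grep -l 'ENC\[' {} +
}

# Decrypt into a shell variable (memory only), re-encrypt from stdin under
# the current configuration, and only then atomically replace the original.
# If either sops call fails, set -e aborts before the original is touched.
reencrypt_file() {
  f=$1
  fmt=$(input_type_for "$f")
  plain=$(sops --decrypt "$f")
  tmp="$f.sops-reencrypt.$$"
  # --filename-override (assumed available) makes sops match creation rules
  # against the real path even though the plaintext comes from /dev/stdin.
  printf '%s\n' "$plain" | sops --encrypt \
      --filename-override "$f" \
      --input-type "$fmt" --output-type "$fmt" /dev/stdin > "$tmp"
  mv "$tmp" "$f"
  echo "re-encrypted: $f"
}

# Walk a tree and re-encrypt each sops-managed file in turn.
reencrypt_tree() {
  find_sops_files "$1" | while IFS= read -r f; do
    reencrypt_file "$f"
  done
}

# Usage: ./reencrypt.sh <directory>
if [ $# -gt 0 ]; then
  reencrypt_tree "$1"
fi
```

Only the ciphertext goes through the temporary file, so an interrupted run leaves at worst a stray `*.sops-reencrypt.<pid>` file containing encrypted data next to an untouched original. Files whose extension is not recognised are treated as `binary`; adjust `input_type_for` if the repository uses other naming conventions.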