[Feature] Support Tencent Cloud KMS
Feature Background
This PR adds support for Tencent Cloud Key Management Service (KMS) as a new key provider in SOPS. Tencent Cloud KMS is a secure, scalable key management service that helps users manage cryptographic keys, meet compliance requirements, and secure sensitive data.
With this addition, SOPS users can now leverage Tencent Cloud KMS for encrypting and decrypting their secrets alongside existing providers like AWS KMS, GCP KMS, Azure Key Vault, and HashiCorp Vault.
Implementation Details
New Files
- Created tencentkms/keysource.go: Core implementation of the Tencent Cloud KMS integration
- Created tencentkms/keysource_test.go: Unit tests for the Tencent Cloud KMS integration
- Created tencentkms/keysource_integration_test.go: Integration tests for the Tencent Cloud KMS integration
Key Components
- MasterKey Implementation:
  - Implemented the MasterKey interface for Tencent Cloud KMS
  - Added core encryption/decryption logic using the Tencent Cloud KMS API
  - Included proper error handling and key identification
- Configuration Support:
  - Added environment variables for authentication:
    - TENCENTCLOUD_SECRET_ID: Tencent Cloud API secret ID
    - TENCENTCLOUD_SECRET_KEY: Tencent Cloud API secret key
    - TENCENTCLOUD_REGION: Tencent Cloud region
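As an added illustration of the MasterKey wiring described above (this is not code from the PR, whose keysource.go talks to the real Tencent Cloud SDK client), the snippet below isolates what a SOPS key source does with a KMS: it wraps and unwraps only the data key, never the file contents. The kmsAPI interface, the fakeKMS test double and the field names are assumptions, chosen so the logic can be exercised offline the way keysource_test.go would.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// kmsAPI is a hypothetical narrow interface over the Tencent Cloud KMS client (base64
// plaintext in, opaque blob out) so the key source can be unit tested without credentials.
type kmsAPI interface {
	Encrypt(keyID, plaintextB64 string) (string, error)
	Decrypt(ciphertextBlob string) (string, error)
}

// MasterKey holds one Tencent Cloud KMS key ID and the SOPS data key wrapped by it.
// Only the data key is ever sent to KMS; the file contents never leave the host.
type MasterKey struct {
	KeyID        string
	EncryptedKey string // ciphertext blob from KMS, written to the sops metadata
	client       kmsAPI
}

// EncryptIfNeeded wraps the data key under KeyID unless a blob is already stored,
// so a repeated encryption pass never replaces an existing blob.
func (k *MasterKey) EncryptIfNeeded(dataKey []byte) error {
	if k.EncryptedKey != "" {
		return nil
	}
	blob, err := k.client.Encrypt(k.KeyID, base64.StdEncoding.EncodeToString(dataKey))
	if err != nil {
		return fmt.Errorf("tencentkms: encrypt data key with %s: %w", k.KeyID, err)
	}
	k.EncryptedKey = blob
	return nil
}

// Decrypt asks KMS to unwrap the stored blob and returns the plaintext data key.
func (k *MasterKey) Decrypt() ([]byte, error) {
	b64, err := k.client.Decrypt(k.EncryptedKey)
	if err != nil {
		return nil, fmt.Errorf("tencentkms: decrypt with %s: %w", k.KeyID, err)
	}
	return base64.StdEncoding.DecodeString(b64)
}

// fakeKMS is a constructed test double: it tags the blob with the key ID instead of encrypting.
type fakeKMS struct{}

func (fakeKMS) Encrypt(keyID, pt string) (string, error) { return keyID + ":" + pt, nil }
func (fakeKMS) Decrypt(blob string) (string, error)      { _, pt, _ := strings.Cut(blob, ":"); return pt, nil }
```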
Usage Example
Below are my test cases:
- Encrypt and decrypt with one key ID in the CLI
./sops --encrypt --tencent-kms {kms key id} config.yaml > config.enc.yaml
./sops decrypt config.enc.yaml
- Encrypt and decrypt with multiple key IDs in the CLI
./sops --encrypt --tencent-kms {kms key id1},{kms key id 2} config.yaml > config.enc.yaml
./sops decrypt config.enc.yaml
- Add and remove one key
./sops -r -i --rm-tencent-kms {kms key id} config.enc.yaml
./sops -r -i --add-tencent-kms {kms key id} config.enc.yaml
- Encrypt and decrypt with mixed keys, e.g. together with AWS KMS
./sops encrypt --tencent-kms {kms key id} --kms {aws kms key arn} config.yaml > config.enc.mixed.yaml
./sops --decrypt --kms {aws kms key arn}
./sops --decrypt --tencent-kms {kms key id} config.enc.mixed.yaml
- Using SOPS configuration:
Set the content below in .sops.yaml:
creation_rules:
  - path_regex: .*\.yaml$
    key_groups:
      - kms:
          - {aws kms key arn 1}
          - {aws kms key arn 2}
      - tencent_kms:
          - key_id: {kms key id 1}
          - key_id: {kms key id 2}
    shamir_secret_sharing_threshold: 2
Then run the commands below:
./sops encrypt config.yaml >config.enc.groups.yaml
./sops decrypt config.enc.groups.yaml
./sops groups add --tencent-kms {new kms key id} -i -f config.enc.groups.yaml
./sops updatekeys -y config.enc.groups.yaml
- Key service test
In one shell with Tencent Cloud credentials, run the sops key service: sops keyservice --network unix --address /tmp/sops.sock --verbose
In another shell, run the test commands:
./sops --encrypt --tencent-kms {kms key id 1} --keyservice unix:///tmp/sops.sock config.yaml
./sops decrypt --keyservice unix:///tmp/sops.sock config.enc.yaml
@felixfontein, could you please take a look? Thank you.
Hi @hiddeco, @onedr0p, @devstein, @gemtreasure, could anyone give a review, please?