
Add support for Age SSH

Open iamd3vil opened this issue 4 years ago • 5 comments

Currently sops only supports age with age keys. This PR adds support for using SSH keys for encryption and decryption using age.

Usage

Encryption

./sops --ssh /home/user/.ssh/id_ed25519.pub -e -i secrets.yaml

--ssh flag here denotes the ssh keys for encrypting.

Decryption

./sops -d enc.json

If no SOPS_AGE_SSH_PRIVATE_KEY env variable is given, sops will check ~/.ssh/id_ed25519 and fall back to ~/.ssh/id_rsa.

Let me know if I need to do any changes.

P.S.: I have updated to the latest version as well.

iamd3vil avatar Jul 01 '21 17:07 iamd3vil

Any news on this PR?

itscaro avatar Dec 06 '21 15:12 itscaro

This fixes #692 and would allow a really streamlined process combined with gitops tools like argocd or flux.

hikhvar avatar Jan 25 '22 08:01 hikhvar

GitOps tool maintainer here (Flux). Thanks a lot for this contribution, I have no doubt this will be extremely useful to quite some users. :1st_place_medal:

I have assigned this to myself to review, but am waiting for #1064 to land first as I have a gut feeling it would be better to merge the two key sources into one than to introduce an additional one. For this, I need a clear view on the state of develop post-merge in combination with this PR. Please hold for a tiny bit longer :bow:

hiddeco avatar Jun 02 '22 21:06 hiddeco

@hiddeco #1064 is now merged, is there some way we could help to merge this current PR as well?

saimonn avatar Jun 21 '22 08:06 saimonn

Sorry for the wait folks, this has been on my to-do list for some time but #1072 and #1085 had a bit more priority.

Based on a quick study of the current key source implementation in develop and age itself, I am wondering if the current age.X25519Recipient in this implementation could be replaced with a more generic age.Recipient. We could then load decryption keys (identities) from all known files (either X25519 or SSH), and re-use most logic already there with some minor changes to deal with different receiver string types. WDYT?

hiddeco avatar Jul 06 '22 18:07 hiddeco
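The two technical points in this thread are the private-key lookup order the PR description gives (SOPS_AGE_SSH_PRIVATE_KEY, then ~/.ssh/id_ed25519, then ~/.ssh/id_rsa) and hiddeco's suggestion of one recipient list that holds both age X25519 recipients and SSH public keys. The POSIX shell below is an added illustration of both, written for this thread; it is not code from the PR or from sops. It assumes a `home` argument so the lookup can be exercised against a directory other than the real ~/.ssh, treats an explicitly set SOPS_AGE_SSH_PRIVATE_KEY that does not point at a readable file as an error rather than silently falling through to ~/.ssh (a choice the PR text does not specify), and adds the same refusal of group- or world-readable key files that ssh itself applies. The recipient classification relies only on the string prefixes age and ssh use; the `age` CLI accepts either kind via `-r`, which is what makes one combined list workable.

```sh
#!/bin/sh
# Illustrative model of the SSH-identity lookup described in the PR and of a
# mixed age/SSH recipient list. Not sops code; see the notes above.

# resolve_ssh_identity [home_dir]
# Prints the private key path age should decrypt with, or returns 1.
# Order: SOPS_AGE_SSH_PRIVATE_KEY, then <home>/.ssh/id_ed25519, then <home>/.ssh/id_rsa.
resolve_ssh_identity() {
    home="${1:-$HOME}"
    if [ -n "$SOPS_AGE_SSH_PRIVATE_KEY" ]; then
        # Assumption: an explicit override that is unusable is an error.
        # Falling through to ~/.ssh here would decrypt with a key the
        # operator did not choose.
        [ -r "$SOPS_AGE_SSH_PRIVATE_KEY" ] || return 1
        printf '%s\n' "$SOPS_AGE_SSH_PRIVATE_KEY"
        return 0
    fi
    for candidate in "$home/.ssh/id_ed25519" "$home/.ssh/id_rsa"; do
        if [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# key_is_private_enough path
# Succeeds only if group and other have no permission bits at all
# (0600, 0400, 0700 ...), mirroring ssh's refusal of loosely protected keys.
key_is_private_enough() {
    # GNU stat first, BSD/macOS stat as fallback; both print e.g. "600".
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# recipient_kind recipient_string
# Classifies one entry of a combined recipient list by its prefix.
# Prints x25519, ssh, or unknown (and returns 1 for unknown).
recipient_kind() {
    case "$1" in
        age1*)                        echo x25519 ;;
        "ssh-ed25519 "*|"ssh-rsa "*)  echo ssh ;;
        *)                            echo unknown; return 1 ;;
    esac
}

# age_recipient_args file_with_one_recipient_per_line
# Emits the "-r <recipient>" arguments for age, one pair per line, and fails
# on the first recipient it cannot classify so a typo never silently drops a key.
age_recipient_args() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        recipient_kind "$line" >/dev/null || return 1
        printf -- '-r\n%s\n' "$line"
    done < "$1"
}
```

Usage, with a constructed recipient list holding one age key and one SSH key: `age_recipient_args recipients.txt` yields the argument pairs you would splice into `age -e ...`, and `resolve_ssh_identity` picks the decryption key in the order the PR documents. The permission check is the caveat a practitioner would want: a sops wrapper that quietly reads a 0644 id_rsa hides a problem ssh would have refused to ignore.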

Hello @hiddeco! Any news about the review?

Sebor avatar Nov 13 '22 20:11 Sebor

Would also love to have this. Perhaps there is somebody else who can pick up the review?

neongreen avatar Aug 05 '23 00:08 neongreen

Or should it be closed in favor of https://github.com/getsops/sops/pull/1134? @hiddeco

neongreen avatar Aug 05 '23 00:08 neongreen

While I really do appreciate your work here @iamd3vil, I am going to close this in favor of #1134 which incorporates the feedback I gave in https://github.com/getsops/sops/pull/898#issuecomment-1176522057. Thank you very much nonetheless! :bow:

hiddeco avatar Oct 11 '23 19:10 hiddeco