
do not encrypt comments

Open dudicoco opened this issue 4 years ago • 13 comments

Hi,

SOPS is encrypting comments within the file, is there a way to preserve the comments without encrypting them?

Thanks

dudicoco avatar Aug 23 '21 10:08 dudicoco

Doesn't seem to be possible. Whatever I pass to --unencrypted-regex, comments are encrypted anyway.

ChristianCiach avatar Jan 17 '22 15:01 ChristianCiach

The opposite seems to work:

--encrypted-regex '.'

This encrypts everything except for comments.

This doesn't feel very clean and I think it only works by accident. I expect this to break at any time.

ChristianCiach avatar Jan 17 '22 15:01 ChristianCiach

Thanks for the tip @ChristianCiach

dudicoco avatar Jan 17 '22 16:01 dudicoco

... it's common for engineers to "comment out" secrets in YAML files, ...

@autrilla https://github.com/mozilla/sops/issues/229#issue-250379117

The thought is noble and valid, but keeping comments in an encrypted file unencrypted is also a valid use case. Please add an explicit flag/setting for keeping comments unencrypted.

c33s avatar Apr 03 '23 17:04 c33s

While "ugly", maybe it would be possible to implement something similar to the _unencrypted suffix for comments, to allow users to directly specify which comments should be unencrypted while defaulting to forcing all of them to be encrypted for better security.

Possible unencrypted comment values would need to start with # _unencrypted_

# _unencrypted_ This is my real comment string
# _unencrypted_  this continues my comment on another line

smbambling avatar Aug 23 '23 13:08 smbambling

I don't know whether some things work when using the CLI options, but as I need to pre-configure things via .sops.yaml files, none of these options work:

  • by @smbambling: unencrypted_suffix: "_unencrypted"
  • by @ChristianCiach: encrypted_regex: "."

So, having an option to generally control this would be really helpful, since we're doing GitOps and NOT saving secrets inside comments.

And even if it might happen at some point, we'll immediately rotate/replace the secret upon detection.

enote-kane avatar Sep 22 '23 17:09 enote-kane
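The reason sops encrypts comments by default is the risk quoted earlier in this thread: engineers commenting out secrets in YAML. A team that chooses to leave comments in cleartext (for example via the --encrypted-regex '.' workaround above) therefore wants a check that catches secret-looking material in comments before the file is committed, so it can be rotated as enote-kane describes. The following is an added example, not part of sops or this issue; it is a heuristic pre-commit style scanner that only inspects full-line YAML comments (trailing comments after a value are ignored), flags comment lines whose key name looks sensitive or whose value looks high-entropy, and runs on a constructed sample file. The key-name list, the entropy threshold and the sample data are assumptions chosen for illustration.

```python
import math
import re

# Key names that should never appear with a value inside a comment (assumed list).
SENSITIVE_KEY = re.compile(
    r"(?i)\b(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|credential)s?\b"
)
# A "key: value" or "key=value" pair inside the comment text.
KV = re.compile(r"([A-Za-z_][\w.-]*)\s*[:=]\s*(\S+)")
# PEM private key header pasted into a comment.
PEM = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; ~4 for random hex, ~0 for repeated chars."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def comment_text(line: str):
    """Return the text of a full-line YAML comment, or None for any other line."""
    stripped = line.lstrip()
    if stripped.startswith("#"):
        return stripped[1:].strip()
    return None


def find_secret_like_comments(yaml_text: str, min_len: int = 16, min_entropy: float = 3.5):
    """Return (line_number, reason) for every comment line that looks like it holds a secret."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        text = comment_text(line)
        if text is None:
            continue  # encrypted values live outside comments; sops already protects them
        if PEM.search(text):
            findings.append((lineno, "private key material"))
            continue
        for m in KV.finditer(text):
            key, value = m.group(1), m.group(2)
            if SENSITIVE_KEY.search(key):
                findings.append((lineno, f"sensitive key name '{key}'"))
                break
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                findings.append((lineno, f"high-entropy value for '{key}'"))
                break
    return findings


# Constructed sample: a sops-style file where comments would be left in cleartext.
# Line 4 is a commented-out password; line 6 is a leftover hex token; lines 1 and 7
# are the kind of harmless operational comments the thread wants to keep readable.
SAMPLE = """\
# Rotation note: this secret expires at 2025-01-31T00:00:00Z
db:
  user: app
  # password: hunter2
  password: ENC[AES256_GCM,data:placeholder,type:str]
# old_key=4f9a1c7e2b8d6e0a3c5b7d9f1e2a4c6b
# contact: platform-team
"""

if __name__ == "__main__":
    for lineno, reason in find_secret_like_comments(SAMPLE):
        print(f"line {lineno}: {reason}")
```

Running the block reports line 4 (sensitive key name) and line 6 (high-entropy value) while leaving the expiry note and the contact comment alone, which is the split a team wants: keep informative comments readable, but refuse to commit cleartext comments that carry credentials. Thresholds are deliberately conservative; tune min_len and min_entropy to your own data rather than trusting the assumed defaults.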

It'd be really great to be able to have a way to avoid encrypting comments, as there are cases where it's extremely inconvenient to have to decrypt a file to get at the data in a comment (particularly "this secret expires at this timestamp" type of comments, which seem like a pretty solid use-case).

shanemadden avatar Nov 09 '23 00:11 shanemadden

While I like that comments are encrypted by default, it would be great to have an option to leave specific comments unencrypted, as @smbambling suggested.

haizaar avatar Nov 15 '23 05:11 haizaar

Adding to this, we use the comments to indicate why data exists in the encrypted file, so it would be nice to have a type of comment that is unencrypted, similar to _unencrypted_values.

kzap avatar Jan 23 '24 17:01 kzap

This feature would be very valuable; comments may include a lot of useful info that should be readable without decrypting the file (e.g. while looking at it on GitHub). Will you consider implementing this?

fabn avatar Aug 17 '24 14:08 fabn