
MAC only over encrypted values

Open mitar opened this issue 2 years ago • 4 comments

Our use case is more that we have a YAML file with many settings, where only a few of them have to be encrypted. We want to store that file in a public open source git repository, so that everyone can see the configuration. The issue is that sops requires one to be able to decrypt the file in order to edit it (and re-encrypt it, updating the per-file MAC). That is great for some use cases, but in our case we would want external collaborators to be able to edit settings (at least the non-encrypted ones) and make PRs to change them, both the code and the configuration (as code). E.g., somebody adds a new configuration option and also wants to add the value for that configuration option for our deployment. During the PR review process those changes would be reviewed and, if approved, merged to the main branch.

I think this would work out if the MAC were stored together with the encrypted value itself, per encrypted value (and the path to it in the YAML).

This might solve issues with merging others have reported, too: #52

I think the issue is that SOPS started with a design in which all values were encrypted (where a per-file MAC makes complete sense) and has since added more features to enable only some values to be encrypted, which opens up more use cases. For some (where both encrypted and non-encrypted settings are tightly coupled and one does not want to open the door for somebody to change any of them) this is a great fit, but I am seeing that this is not always the case.

mitar avatar Dec 18 '21 17:12 mitar

I see that encrypted values are already encrypted using AES256 GCM, which is authenticated encryption, so it already includes a kind of MAC.

Maybe the alternative could be to compute the MAC only over the encrypted values? This could improve things for collaboration, while for editing any encrypted value it would still be required to be able to decrypt all values (to compute the MAC over them).

I see a use case where an external collaborator might want to encrypt a value using the public key only and would be prevented from doing so because they cannot compute the MAC over all files (lacking the private key), but I am not completely sure this use case makes much sense.

mitar avatar Dec 18 '21 18:12 mitar
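The trade-off discussed in the two comments above, as an added illustration that is not sops's own code or MAC scheme: a MAC computed only over the encrypted leaves of a settings document, each bound to its path in the tree. The `ENC[` marker, the HMAC key and the sample document are constructed for the demo; real sops keeps its MAC over the plaintext values and encrypts it with the data key.

```python
import hashlib
import hmac
import json
from typing import Any, Iterator, Tuple

# Constructed marker for leaves that are already ciphertext (sops uses ENC[AES256_GCM,...]).
ENC_PREFIX = "ENC["


def encrypted_leaves(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], str]]:
    """Yield (path, ciphertext) for every encrypted scalar, in a canonical (sorted) order."""
    if isinstance(node, dict):
        for key in sorted(node):
            yield from encrypted_leaves(node[key], path + (str(key),))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from encrypted_leaves(item, path + (str(i),))
    elif isinstance(node, str) and node.startswith(ENC_PREFIX):
        yield path, node


def mac_over_encrypted(doc: dict, key: bytes) -> str:
    """HMAC-SHA256 over [path, ciphertext] pairs only. Plaintext settings are not
    covered, so collaborators can edit them without the key; ciphertext edits or
    moving a ciphertext to another key are still detected because the path is bound."""
    records = [[list(path), ct] for path, ct in encrypted_leaves(doc)]
    canonical = json.dumps(records, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def demo() -> dict:
    """Exercise the three cases that matter for the PR-review workflow in the issue."""
    key = b"constructed-demo-key-not-a-real-data-key"
    doc = {  # constructed sample: one encrypted setting among plaintext ones
        "db": {"host": "db.internal.example", "password": "ENC[AES256_GCM,data:Y29uc3RydWN0ZWQ=,tag:dGFn,type:str]"},
        "replicas": 3,
    }
    baseline = mac_over_encrypted(doc, key)
    edited = json.loads(json.dumps(doc))            # collaborator changes plaintext only
    edited["replicas"] = 5
    edited["feature_flags"] = {"new_option": True}
    tampered = json.loads(json.dumps(doc))          # ciphertext bytes altered
    tampered["db"]["password"] = "ENC[AES256_GCM,data:dGFtcGVyZWQ=,tag:dGFn,type:str]"
    moved = json.loads(json.dumps(doc))             # same ciphertext under a different key
    moved["db"]["admin_password"] = moved["db"].pop("password")
    return {
        "plaintext_edit_keeps_mac": mac_over_encrypted(edited, key) == baseline,
        "ciphertext_tamper_detected": mac_over_encrypted(tampered, key) != baseline,
        "moved_value_detected": mac_over_encrypted(moved, key) != baseline,
    }
```

Note what this does not give you: nothing binds the plaintext settings to the encrypted ones, which is exactly the coupling the original per-file MAC provides and that the issue text accepts giving up for this use case.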

I made PR: https://github.com/mozilla/sops/pull/973

mitar avatar Dec 18 '21 20:12 mitar

@mitar — I downloaded the GitHub artifact with this enhancement, but I can't get it to work. Can you provide an example on how to use it?

Edit: Nevermind, I was just doing it wrong.

byronmccollum avatar May 21 '22 00:05 byronmccollum

Glad that you made it work.

mitar avatar May 21 '22 11:05 mitar