Encrypt Your Sensitive Information Before Storing It - Encrypting with Mozilla SOPS and AGE

42,004 views

Techno Tim

1 day ago

Committing secrets to your Git repo can expose information like passwords, access tokens, and other types of sensitive data. Some might think that committing secrets to a private Git repo is OK, but I am here to tell you it's not. If you're going to commit secrets to a Git repo, private or public, you should encrypt them first using Mozilla SOPS (Secrets OPerationS) and age. SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. age is a simple, modern and secure file encryption tool and format, written in Go. SOPS encrypts the values in your files and leaves the key names readable, so the result is safe enough to commit to your Git repos, as long as the age private key that decrypts them never lands in the repo itself!
Video Notes: technotim.live/posts/secret-e...
A HUGE thanks to Datree for sponsoring this video!
Combat misconfigurations. Empower engineers.
www.datree.io
Support me on Patreon: / technotim
Sponsor me on GitHub: github.com/sponsors/timothyst...
Subscribe on Twitch: / technotim
Become a KZbin member: / @technotim
Merch Shop: l.technotim.live/shop
Gear Recommendations: l.technotim.live/gear
Get Help in Our Discord Community: l.technotim.live/discord
2nd channel: / @technotimtalks
(Affiliate links may be included in this description. I may receive a small commission at no cost to you.)
00:00 - Are Private repos safe to commit secrets?
01:02 - What is Mozilla Sops and Age
01:58 - Ad: Datree - Prevent Kubernetes Misconfigurations
03:18 - Getting Started with SOPS
04:26 - Getting Started with Age Encryption
05:32 - Creating an Encryption Key Pair
07:43 - Encrypting and Decrypting YAML (.yml / .yaml)
12:59 - Encrypting and Decrypting Kubernetes Secrets
14:35 - VSCode SOPS Extension
17:05 - Encrypting and Decrypting ENV (dotenv / .env)
19:35 - Encrypting and Decrypting JSON (.json)
20:54 - Encrypting and Decrypting INI (.ini)
22:14 - Encrypting and Decrypting ANY File
24:01 - I Love Encrypting Now That I Know How!
24:39 - Stream Highlight - "105 Days of HomeLab"
Music By Harris Heller
l.technotim.live/sb-music-lic...
Some video clips are licensed under Creative Commons license.
Videos clips are from Yaroslav Shuraev, Mikhail Nilov, Matthew Lee Moore, KoolShooters, Tima Miroshnichenko
Thank you for watching!

Comments: 97
@TechnoTim (1 year ago)
How do you store your secrets?
@canoozie (1 year ago)
Safely. 😉
@squalazzo (1 year ago)
in plain sight! SOPSed on git :D
@notafbihoneypot8487 (1 year ago)
Paper in a vault
@cheebadigga4092 (1 year ago)
private Git repo in my own private GitLab instance, unencrypted xD but if I were to encrypt secrets, I'd use Bitnami's Sealed Secrets I guess
@PeterLunderbye (1 year ago)
Vault
@dudicohen3743 (10 months ago)
A couple of words of advice for further securing your secrets:
1. You need a safeguard mechanism to verify that an unencrypted file is not committed to the repo.
2. VSCode extensions can be a security threat: the marketplace doesn't really validate the extensions and it allows duplicate names for extensions, which allows impersonating a known extension. A scenario could occur where the extension decrypts the secrets and sends them over the net to an attacker.
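The safeguard that point 1 above asks for, and that the description's "safe enough to commit" promise depends on, as an added example (not code from the video or from the SOPS project): a Python pre-commit hook that inspects the staged copy of every secrets file and refuses the commit unless the values carry SOPS's ENC[AES256_GCM,...] envelope and the sops metadata block is present. Everything below is my construction: the path convention (secrets/ or *.enc.json / *.enc.env), the function names, the sample documents and the dummy recipient, ciphertext and MAC strings. The checks mirror SOPS's own unencrypted_suffix and encrypted_regex rules, so a Kubernetes Secret with only data/stringData encrypted passes while a stray plaintext value, or a file with no metadata at all, fails.

```python
"""Pre-commit guard: refuse to commit a secrets file that is not SOPS-encrypted.
Added example, not code from the video or the SOPS project.  Assumed conventions:
secret files live under secrets/ or end in .enc.json/.enc.env (SECRET_PATH_RE); the
layout checked is what SOPS writes: ENC[AES256_GCM,...] values plus a "sops" metadata
block (JSON; BINARY mode also emits JSON) or sops_* keys (dotenv).  YAML/INI need a parser."""
import json
import re
import subprocess
import sys

SECRET_PATH_RE = re.compile(r"(^|/)secrets/|\.enc\.(json|env)$")  # assumption
ENC_VALUE_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$")
KEY_BACKENDS = ("age", "pgp", "kms", "gcp_kms", "azure_kv", "hc_vault")

# Constructed samples shaped like SOPS output; recipient, ciphertext and MAC are dummies,
# not real key material.  The JSON one mimics a Kubernetes Secret done with --encrypted-regex.
SAMPLE_K8S_JSON = """{
  "kind": "Secret", "metadata": {"name": "db"},
  "data": {"password": "ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:aXY=,tag:dGFn,type:str]"},
  "sops": {"age": [{"recipient": "age1dummyrecipient", "enc": "ZHVtbXk="}],
           "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]",
           "encrypted_regex": "^(data|stringData)$", "version": "3.7.3"}
}"""
SAMPLE_ENCRYPTED_ENV = """DB_PASSWORD=ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:aXY=,tag:dGFn,type:str]
sops_age__list_0__map_enc=ZHVtbXk=
sops_age__list_0__map_recipient=age1dummyrecipient
sops_mac=ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.7.3
"""
SAMPLE_PLAINTEXT_ENV = "DB_PASSWORD=hunter2\nDB_HOST_unencrypted=db.internal\n"

def is_encrypted_value(value):
    return isinstance(value, str) and ENC_VALUE_RE.match(value) is not None

def leaves(node, path=()):
    """Yield (key_path, scalar) for every scalar in a JSON-like tree."""
    if isinstance(node, (dict, list)):
        for key, child in (node.items() if isinstance(node, dict) else enumerate(node)):
            yield from leaves(child, path + (str(key),))
    else:
        yield path, node

def must_be_encrypted(path, encrypted_regex, suffix):
    """SOPS rules: keys ending in the suffix stay plain; with encrypted_regex only
    subtrees under a matching key are encrypted; otherwise everything is."""
    if any(key.endswith(suffix) for key in path):
        return False
    return encrypted_regex is None or any(re.search(encrypted_regex, key) for key in path)

def check_json(text):
    """Problems found in a SOPS JSON file; an empty list means it may be committed."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON ({exc})"]
    meta = doc.get("sops") if isinstance(doc, dict) else None
    has_meta = isinstance(meta, dict) and "mac" in meta and any(meta.get(b) for b in KEY_BACKENDS)
    problems = [] if has_meta else ["no sops metadata block: file is not SOPS-encrypted"]
    meta = meta if has_meta else {}
    suffix, enc_re = meta.get("unencrypted_suffix", "_unencrypted"), meta.get("encrypted_regex")
    for path, value in leaves(doc):
        if (path[:1] != ("sops",) and must_be_encrypted(path, enc_re, suffix)
                and not is_encrypted_value(value)):
            problems.append("plaintext value at " + ".".join(path))
    return problems

def check_dotenv(text):
    """Same check for dotenv, where SOPS flattens its metadata into sops_* keys."""
    pairs = dict(line.split("=", 1) for line in text.splitlines()
                 if "=" in line and not line.lstrip().startswith("#"))
    has_backend = any(k.startswith(f"sops_{b}__list_") for k in pairs for b in KEY_BACKENDS)
    problems = [] if "sops_mac" in pairs and has_backend else ["no sops_* metadata: file is not SOPS-encrypted"]
    suffix, enc_re = pairs.get("sops_unencrypted_suffix", "_unencrypted"), pairs.get("sops_encrypted_regex")
    for key, value in pairs.items():
        if not key.startswith("sops_") and must_be_encrypted((key,), enc_re, suffix) and not is_encrypted_value(value):
            problems.append(f"plaintext value at {key}")
    return problems

def check_file(path, text):
    """Dispatch on the file name; files outside the secrets convention are ignored."""
    if not SECRET_PATH_RE.search(path):
        return []
    if path.endswith(".json"):
        return check_json(text)
    if path.endswith(".env"):
        return check_dotenv(text)
    return ["unsupported format for this guard (YAML/INI need a parser)"]

def main():
    """Hook entry point: inspect the staged blob of each file, not the worktree copy."""
    def git(*args):
        return subprocess.run(["git", *args], check=True, capture_output=True, text=True).stdout
    refused = [(name, problem) for name in git("diff", "--cached", "--name-only", "--diff-filter=ACM").splitlines()
               for problem in check_file(name, git("show", ":" + name))]
    for name, problem in refused:
        print(f"REFUSED {name}: {problem}", file=sys.stderr)
    return 1 if refused else 0

if __name__ == "__main__":
    sys.exit(main())
```

Drop it in as .git/hooks/pre-commit (or wire it into a pre-commit framework). It lists staged files with git diff --cached and reads each one with git show :path, so the check sees exactly the bytes that would be committed rather than whatever is in the worktree, which is the usual way a decrypted file slips through. It complements the video's edit loop (decrypt with SOPS_AGE_KEY_FILE set, edit, re-encrypt): if the re-encrypt step is forgotten, the commit is refused. YAML and INI are left out only because the standard library has no YAML parser; with PyYAML or configparser the same leaves() and must_be_encrypted() logic applies.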
@TikariChess (1 year ago)
This couldn't have been timed better. Having worked through a number of your other video walkthroughs, I had built up a codebase I didn't want to risk losing, but knew I couldn't commit yet because of the secrets throughout. I'd set aside this weekend to fix that problem and was looking at SOPS to do so. Thanks for being psychic (and helpful)!
@TechnoTim (1 year ago)
Great to hear! It's really easy once you understand! Hopefully this helps!
@levybuildz (1 year ago)
Thanks for pmo, and will try this out! I've only discovered your channel a little bit ago, but after checking out a lot of your vids, I really want to say I love your content. Concise, technical, and fun (for me at least 😅). It's nice to see content creators I can resonate with.
@mauridocarmo7167 (1 year ago)
I already knew about SOPS but this VSCode extension is awesome
@90DaysOfDevOps (1 year ago)
This is very topical and I will absolutely want to cover this again in the next version of 90DaysOfDevOps
@f.5528 (1 year ago)
I use IntelliJ and there is also a plugin for it. Your video saved me a lot of time, thank you :)
@TimSumpton (1 year ago)
This is a big uplift in security maturity. Brilliant tutorial!
@Spuny4 (11 months ago)
Pity that you don't show the Flux extension, it's not that complicated, maybe in the next video? 😉 Thumbs up for the VSCode extension, works nicely. Btw you can have a SOPS config file in the folder with the public key and regex so that you don't have to type all that in the command; a simple sops -e will do. Thanks for the video, and maybe think about key retention in the next one too, should be an interesting topic to cover.
@ThePC_Geek (1 year ago)
Excellent video!! You could even make all those many commands into either a group of shell scripts or aliases, for simplicity and the ease of not having to go find them for copy/paste when needed... if you chose to use the CLI method over a VSCode extension.
@TechnoTim (1 year ago)
Thanks! For sure! An alias would keep these nice and tidy!
@WHAT-GRINDS-MY-GEARS (1 year ago)
Love your show. It is easier to consume your content when you switch between you full-screen and the code you are demonstrating. The mini you in the video actually is a little distracting. I don't make videos yet, but creator to creator: I write blogs and code. Your videos are nice and complete. Never left hanging to make a big brain moment happen.
@TechnoTim (1 year ago)
Thanks for the feedback!
@benargee (1 year ago)
Perhaps a compromise is to only show the "mini Tim" when he would normally cut to himself and hide the "mini Tim" when the code/etc on screen needs to be seen. Moving from full-screen face to code can be jarring at times.
@koevoet7288 (1 year ago)
Can you do a tutorial on OVS in Proxmox?
@parv8131 (1 year ago)
Can you create a video describing high availability for Home Assistant? Or any other fix if the home server breaks
@Pariah902 (1 year ago)
Why should PGP/GPG be deprecated for file encryption? Awesome video as usual
@es3t (1 year ago)
Oh, you don't know why? They are hard to maintain, generate and so on. Age is simple and faster.
(11 months ago)
@@es3t But that doesn't make PGP deprecated
@hsteckylf (1 month ago)
"If you have one problem and you solve it with regex, now you have two problems." Bwahahah!! Love it. I love regex, but yeah.
@ECOM-EXPLORER (1 year ago)
I understand how it works locally, but when we have to add the secret in Kubernetes, how do we add the .sops.yaml file which has a KMS key to Kubernetes? Is SOPS supported only by Flux or is it supported by Argo as well?
@kriansa (1 year ago)
Why is GPG deprecated? I couldn't find any info regarding that in the SOPS repo
@lfnkf (1 year ago)
Thanks for sharing all the details, exactly what I was looking for. Seems the signageos one is working fine now (official version). You can also create a .sopsrc in your project with some config
@TechnoTim (1 year ago)
Thanks! I've had issues with it lately, need to check out the non-beta!
@PierricDescamps (1 year ago)
Ansible Vault, since I deploy my containers from Ansible.
@comp20B (1 year ago)
Philosophical question. If a complex username matches (is equivalent to) a public key, and a private key matches (is equivalent to) an equivalent complex password, how are these things different? Why is a key pair better?
@ousmanediallo5961 (7 months ago)
Thank you.
@TechnoTim (7 months ago)
You're welcome!
@iamshahleo (1 year ago)
Life saver video
@L3st86 (18 days ago)
It is also a good idea to implement a small CLI that automatically takes your .yaml from the secret, encrypts it and puts it in the desired 'secrets' folder... and let Flux do the magic!
@SpadeQc123 (1 year ago)
Interesting software! I've been using git-secret for a while, time for a change? 🤔
@haxwithaxe (1 year ago)
You mentioned GPG being deprecated. Did you mean with a particular tool or in general?
@fafardh (1 year ago)
@@Darkk6969 This is the first time I'm hearing of this. Can you elaborate on the issue or provide a source for me to read up on this on my own? I'm really curious about this.
@squalazzo (1 year ago)
@TechnoTim Hi, what about a video on Alex Ellis' Arkade? It's a "tool to install tools", like kubectl, helm, flux, and even sops...
@squalazzo (1 year ago)
At work we use asdf for the same things, which has lots more options, but for k8s stuff Arkade is just fine... Why use asdf? For consistency and repeatability: you can get a specific version of a tool, so you don't get version skew between the k8s server version and the kubectl CLI util, for example...
@bladrbrettel6511 (1 year ago)
So for a personal way to encrypt secrets it's great. How would you use it for a team? With PGP I just add the public keys of my team in the tool and encrypt with all the public keys of my team so they can decrypt it (maybe I don't need to, but that's the way they told me to do it... need to do some tests now that I'm thinking about it)
@Timichaud (1 year ago)
hey, that's Jeff on the background TV 😜
@TechnoTim (1 year ago)
Hopefully Jeff doesn't send an invoice for using his material ;)
@Timichaud (1 year ago)
@@TechnoTim 😂😂😂😂😂
@Timichaud (1 year ago)
@@TechnoTim send him a good beer and nothing happened 😂 cheers to both of you! We love you
@n0madfernan257 (1 year ago)
I currently use an encrypted folder in some of my cloud folders. I do hope that the encryption delays the bad guys a little bit
@encryptionforbeginners96 (1 year ago)
It depends on the tool you are using. It also depends on your password.
@es3t (1 year ago)
Wrong at 14:12. When decrypting, it's already looking for the SOPS_AGE_KEY_FILE variable to find the private key, so you don't need to pass it like that: --age $(....)
@jaisalahmadullah9735 (1 year ago)
Can you do this on Unraid?
@farzadmf (1 year ago)
But I guess all these operations depend on the private key being there, so if, say, we want to do it in CI, we need to copy that private key there as well. I wish you had touched on that topic as well
@TechnoTim (1 year ago)
Yeah, you'll have to save the private key in a secret there and run these commands to update the files on disk. If you're using GitOps with Flux, you can have a controller do it for you. Maybe a future video?
@farzadmf (1 year ago)
Nice, looking forward to it 🙂
@b14ckh4wk3 (10 months ago)
I do commit them since I trust my team ))
@sachasmart7139 (1 year ago)
Craft Computing in the background 👏
@jaygreentree4394 (1 year ago)
I refuse to put passwords/recovery info on any device.
@JacobDanielson (1 year ago)
16:10 Octothorpe!
@TechnoTim (1 year ago)
I've heard pound and hashtag but this I have never heard of!
@tabascocrimson7865 (1 year ago)
And again... you publish a video about a topic I started looking at 2 weeks ago...
@TechnoTim (1 year ago)
Hopefully still relevant!
@tabascocrimson7865 (1 year ago)
@@TechnoTim I watched but didn't try yet, maybe it's better. I use ecryptfs for now..
@DrSarez (1 year ago)
Mozilla SOPS seems to be a dying project. They currently have no active maintainer but lots of CVEs :(
@MrRenoNg (10 months ago)
It's been revived by the CNCF!
@DrSarez (10 months ago)
@@MrRenoNg cool, thanks for the information
@user-ty3iy8bk2l (6 months ago)
1st step to privacy and security => Avoid VSCode.
@DavidConnerCodeaholic (1 year ago)
I just keep my secrets in the p-trap
@artembaguinski9683 (1 year ago)
This method doesn't help against a laptop being compromised, since the decryption key is on the laptop.
@TechnoTim (1 year ago)
Agreed, but that can be said about most developer environments :). Hopefully you would have full disk encryption turned on, a strong password for signing in, remote wipe capabilities, and a quick response to reset your key in your cluster :)
@matthiashavrez (1 year ago)
The bottom line of your screen has serious Windows XP vibes
@geoDunkleAura (1 year ago)
So, finally I downloaded the YouTube video, removed a lot of the bass aka "boominess" and am now rendering the video so that I can watch it later via Plex. But I am sure I will enjoy the video in 10 minutes. :D
@Franchyze923 (1 year ago)
First!
@yonggan1380 (1 year ago)
Please show with Flux 😊
@gorgonbert (1 year ago)
Hey... sorry... there's a sound in the background that's rather annoying. It's like a loud ticking from a wall clock. Once I heard it I couldn't unhear it 😵‍💫
@TechnoTim (1 year ago)
That noise you're hearing is called music ;)
@gorgonbert (1 year ago)
@@TechnoTim ok... thanks... it's just... I have this weird thing that noises like that distract me. Sometimes it's so bad that I can't concentrate at all on what's being said. Like in a meeting when there's a noisy clock on the wall, I have to take it out of the room... I guess it's a weird neurodivergent thing of sorts... like Asperger's or something, don't really know...
@TechnoTim (1 year ago)
All good! Thank you for the feedback! If one person says something, that usually means 100 others thought the same thing but didn't say anything! You can hear it better with headphones, but anyway, thank you for saying something!
@viallymboma9874 (1 year ago)
the Jonny Depth of technology... 😎😎
@wmchristie (1 year ago)
...barely an inconvenience.
@Im_Ninooo (1 year ago)
no, sorry, I REFUSE to call age "aghe".
@ejbully (1 year ago)
Something happened to OpenPGP? Edit: it's cool and understandable why it's needed. But if OpenPGP ain't broken, not going to replace it at all 🤨 Edit: it's just an awk rewrite... 🙄🙄 Gotta admit that's fly
@ejbully (1 year ago)
This is so going to be misused... New ransomware for sure
@kronst (1 year ago)
This tool looks pretty cool. But if we're talking about encrypting Kubernetes secrets, I prefer to use SealedSecrets. For me it's easier to use than SOPS 🤷‍♂ Anyway, thanks for your videos, Tim!
@TechnoTim (1 year ago)
Another great option! Hopefully this makes understanding SOPS easier! I like how portable it is, not just for Kubernetes.
@JobStoit (1 year ago)
I use bitnami-labs/sealed-secrets, it's simple and easy to use by simply piping your .yaml files or creating a secret with a dry-run and outputting YAML into it.
@LinusLin880 (1 year ago)
I'm storing my secrets with Ansible Vault.