Securing DevOps Show & Tell: Mozilla Sops

Views: 58,760

Securing DevOps

A day ago

This episode is an introduction to Mozilla Sops (github.com/moz..., the secrets management tool used by the Firefox Operations teams to handle infrastructure credentials.
Sops was created in 2015 and has grown into a widely used tool both inside and outside Mozilla. We walk through the initial setup using PGP, discuss the internal structure of Sops encrypted files and why they play well with git, explain how to use AWS KMS and GCP KMS, and finally show how to automate creation rules in a config file.
01:47 A bit of history
03:33 Using Sops with PGP
04:57 Internal structure of Sops encrypted files
07:05 Meaningful git diff
10:03 The bootstrapping of trust
12:54 Usage with AWS KMS
16:40 Usage with GCP KMS
19:34 Automating creation rules with .sops.yaml
25:17 Some closing thoughts
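A `.sops.yaml` creation-rules file of the kind the last segment covers, added here as an illustration rather than taken from the video or the sops project; the KMS key ARN, the GCP key resource path and the PGP fingerprint are placeholders, and the path layout is assumed.

```yaml
# .sops.yaml at the repository root (illustrative example; key identifiers are placeholders).
# sops reads the rules top to bottom and applies the first path_regex that matches the
# file being created, so no key flags are needed on the command line for matching files.
creation_rules:
  # Production secrets: the data key is encrypted to AWS KMS and GCP KMS (two independent
  # clouds) plus a PGP key kept offline as a last-resort backup.
  - path_regex: secrets/prod/.*\.yaml$
    kms: arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER-KEY-ID
    gcp_kms: projects/PLACEHOLDER-PROJECT/locations/global/keyRings/sops/cryptoKeys/prod
    pgp: PLACEHOLDER0000000000000000000000000000FP

  # Kubernetes Secret manifests: only the data/stringData fields are encrypted, so kind,
  # metadata and labels stay readable in git diff and in code review.
  - path_regex: k8s/.*\.secret\.yaml$
    encrypted_regex: '^(data|stringData)$'
    kms: arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER-KEY-ID

  # Developer scratch secrets: PGP only, with no cloud dependency.
  - path_regex: secrets/dev/.*
    pgp: PLACEHOLDER0000000000000000000000000000FP
```

Files that match none of the rules get no keys from this file, so sops has to be told which keys to use on the command line for them.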

Comments: 23
@VikingMan44 2 years ago
Very useful. My architect is asking me to create the secrets for my application. He told me to use a tool called sops. Thank you for helping me understand what it is for and how it works.
@patricknelson 4 years ago
This really is an excellent introduction! Thanks for “taking the edge off” to make it so much more approachable. I’m considering it for Kubernetes, so the article from Frederic Hemberger was super helpful too; I’m glad you ended with that. 😊
@MehdiHacks 5 years ago
At 08:59 you say "Message Access Control" for MAC. Isn't it "Message authentication code", or am I missing something here?
@code_flair A month ago
Very insightful video tutorial for handling secrets 👏
@VasyChristmas 3 months ago
Very useful guide. Can sops encrypt .env file values? Case: my containers work with environment variables, I need to encrypt them in a .env file and pass them to the container in decrypted state when the container initializes.
@lkr_master A year ago
Do you have more videos planned for SOPS?
@lgrullon854 3 months ago
This is a very useful explanation video, thank you.
@tainoroyal6585 5 years ago
Thanks for taking the time to explain this
@theoliverbarnes 5 years ago
I think this might be the blog post that 404s on the video: frederic-hemberger.de/articles/manage-kubernetes-secrets-with-sops/
@nicolasafonso8916 5 years ago
Quite a good introductory video.
@alex.khalilov A year ago
Thank you, such a cool explanation.
@eliascoleiii5173 3 years ago
Very accessible, thank you!
@joemalone8685 2 years ago
Could you clarify where the foo:bar actually comes into play in the process? Specifically, what role does foo play?
@TheMattSturgeon A year ago
foo, bar and baz are conventional example names used in software. In his example "foo" was a "key", aka the name of some item, while "bar" was the item to be encrypted.
@lokeshjain3425 5 years ago
Great video. I have one query though. How do I make my PGP key available for SOPS encryption/decryption every time I build my docker image? I can't include it in the Dockerfile or as part of ENV variables. That defeats the whole purpose. Where do I store my PGP keys?
@okjacob 5 years ago
Docker has a new flag called `secrets`: github.com/moby/moby/issues/13490 medium.com/@tonistiigi/build-secrets-and-ssh-forwarding-in-docker-18-09-ae8161d066
@salembeats 2 years ago
The PGP method is intended for simple personal use on your own machine, or for last-ditch backup. It’s not really intended for more involved scenarios with VMs, CI, and so on. There may be a good direct answer to your immediate question, but I think the better answer to the more general question is: Use a method other than PGP as your primary intended method.
@diegolagosmorales2536 3 years ago
Thanks so much, fantastic tutorial.
@michalbigos791 4 years ago
Very useful, great stuff
@DungTran-lm2nx 5 years ago
Thanks for not being on full screen all the time.
@mifowu6647 6 months ago
You're a legend
@RenannPrado 4 years ago
Awesome!
@bjo004 4 years ago
Great video. Please show an Azure Demo.