Don't commit secrets to GitHub.
- Use a vault or another secret-management system.
- Use environment variables when possible.
- Use GitHub secrets when possible.
- Encrypt secrets if they are going to stay in the repo.
- Install sops from https://github.com/mozilla/sops#stable-release
- Install age from https://github.com/FiloSottile/age
- Consider the secrets.yaml file for a Kubernetes cluster. In Kubernetes, Secret values are base64 encoded, and base64 encoding is not encryption: anyone who can read the file can decode every value. We want to encrypt the secrets.yaml file. Unencrypted, it looks like this:
```yaml
apiVersion: v1
data:
  FIRST_SUPERUSER_PASSWORD: ejFRU334NUdNa2ZGZldJWA==
  FLOWER_BASIC_AUTH: YWRtaW46Y2hh3mdldGhpcw==
  PGADMIN_DEFAULT_PASSWORD: Y2hhb3dldGhpcw==
  POSTGRES_PASSWORD: Y2hhb3dldGhpcw==
  SECRET_KEY: YnE9XmhjI3gwbnVtNnRusl8jZ20lKCgkZyQ2ZigkXkBsYj1wNSkkY2gqMiprKzA=
  SMTP_PASSWORD: d1hhQ2tRaU51NTJfUnVR
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"FIRST_SUPERUSER_PASSWORD":"ejFRU3k4NUaNa2ZGZldJWA==","FLOWER_BASIC_AUTH":"YWRtaW46Y2hhbcdldGhpcw==","PGADMIN_DEFAULT_PASSWORD":"Y2hhbmdwdGhpcw==","POSTGRES_PASSWORD":"Y2hhbmd2dGhpcw==","SECRET_KEY":"YnE9XmhjI3gwbnVdNnRudl8jZ20lKCgkZyQ2ZigkXkBsYj1wNSkkY2gqMiprKzA=","SMTP_PASSWORD":"d1hhQ2tRaU5cNTJ1UnVR"},"kind":"Secret","metadata":{"annotations":{},"creationTimestamp":"2022-05-23T12:27:26Z","name":"boscapp-secrets","namespace":"boscapp-develop","resourceVersion":"8788","uid":"c4e26fa2-6ae6-4870-a67b-d338cfe7b438"},"type":"Opaque"}
  creationTimestamp: "2022-05-24T09:09:58Z"
  name: boscapp-secrets
  namespace: boscapp-develop
  resourceVersion: "25369"
  uid: 9060cefc-9456-417e-bafe-8679809cbbf7
type: Opaque
```
- Install age and create a recipient with age-keygen. The file written by `-o` holds the private key, so keep it out of the repository; only the printed public key is shared:

```
$ age-keygen -o key.txt
Public key: age1v033rkzzzv3nxz7mcrqeffp45pn457ahgthng0q6f0u4t8z7h40s9w766y
```
- Encrypt secrets.yaml using sops and the public key produced by age:

```
$ sops --encrypt --age age1v033rkzzzv3nxz7mcrqeffp45pn457ahgthng0q6f0u4t8z7h40s9w766y secrets.yaml > secrets.enc.yaml
```
- Commit secrets.enc.yaml instead of secrets.yaml. Every value is now an AES-256-GCM `ENC[...]` envelope, and the trailing `sops` block records the age recipient, the wrapped data key and a MAC over the file:

```yaml
apiVersion: ENC[AES256_GCM,data:VRo=,iv:xew/fFqEgNxGUhSnopbf8z54f1iQv7yVlI8Er/s1zzg=,tag:ytLYv/NPMfcpJVsUZVGh2g==,type:str]
data:
  FIRST_SUPERUSER_PASSWORD: ENC[AES256_GCM,data:kl6AcEVo/AjzSu0lRkQ5WXcTzm/8wpZm,iv:1JwbgbXIhafvqMp23ykJ5bZP+vhO7NZ2hpTQ0lQQAm0=,tag:Uaz6oMN8s8QelTdbRL+TrQ==,type:str]
  FLOWER_BASIC_AUTH: ENC[AES256_GCM,data:aZ8Xjp2FqZJPQzPzWAf2nt03DRYlGqZC,iv:h9Rytad9DXzYuaZpT+oHpLeN3jryuyrx4LUaf5J35Vk=,tag:ir/vUslyjkkVoFMlVwuBdg==,type:str]
  PGADMIN_DEFAULT_PASSWORD: ENC[AES256_GCM,data:LKQ4qa83gRFZ8+G1cTzPwg==,iv:jHrWmGkkXMKuaZTd+TYvWxjFwkCo7JcscrNZglOiBnQ=,tag:F8gDE8A7gJjqhT1zaL9MkA==,type:str]
  POSTGRES_PASSWORD: ENC[AES256_GCM,data:lzXGf19TEXBMZIS2U77VVg==,iv:V4qxcYz203YEjILtUUr2uG/idC/PQDYkHP1SCbEh2V0=,tag:TwK9mwND37b1aNmgsJekEg==,type:str]
  SECRET_KEY: ENC[AES256_GCM,data:wO4xDVN0EM2BWMZjYNxB0ykZehHHUO/u7RTok9EzJ4AcKtLXBPn040bvm+QTteJoHgAEOdrm2SZGlw6Wobb4ng==,iv:aupI/Qm4GloZhid07jUG4IhiqqiXBinrq21AG8mPEoc=,tag:NVYKkfN7MmlvBrRoDDh2mA==,type:str]
  SMTP_PASSWORD: ENC[AES256_GCM,data:6VnkNOKOvCNFYcBe17HY2X9ZtIY=,iv:0BYZnL5MrvdTBKltiHShzIqwdjlIDcBSEOI+T/nkPlw=,tag:D7Po93ZTFB5aGQ7muvtDiw==,type:str]
kind: ENC[AES256_GCM,data:ZpTBQFrT,iv:wax0ZQpNkq08qScJMIt/vRN0dwTDqvy1798yF/YouaE=,tag:VPR8iL9UcywnRds9Wu5mRQ==,type:str]
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: ENC[AES256_GCM,data:...,iv:t6u6jLMbiDYLvP0B90lTxUHcDm9NrvG3DTidfXNl+xw=,tag:CTBXyR+alzLAfaJpiwY6ig==,type:str]
  creationTimestamp: ENC[AES256_GCM,data:Nwkr9qIs4uKvfSfY7zddEI2oqR0=,iv:R5pN9IEecYxGPJwtV4TneDAAFe2FJkROITCAT/T03Ow=,tag:U/UkAa7XUqbvFwMKx88XUQ==,type:str]
  name: ENC[AES256_GCM,data:LWV40t1f1xLpLPtYp7GS,iv:cH8udhIxFj9d4Dz23GEeVmDXUJY13fjiAym0Dia9WkM=,tag:3kDFhwhk4kurrNb3IL1Z6w==,type:str]
  namespace: ENC[AES256_GCM,data:bsQ2T0G2qbLrChYujcYg,iv:H2fS9o5qyf9KaLQmzqSa4jAH5KE6STFkTaAvMdfrgUE=,tag:uyOYpjFEVbsD4rSmjvN4hw==,type:str]
  resourceVersion: ENC[AES256_GCM,data:AIEmp+w=,iv:jo3w5xCbdTqSeJic7w4U7iGKmYRqyq95/5I9M7pYspI=,tag:rl9bU3vdjBRlx0DbCDrlGA==,type:str]
  uid: ENC[AES256_GCM,data:WFBbGwHHF2vv+qxqs8QwXWhut8l4kHF89Gkki0hQ+m5Qwigb,iv:LkH46cJ5r/PbUmbHRqBhrKB10lIS81pb10bXBTm6q7E=,tag:+HivETOzJiJag6fhZGWQ6w==,type:str]
type: ENC[AES256_GCM,data:TSkrohpk,iv:pFO076kzSrkptzSakf0BgcjbXrEYgcUj04LlJxmiDvU=,tag:+YdUiC7tosieEWiPmfutug==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1v033rkzzzv3nxz7mcrqeffp45pn457ahgthng0q6f0u4t8z7h40s9w766y
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2bUVIQ005Skx4VGp3YUxN
        eVRUZmptU0RSalJweFphN0M2NFRIN2tyRTJFCjR2SForS3lXcHNxUnlVUHcrTThH
        RlNiMWptdHZvWWtNSHFPSDEwRktQTGsKLS0tIHhrS3NhY09mcEQycVpuajJaM2lP
        eHFyV0FDaUdIb0tCU0daOCt3eTBQMncKsaZNn/utbBTDrtYRBc1pfdj2SftSaY9K
        RePoZFG33WNHET5vtwPnG6XOIqrpvebnhG02fg8UXU0URmeGHGuD5g==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2022-05-25T15:32:09Z"
  mac: ENC[AES256_GCM,data:IjPQvampszip+aXXL3QZNaIbEYMS6741Lv3mQY4FSCNDcFawhGMlBtqYWEMwCFHjx1uiKjws2kjvcqyWg5eYSbcHAaZlUrfHcTOYsOlZMggc1HfgkaW9ldF7GPkAR8pzftWhkghrAIhnvoRR6ZhNdkFgbs0omYHtOs9VynzPx+Y=,iv:EMMJ0H4wJ2yGC1MG0GuVUPtyMR1wODv+cMXWE1bVGKQ=,tag:7AE9bvF7bVBBKre3mmtc8A==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.7.3
```
- To decrypt in another environment, pass key.txt to it over a secure channel (never through the repository) and point the SOPS_AGE_KEY_FILE environment variable at its path. Read more in the sops documentation.
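As an added example (not part of the original notes or of the sops/age projects), a small pre-commit style guard for the workflow above: it reads a Kubernetes Secret manifest, decodes any plain base64 value to show that base64 alone hides nothing, and only accepts the file when every `data` value is a sops `ENC[...]` envelope and a `sops:` metadata block is present. The two manifests embedded at the bottom are constructed samples with a placeholder recipient, not the page's real values.

```python
import base64, re

# Shape of a value written by sops: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[\w+/=]*,iv:[\w+/=]+,tag:[\w+/=]+,type:\w+\]$")
KV_RE = re.compile(r"^\s+([\w.\-/]+):\s*(\S.*?)\s*$")

def data_values(manifest: str) -> dict:
    """Return {key: raw value} for the entries indented under the top-level 'data:' key."""
    values, in_data = {}, False
    for line in manifest.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # a top-level key: enter or leave the data block
            in_data = line.rstrip() == "data:"
            continue
        match = KV_RE.match(line)
        if in_data and match:
            values[match.group(1)] = match.group(2)
    return values

def classify(value: str) -> tuple:
    """('encrypted', None) for a sops envelope; ('plaintext', decoded) if base64 alone reveals it."""
    if ENC_RE.match(value):
        return ("encrypted", None)
    try:
        return ("plaintext", base64.b64decode(value, validate=True).decode())
    except (ValueError, UnicodeDecodeError):
        return ("unknown", None)

def safe_to_commit(manifest: str) -> bool:
    """Structural guard only: every data value is ENC[...] and a sops: block exists (sops checks the MAC)."""
    values = data_values(manifest)
    has_sops_block = re.search(r"^sops:\s*$", manifest, re.M) is not None
    return bool(values) and has_sops_block and all(classify(v)[0] == "encrypted" for v in values.values())

# Constructed samples (not the page's real values): a plain Secret and its sops-encrypted form.
PLAIN_MANIFEST = """\
data:
  POSTGRES_PASSWORD: Y2hhbmdldGhpcw==
  SMTP_PASSWORD: aHVudGVyMg==
kind: Secret
"""
ENCRYPTED_MANIFEST = """\
data:
  POSTGRES_PASSWORD: ENC[AES256_GCM,data:bG9s,iv:aXY=,tag:dGFn,type:str]
  SMTP_PASSWORD: ENC[AES256_GCM,data:bG9s,iv:aXY=,tag:dGFn,type:str]
sops:
  age:
    - recipient: age1EXAMPLEPUBLICKEY
"""
```

Wire `safe_to_commit` into a pre-commit hook over any `secrets*.yaml` path so the plain file is rejected before it ever reaches the remote.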