GPG and sops by mozilla
Create .sops.yaml. More info: https://github.com/mozilla/sops#using-sops-yaml-conf-to-select-kms-pgp-for-new-files

sops applies the first creation rule whose `path_regex` matches the path of the new file; the `pgp` value is a comma-separated list of fingerprints that get access.

```yaml
creation_rules:
  - path_regex: .*\.secrets\.yaml$
    # list keys (PGP fingerprints) that get access to matching files
    pgp: >-
      112233112233112233112233112233112233,
      ...
```
```bash
# for a specific file: add or remove a PGP key (-r rotates the data key, -i edits in place)
sops -r -i --add-pgp NEWNEW123123NEWNEW my.interested.yaml.file
sops -r -i --rm-pgp NEWNEW123123NEWNEW my.interested.yaml.file
# re-sync a file's keys with the pgp keys specified in .sops.yaml
sops updatekeys <enc file>
```
TODO:
- sops exec-env: example commands
- sops exec-file: example commands
- sops --extract
In CI (github actions)

```bash
# mask every secret value before it can show up in logs
# (a single-quoted '::add-mask::$(...)' would not expand the command substitution,
# so the literal text would be echoed and nothing would be masked)
sops exec-file .secrets.sops 'cut -d = -f 2- {}' | while IFS= read -r value; do
  echo "::add-mask::$value"
done
# then export the decrypted KEY=VALUE lines into the job environment
sops exec-file .secrets.sops "cat {} >> $GITHUB_ENV"
```
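The masking step above, as an added example that is not part of the original notes: a small POSIX sh function that reads the decrypted `KEY=VALUE` lines, emits one `::add-mask::` workflow command per value (values may themselves contain `=`, blank lines and `#` comments are skipped) and appends each line to a `GITHUB_ENV`-style file. The sample secrets file is constructed here; in a real job the input would come from `sops exec-file .secrets.sops 'cat {}' | register_secrets "$GITHUB_ENV"`. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): register decrypted secrets with
# GitHub Actions so they are redacted from logs, then export them.

# Read KEY=VALUE lines on stdin. For each value print a ::add-mask:: workflow
# command, then append the whole line to the env file given as $1.
# Blank lines and '#' comments are skipped; lines without '=' are reported and skipped.
register_secrets() {
  envfile=$1
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    case $line in
      *=*) ;;
      *) printf 'skipping malformed line: %s\n' "$line" >&2; continue ;;
    esac
    value=${line#*=}                  # same as `cut -d = -f 2-`: keeps any '=' inside the value
    printf '::add-mask::%s\n' "$value" # must precede any step that could print the value
    printf '%s\n' "$line" >> "$envfile"
  done
}

# Constructed sample standing in for the decrypted content of .secrets.sops.
sample_secrets() {
  printf 'DB_PASSWORD=s3cr3t\n# comment\n\nAPI_TOKEN=abc=def\n'
}

# Demo run against a temporary file instead of $GITHUB_ENV.
demo_env=$(mktemp)
sample_secrets | register_secrets "$demo_env"
echo "--- contents written to $demo_env ---"
cat "$demo_env"
rm -f "$demo_env"
```

Masks are registered before the lines reach `GITHUB_ENV`, so a later `echo "$DB_PASSWORD"` in the job prints `***` instead of the value.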
encrypt for the specified gpg keys (comma-separated fingerprints)

```bash
sops --pgp 123123123,\
098098098 \
  -e my.secrets > my.enc.secrets
```

decrypt a file and output the result to stdout

```bash
sops -d my.enc.secrets
```
Before

```bash
# add to ~/.zshrc or ~/.bash_profile
export GPG_TTY=$(tty)

gpg --full-gen-key
# Kind of key: 4 (RSA, sign only)
# Keysize: 4096
# Expiration: ?
# Real name: <your name>
# Email address: <your email>

# test yourself
echo 'it works' | gpg --clearsign
```

Note: option 4 creates a sign-only key, and sops needs a key that can encrypt. Either choose option 1 (RSA and RSA) instead, or enable the encrypt usage afterwards as shown in the "Unusable public key" troubleshooting at the end of these notes.
Exporting/importing keys (the encryption key is provided to a third party)

```bash
# list secret keys
# gpg -K
gpg --export -a "$EMAIL" > public.key
gpg --export-secret-key -a "$EMAIL" > private.key
gpg --import public.key
# --allow-secret-key-import is an obsolete no-op in GnuPG 2; a plain --import works too
gpg --allow-secret-key-import --import private.key

# export a full backup (keeps the key metadata that a plain export drops)
gpg -o private.backup.gpg --armor --export-options backup --export-secret-keys <email>
# import that backup
gpg --import-options restore --import private.backup.gpg

# trust the keys
gpg --edit-key <email>
# gpg> trust
# Type 5 (ultimate trust)
# Confirm
# gpg> quit
```
If encrypting (`sops -e source.file > out.file`) fails with an error like

```text
[PGP] WARN[0000] Deprecation Warning: GPG key fetching from a keyserver within sops will be removed in a future version of sops. See https://github.com/mozilla/sops/issues/727 for more information.
Could not generate data key: [failed to encrypt new data key with master key "112233112233112233112233": could not encrypt data key with PGP key: github.com/ProtonMail/go-crypto/openpgp error: key with fingerprint 112233112233112233112233 is not available in keyring and could not be retrieved from keyserver; GPG binary error: gpg binary failed with error: exit status 2, gpg: 112233112233112233112233: пропущено: Unusable public key
gpg: [stdin]: encryption failed: Unusable public key
```

the key exists but cannot encrypt: it was generated as sign-only (option 4 above), so `gpg -K` shows only `[SC]` (sign, certify) and no `E` capability:

```text
$ gpg -K
path/to.kbx
------------------------------
sec   rsa4096 2023-01-04 [SC] [ годен до: 2025-01-03]
      112233112233112233112233
uid        [ абсолютно ] username <email>
```

Enable the encrypt usage on the key:

```bash
gpg --edit-key 112233112233112233112233
# gpg> change-usage
# enable enc
# 0
# type secret phrase
# ctrl+D
```
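Two helpers covering the key-generation section and the "Unusable public key" troubleshooting above, as an added example that is not part of the original notes. `write_keygen_params` writes a gpg unattended-generation parameter file (the format documented in the GnuPG manual) requesting an RSA 4096 key with both sign and encrypt usage, so the key works with sops from the start instead of needing `change-usage` later. `key_can_encrypt` checks `gpg --with-colons` output for an encryption-capable key: field 12 lists capabilities, and an uppercase `E` there means the key as a whole (primary plus subkeys) can encrypt, whereas a sign-only key shows `scSC`. Function names, the `RUN_KEYGEN` guard and the name/e-mail/expiry values are this example's own constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): generate a sops-usable key
# non-interactively and verify that a key can encrypt before pointing sops at it.

# Write a gpg batch parameter file ("Unattended key generation" in the gpg manual).
# $1 = output path, $2 = real name, $3 = e-mail.
# No Passphrase line: gpg asks for one through pinentry when the key is created.
write_keygen_params() {
  cat > "$1" <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 2y
%commit
EOF
}

# Exit 0 if the gpg --with-colons records on stdin describe a key whose overall
# capabilities include encryption. Field 12 holds the capability letters; an
# uppercase E means the whole key can encrypt. A sign-only key shows e.g. "scSC".
key_can_encrypt() {
  awk -F: '($1 == "pub" || $1 == "sec") && index($12, "E") > 0 { found = 1 }
           END { exit found ? 0 : 1 }'
}

# Only talk to a real gpg when it is installed and explicitly requested
# (RUN_KEYGEN=1); the helpers above work without it.
if command -v gpg >/dev/null 2>&1 && [ "${RUN_KEYGEN:-0}" = 1 ]; then
  params=$(mktemp)
  write_keygen_params "$params" "Example User" "user@example.com"   # constructed values
  gpg --batch --gen-key "$params"
  rm -f "$params"
  if gpg --list-secret-keys --with-colons user@example.com | key_can_encrypt; then
    echo "key can encrypt: usable for sops --pgp"
  else
    echo "key is sign-only: use change-usage in gpg --edit-key or regenerate it" >&2
  fi
fi
```

Run `gpg --list-secret-keys --with-colons <email> | key_can_encrypt && echo ok` against an existing key to confirm the `[SC]`-only problem from the troubleshooting section before (or after) fixing it.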