search

getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0
17.1k stars 879 forks source link

Encrypting Files in Place via a Go API #1094

Open ChrisJBurns opened 2 years ago

ChrisJBurns commented 2 years ago

Currently, as far as I'm aware there is no way of encrypting a file in-place using SOPS via Golang.

I'm essentially looking for an API to be exposed that does the equivalent of the following command: sops -age=age1ykphy2fuc0rmtewtpml69670s9dydkneum384tsj6z480lljmvqqx4kj8u --encrypt --encrypted-regex '^(data|stringData)$' --in-place secrets.yaml

The above command edits a secrets.yaml file in place which after encryption will contain the following:

apiVersion: v1
kind: Secret
metadata:
    name: keys-keys
    namespace: flux-system
type: kubernetes.io/tls
data:
    tls.crt: ENC[AES256_GCM,data:KGPw+zpAKHDA+Yh44pNhLexMgvY5HYXIx0mteQiz3JapMlfB9Cc2iDx47gnrLrAFJoE2s2OPza8S3RhlOP4Cv23KFhp1T4n7Dd0vIf83zWQmP5Hau4oM8AX8+B280ysl5HXFKx6w+PwNTwHE+xp7ssHvuW3NCBbNIg/re/1axQaShENxsWv+g0ivJuyAr4hag3O+rW2TP0ZG5Djc6KkTdUc6qd6JBE3QLzzfCXA+kb+bAnSxHr74hYIBeXprlFPCFJbmxsAetg/oczW6a8fU73FTAjGwBFaGw5o+Q+q+dWawLA0MKYGeUqejQTGghwVAgux1mCrUGjDBd6VMh+S2Ss593UBVjAjP22HnTA/oFJUlawkfEdseBUCw2vAeki4qfpTBeAQRJfHpWZzEcafPuHLM3xIXDiEanOiE1482FP8qmqZ7bp3jX3aK9KfFo677+ychmg==,iv:oZaz5X5TxgDWrN4g9j1WW2k4NJ+5YfUeqFIUkThsnuM=,tag:YvBR12Gsh9C6GFClOn8xqw==,type:str]
    tls.key: ENC[AES256_GCM,data:QiZRPx6eUpDSpgG4zNvEzWiFfAm+FeOZmNu4gcEHjnXdB0Pa9fNo+ZKhq0XDff2nYODDlQT3I4Cl+peDCUeBqJcAReRINupc7IA2DQRU7qkQfu42ZQbcrEQ/eqGBDRIHNrhDthc1Sg8uHPqJsSmPIiwpiD2FHh4tPxDUAbqupYin6O+FLR9LgdF5anWmRqO6z5JGQ3T+suH9JJ4/CfzmkIXS85s43XkRS39uM9r+bKBhgLxWHCxiUsZLnq4JAgOl/87cvrtMb1MrCvuGi9kWsGi30GgYTbfKub0ylb+hb0FbUWsRwSy1HuCaEMLw2vj9KYqMsrTGe7ECso9O4wAinErandI1nT4L6FVb6MaWe1t9vghqqfa46/wSxEpBKH+gE3uBu1KR7g4a2868ziOgpwjq3ETcLco/w3czrfCPbKULEDR3Vg6qa0kEdfhlaGa0XK0xT9kHbq6BGa60RqXEUOdNyOGRWE4Zi1lT71WWnCunNNLlp6dU3JKIiKO3kdlfC3j/Rzvn71HwMItv+rcNShW/ajeIuJpxHd7DI7/XZpkhrhktodTLeLvgDV7dHJC05ZNzb39g5moOkVavMERlMb6RAs/UQGY96wSvsV6SYPbuBJYMnnoVuYvPtsDisrLyQaEq2zSL03l9xwKhxCTWhg==,iv:ENjiDPZ7Myv1c/y4vPh2Lu/FEUqXoS5iCO4LUkHxqt4=,tag:OLMlo++6cvkqCNWxMvIzoQ==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1ykphy2fuc0rmtewtpml69670s9dydkneum384tsj6z480lljmvqqx4kj8u
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Y3d5OXpWa0l5MWlvTzNp
            TkZsemFqa0d6QWxqLzk4R3lFZ00xNG5GOHdRCmg4cEVKaVBXaWYvMVpFcVRiMWRW
            bWJhYWZDWmZsNmJQd1gwdllMRUhoNlEKLS0tIFlRZ0ZQR3dxeTFsekhMSlIvOFdY
            WDZrZG9pWUZibFVmczFIMDhlYkhsUFEKDq0+SemlbsxqbXlph15Z2DmEn8s6C+y6
            l6xRX1nBzY0nE7KF8dLfJmPLv8PgdIZbumOmR6ZJzys/thfoxQ4lmA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-07-23T21:31:04Z"
    mac: ENC[AES256_GCM,data:SVf2CZIThnbuVboT/HZWBcVkaAJePOcyFM3nJGW62CtAkVtnBVjAUelYrCXjOgkaKHrx5lY1ozBy+0Ybo1MohkIBQlNgiA8nq5vQ4eh60k7m1MFZsUBBRJJCCNdOY96UYTM8W3HmZxBRjhaAd4pfWUQfTA3YQG+JZehS+o785PY=,iv:LNTs0DiuByuDhmZwIAVVXzit2trzJErOcmq5CYme8yU=,tag:YORiRZ+EyVMe3BJTqdYN9Q==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.1

Is it possible for something like this to be exposed via an API?

Something like the following (although I may be way off with the internals of how some of the methods work, but I hope it paints a good picture of what I'm looking for)

identity, err := age.GenerateX25519Identity()
if err != nil {
fmt.Println(err)
return
}

pubAgeKey := identity.Recipient().String()

fileContent, _ := ioutil.ReadFile("secrets.yaml")
branches, _ := (&yaml.Store{}).LoadPlainFile(fileContent)
tree := sops.Tree{Branches: branches}

tree.Metadata.EncryptedRegex = "^(data|stringData)$"
tree.Metadata.InPlace = true
r, err := tree.Encrypt(pubAgeKey, aes.NewCipher())
if err != nil {
panic(err)
}
saadansari93 commented 2 years ago

Hi, even am looking for a way to programmatically do all the stuff that can be done via sops cli. Do we have any references for golang examples which showcase this ability?

Thanks

ChrisJBurns commented 1 year ago

I'm not entirely positive that there is a way of programmatically doing the same in Go as a sops -e -i file.yaml without actually using the sops binary itself and calling it in the Go code.

0xinterface commented 9 months ago

after some digging through the source, this is an example to perform encryption in place using go, hope it helps whoever come across this in the future

main.go


import (
    "fmt"

    "filippo.io/age"
    "github.com/getsops/sops/v3"
    "github.com/getsops/sops/v3/aes"
    keysource "github.com/getsops/sops/v3/age"
    "github.com/getsops/sops/v3/cmd/sops/common"
    "github.com/getsops/sops/v3/keys"
    "github.com/getsops/sops/v3/keyservice"
    "github.com/getsops/sops/v3/stores/json"
)

func main() {
    identity, err := age.GenerateX25519Identity()
    if err != nil {
        panic(err)
    }
    fmt.Println(identity.String())
    fmt.Println(identity.Recipient().String())
    if err != nil {
        panic(err)
    }
    store := json.Store{}
    branches, err := store.LoadPlainFile([]byte(`{"foo": "bar"}`))
    if err != nil {
        panic(err)
    }
    fmt.Println(branches)
    masterKey, err := keysource.MasterKeyFromRecipient(identity.Recipient().String())
    if err != nil {
        panic(err)
    }
    tree := sops.Tree{
        Branches: branches,
        Metadata: sops.Metadata{
            KeyGroups: []sops.KeyGroup{
                []keys.MasterKey{masterKey},
            },
            UnencryptedSuffix: "_unencrypted",
        },
    }

    dataKey, errs := tree.GenerateDataKeyWithKeyServices(
        []keyservice.KeyServiceClient{keyservice.NewLocalClient()},
    )
    if errs != nil {
        panic(errs)
    }
    common.EncryptTree(common.EncryptTreeOpts{
        DataKey: dataKey,
        Tree:    &tree,
        Cipher:  aes.NewCipher(),
    })
    result, err := store.EmitEncryptedFile(tree)
    if err != nil {
        panic(err)
    }
    fmt.Print(string(result))
}
rgarcia commented 3 months ago

If anyone is looking for a programmatic decrypt, here's an extended example. Would love a better way besides setting an env variable with the private key...

package main

import (
    "fmt"
    "os"

    "filippo.io/age"
    "github.com/getsops/sops/v3"
    "github.com/getsops/sops/v3/aes"
    keysource "github.com/getsops/sops/v3/age"
    "github.com/getsops/sops/v3/cmd/sops/common"
    "github.com/getsops/sops/v3/keys"
    "github.com/getsops/sops/v3/keyservice"
    sopsjson "github.com/getsops/sops/v3/stores/json"
)

func main() {
    identity, err := age.GenerateX25519Identity()
    if err != nil {
        panic(err)
    }
    fmt.Println(identity.String())
    fmt.Println(identity.Recipient().String())
    store := sopsjson.Store{}
    branches, err := store.LoadPlainFile([]byte(`{"foo": "bar"}`))
    if err != nil {
        panic(err)
    }
    fmt.Println(branches)
    masterKey, err := keysource.MasterKeyFromRecipient(identity.Recipient().String())
    if err != nil {
        panic(err)
    }
    tree := sops.Tree{
        Branches: branches,
        Metadata: sops.Metadata{
            KeyGroups: []sops.KeyGroup{
                []keys.MasterKey{masterKey},
            },
            UnencryptedSuffix: "_unencrypted",
        },
    }

    dataKey, errs := tree.GenerateDataKeyWithKeyServices(
        []keyservice.KeyServiceClient{keyservice.NewLocalClient()},
    )
    if errs != nil {
        panic(errs)
    }
    common.EncryptTree(common.EncryptTreeOpts{
        DataKey: dataKey,
        Tree:    &tree,
        Cipher:  aes.NewCipher(),
    })
    result, err := store.EmitEncryptedFile(tree)
    if err != nil {
        panic(err)
    }
    fmt.Print(string(result))

    if decrypted, err := decryptJSON(string(result), identity.String()); err != nil {
        panic(err)
    } else {
        fmt.Println(decrypted)
    }
}

func decryptJSON(encryptedData, privateKey string) (string, error) {
    id, err := age.ParseX25519Identity(privateKey)
    if err != nil {
        return "", fmt.Errorf("failed to parse private key: %w", err)
    }

    store := sopsjson.Store{}
    tree, err := store.LoadEncryptedFile([]byte(encryptedData))
    if err != nil {
        return "", fmt.Errorf("failed to load encrypted JSON: %w", err)
    }

    os.Setenv("SOPS_AGE_KEY", id.String())
    defer os.Unsetenv("SOPS_AGE_KEY")
    if _, err := common.DecryptTree(common.DecryptTreeOpts{
        Cipher:      aes.NewCipher(),
        Tree:        &tree,
        KeyServices: []keyservice.KeyServiceClient{keyservice.NewLocalClient()},
    }); err != nil {
        return "", fmt.Errorf("failed to decrypt tree: %w", err)
    }

    decryptedData, err := store.EmitPlainFile(tree.Branches)
    if err != nil {
        return "", fmt.Errorf("failed to emit plain file: %w", err)
    }

    return string(decryptedData), nil
}