getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

Can't change encrypted_regex from CLI #1153

Open filip-zyzniewski opened 1 year ago

filip-zyzniewski commented 1 year ago

I am trying to add a new secret value to a YAML file and update the encrypted_regex so that this value is encrypted.

Attempt:

$ sops --version
sops 3.7.3 (latest)
$ cat secret.yaml 
password: ENC[AES256_GCM,data:gDkW,iv:NS3yipzHEATLue4hgkgynWy70kBE0VyfIOfIwzO5tX0=,tag:JSy9l30aySFO/nKTEdpbEg==,type:str]
sops:
    kms:
        - arn: arn:aws:kms:[...]
          created_at: "2022-12-06T11:54:38Z"
          enc: AQICAHgPu6n0DgaUaOs+2vLXKG46nRyFxexyCFr+GmAXlP16QQGFsRAlLSYZASnnNHlJdeLyAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMXdmO7cE8kd+wTl9SAgEQgDv+wXle3g/HVtd7W+ENkmnMJtHn0xCOxnZg9lgNsg/G9EBOgTn1c3t8gcJv0NQfc9IOxgHJmjbaECRVVA==
          aws_profile: ""
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2022-12-06T11:54:39Z"
    mac: ENC[AES256_GCM,data:u0g01TmX5ydNNiFJFTsIRyz9314yn18XyXMXuJughQEd0rjgHvGp/MAeqc6Ny1FQ4qe6QH587Vxx/Dz+yCqQrWJ4FC9v6qHJsPRxJxcyjs7oXECe6tqce7R6hOBsz1Psp/ZMnYYLuvWbM2zKyFo58OMJwM6QZqo6K9LYSgHZQMU=,iv:kOAS32B0ZEk+moNibLnDmCa5bKZFRX3B5Lct/nRPrd4=,tag:ozKxdscoJA0Ldt8SPh35Mw==,type:str]
    pgp: []
    encrypted_regex: password
    version: 3.7.3
$ sops --in-place --encrypted-regex 'password|secret' secret.yaml  # added `secret: bar` as the second line 
$ cat secret.yaml 
password: ENC[AES256_GCM,data:gDkW,iv:NS3yipzHEATLue4hgkgynWy70kBE0VyfIOfIwzO5tX0=,tag:JSy9l30aySFO/nKTEdpbEg==,type:str]
secret: bar
sops:
    kms:
        - arn: arn:aws:kms:[...]
          created_at: "2022-12-06T11:54:38Z"
          enc: AQICAHgPu6n0DgaUaOs+2vLXKG46nRyFxexyCFr+GmAXlP16QQGFsRAlLSYZASnnNHlJdeLyAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMXdmO7cE8kd+wTl9SAgEQgDv+wXle3g/HVtd7W+ENkmnMJtHn0xCOxnZg9lgNsg/G9EBOgTn1c3t8gcJv0NQfc9IOxgHJmjbaECRVVA==
          aws_profile: ""
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2022-12-06T11:55:33Z"
    mac: ENC[AES256_GCM,data:bL6JI2Dx7/W2AMzexis+nIMDU5GD3nV35lOZ2zaCX/+HyzIw+LPJ27I1JdMtuCEiX7MvX0Fk9HGrwBLxJvDiiP5JIHviWaOMUbWTqnbfeOo1e+6ZsQr1sFgWP2MLySQZRTj9jJUr/CJe68fZAD+vLYfEiQ7tOaMmt+o/eWap77M=,iv:pi/ZYWe8SB5QPqstDAI+olJkxhVZGwWMXx/gBSII6NY=,tag:ZD7QURzgU3PWhvGA2D+HKw==,type:str]
    pgp: []
    encrypted_regex: password
    version: 3.7.3
$

I expected bar to be encrypted and encrypted_regex to be changed to password|secret in the YAML file, but neither of those has happened.

tomkukral commented 1 year ago

I'd love to have this feature as well. The workaround is to decrypt the file, edit the plaintext and encrypt it again, but having support for updating encrypted_regex in the CLI would be awesome.
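A defender-side check for the state the issue describes: the stored `encrypted_regex` lagging behind the one you intended, so a newly added key stays in plaintext. This is an added example, not sops code or anything from the thread; it assumes the YAML has already been loaded into a dict (for instance with PyYAML), and the sample document is constructed to mirror the second `cat secret.yaml` above with one nested mapping added to show the path walk.

```python
import re

# sops marks every value it encrypted as ENC[AES256_GCM,data:...,type:...];
# anything not in that shape is plaintext.
ENC_MARKER = re.compile(r"^ENC\[AES256_GCM,data:[^\]]*\]$")

# Constructed sample mirroring the issue: encrypted_regex is still `password`,
# so `secret: bar` was written in the clear. The `db` mapping is added here to
# show nested keys; `db.password` counts as covered because a path component
# matches, which is how sops applies the regex to nested structures.
SAMPLE_DOC = {
    "password": "ENC[AES256_GCM,data:gDkW,iv:NS3y,tag:JSy9,type:str]",
    "secret": "bar",
    "db": {"host": "db.internal", "password": "ENC[AES256_GCM,data:Zm9v,type:str]"},
    "sops": {"encrypted_regex": "password", "version": "3.7.3"},
}


def _walk(node, path=()):
    """Yield (path, leaf) for every scalar outside the top-level sops block."""
    if isinstance(node, dict):
        for key, value in node.items():
            if not path and key == "sops":
                continue  # metadata is inspected separately in audit()
            yield from _walk(value, path + (str(key),))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, path + (str(i),))
    else:
        yield path, node


def audit(doc, intended_regex):
    """Return human-readable findings; an empty list means the file is consistent."""
    stored = doc.get("sops", {}).get("encrypted_regex")
    findings = []
    if stored != intended_regex:
        findings.append(f"stored encrypted_regex {stored!r} != intended {intended_regex!r}")
    want = re.compile(intended_regex)
    for path, leaf in _walk(doc):
        if not any(want.search(part) for part in path):
            continue  # key is not supposed to be encrypted
        if leaf is None or ENC_MARKER.match(str(leaf)):
            continue  # already encrypted (or empty)
        findings.append(f"{'.'.join(path)} matches {intended_regex!r} but is plaintext")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DOC, "password|secret"):
        print(finding)
```

Run it against the decrypted-then-re-encrypted file as well: once the workaround from the comment above has been applied with the new regex, `audit()` should return an empty list.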