getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

Allow adding to a secrets file, without being able to decrypt? #1178

Closed ScottPierce closed 1 year ago

ScottPierce commented 1 year ago

I'm trying to create a secrets.json file that can be checked into git. I want for my entire team to be able to add / encrypt a value to the secrets file, but not decrypt a value. We're using Google Cloud to manage access to the encryption key. When I give the Cloud KMS CryptoKey Encrypter permission, and run the following command, I get the following error:

sops --set '["app2"]["key"] "app2keystringvalue"' secrets.enc.json
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  projects/example-project/locations/global/keyRings/example/cryptoKeys/sops-key: FAILED
    - | Error decrypting key: googleapi: Error 403: Permission
      | 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource
      | 'projects/example-project/locations/global/keyRings/example/cryptoKeys/sops-key'
      | (or it may not exist)., forbidden

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

When I add the Cloud KMS CryptoKey Decrypter permission, everything seems to work fine.

Is there a way that I can allow people to add things to the file, without requiring that they have permission to decrypt the entire file?

hurzelpurzel commented 1 year ago

That doesn't make sense. Changing a file without decrypt permission could break the integrity. One solution could be that you create a new team key for the whole team and share it. Maybe you can use a second backend like age to avoid the permission issue.

ScottPierce commented 1 year ago

Then that would mean that anyone who can add a secret, can also decrypt all the secrets. How would that be overcome?

hurzelpurzel commented 1 year ago

Ok. I agree. Sorry if I overread your requirement to add values but not to be able to decrypt all of them. I'm not sure if it is possible to define different public keys for different attribute regexes within a file in the .sops.yaml. You can define a regex to associate files with public keys as far as I know, but I guess not for attributes. Sorry.
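Both points made in the thread, that editing the file without decrypt permission would break its integrity, and that key selection in .sops.yaml is per file (path regex) rather than per attribute, are easier to see in code. The following is an added example written for this page, not sops's own code and not anything posted by the participants. It models envelope encryption in the outline sops uses (one random data key per file, wrapped by a KMS key; every value encrypted under the data key; a MAC over all plaintext values), with a toy HMAC-SHA256 keystream standing in for AES-GCM and an in-process fake KMS whose "encrypt"/"decrypt" roles stand in for the Cloud KMS CryptoKey Encrypter/Decrypter IAM roles. The key resource names, principals and role names are assumptions, and the file layout is a simplification, not the real sops format.

```python
# Added example (not sops code): why "add without decrypt" fails in a
# sops-style envelope-encrypted file, and what per-file keys buy you.
import hashlib
import hmac
import json
import os


class PermissionDenied(Exception):
    pass


def _xor_stream(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256(key, nonce||counter) keystream XORed with
    data. Symmetric, so the same call decrypts. Stands in for AES-GCM only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


class FakeKms:
    """One KMS key (made-up resource id). Wrapping/unwrapping the per-file data
    key is gated per principal, like Encrypter/Decrypter roles on Cloud KMS."""

    def __init__(self, resource_id):
        self.resource_id, self._master, self._roles = resource_id, os.urandom(32), {}

    def grant(self, principal, role):  # role is "encrypt" or "decrypt"
        self._roles.setdefault(principal, set()).add(role)

    def _check(self, principal, role):
        if role not in self._roles.get(principal, set()):
            raise PermissionDenied(f"'cloudkms.cryptoKeyVersions.useTo{role.capitalize()}' "
                                   f"denied for {principal} on {self.resource_id}")

    def wrap(self, principal, data_key):
        self._check(principal, "encrypt")
        nonce = os.urandom(12)
        return {"nonce": nonce.hex(), "ct": _xor_stream(self._master, nonce, data_key).hex()}

    def unwrap(self, principal, wrapped):
        self._check(principal, "decrypt")
        return _xor_stream(self._master, bytes.fromhex(wrapped["nonce"]), bytes.fromhex(wrapped["ct"]))


def _mac(data_key, values):
    """Integrity tag over ALL plaintext values (sops keeps an analogous MAC).
    Recomputing it needs every plaintext, so any edit needs the data key."""
    return hmac.new(data_key, json.dumps(values, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def _enc_value(data_key, value):
    nonce = os.urandom(12)
    return nonce.hex() + ":" + _xor_stream(data_key, nonce, value.encode()).hex()


def _dec_value(data_key, blob):
    nonce_hex, ct_hex = blob.split(":")
    return _xor_stream(data_key, bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)).decode("utf-8", "replace")


def create_file(kms, principal, values):
    data_key = os.urandom(32)
    data = {name: _enc_value(data_key, v) for name, v in values.items()}
    return {"data": data, "sops": {"kms": kms.wrap(principal, data_key), "mac": _mac(data_key, values)}}


def _open(kms, principal, doc):
    data_key = kms.unwrap(principal, doc["sops"]["kms"])  # raises without decrypt rights
    values = {name: _dec_value(data_key, blob) for name, blob in doc["data"].items()}
    if not hmac.compare_digest(_mac(data_key, values), doc["sops"]["mac"]):
        raise ValueError("MAC mismatch: a value was changed without the data key")
    return data_key, values


def decrypt_file(kms, principal, doc):
    return _open(kms, principal, doc)[1]


def set_value(kms, principal, doc, name, value):
    """The `sops --set` step: adding ONE value still unwraps the data key and
    decrypts every other value, because the MAC must be recomputed."""
    data_key, values = _open(kms, principal, doc)
    values[name] = value
    new = {"data": dict(doc["data"]), "sops": dict(doc["sops"])}
    new["data"][name] = _enc_value(data_key, value)
    new["sops"]["mac"] = _mac(data_key, values)
    return new


def single_file_scenario():
    """Encrypter-only fails like the issue; Encrypter+Decrypter can add, and so reads everything."""
    key = FakeKms("projects/example-project/locations/global/keyRings/example/cryptoKeys/sops-key")
    key.grant("admin", "encrypt"), key.grant("admin", "decrypt"), key.grant("writer", "encrypt")
    doc = create_file(key, "admin", {"app1/key": "app1secret"})
    out = {}
    try:
        set_value(key, "writer", doc, "app2/key", "app2keystringvalue")
        out["encrypter_only_can_add"] = True
    except PermissionDenied:
        out["encrypter_only_can_add"] = False
    key.grant("writer", "decrypt")
    doc = set_value(key, "writer", doc, "app2/key", "app2keystringvalue")
    out["with_decrypter_can_add"] = True
    out["with_decrypter_reads"] = decrypt_file(key, "writer", doc)
    return out


def per_file_scenario():
    """One file and one KMS key per app (what per-path creation rules give you):
    write still implies read, but only inside that file."""
    app1_key, app2_key = FakeKms("app1-key"), FakeKms("app2-key")
    for k, who in ((app1_key, "admin"), (app2_key, "admin"), (app2_key, "app2-team")):
        k.grant(who, "encrypt"), k.grant(who, "decrypt")
    app1_doc = create_file(app1_key, "admin", {"key": "app1secret"})
    app2_doc = set_value(app2_key, "app2-team", create_file(app2_key, "admin", {}), "key", "app2keystringvalue")
    out = {"app2_team_adds_to_app2": decrypt_file(app2_key, "app2-team", app2_doc) == {"key": "app2keystringvalue"}}
    try:
        decrypt_file(app1_key, "app2-team", app1_doc)
        out["app2_team_reads_app1"] = True
    except PermissionDenied:
        out["app2_team_reads_app1"] = False
    return out


def tampered_file_rejected():
    """A blob pasted in without the data key is caught by the MAC on the next read."""
    key = FakeKms("sops-key")
    key.grant("admin", "encrypt"), key.grant("admin", "decrypt")
    forged = create_file(key, "admin", {"a": "1"})
    forged["data"]["b"] = os.urandom(12).hex() + ":" + os.urandom(8).hex()  # forged without the key
    try:
        decrypt_file(key, "admin", forged)
        return False
    except ValueError:
        return True
```

`single_file_scenario()` reproduces the thread: with the encrypt-only role the `--set` equivalent fails at the unwrap step, and once the decrypt role is added the same principal can read every value in the file, because the MAC covers all plaintexts and must be recomputed on every edit. `per_file_scenario()` shows the only lever the model offers: separate files under separate keys, which in sops terms is one `creation_rules` entry per `path_regex` with its own key, so a team's write access (and the read access that comes with it) stops at the file boundary. `tampered_file_rejected()` shows why the integrity objection stands: a value injected without the data key is rejected on the next decrypt.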

ScottPierce commented 1 year ago

thank you