getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

SOPS mac_only_encrypted #1512

Closed cdvv7788 closed 1 week ago

cdvv7788 commented 1 month ago

I am trying to set up my .sops.yaml file to ignore unencrypted data.

Currently I am trying:

creation_rules:
- path_regex: .*test\.yaml$
  encrypted_regex: "^(secret)$"
  mac_only_encrypted: true
  key_groups:
    whatever

I am using that option based on what I found here https://github.com/getsops/sops/blob/main/config/config.go#L151

I can encrypt normally, but changing a value that is not encrypted is returning:

MAC mismatch. File has D9B9748797E046490BC4432DC40AB4A38750817647769079D1693B9FD8D26D14DF9852184707094D6A4F5DA6921271D10F291E457A7B0141894F75A641C1DE85, computed 33FCF2BAFEE86F970579A5B10C3B06A9930B114361C0ACAA2711BF68AB332583CC3BC0BB196C0E6ABE41F38FE1E508C777382E9F6D740F6CFF83EC47D89C96AB

Is this an example of bad usage? In that case, can you please document the proper usage?

To reproduce using sops==3.8.1:

  1. Create a test file named test.yaml:

    public:
      test: this
    secret:
      test: shhh

  2. Encrypt the file in place with sops -e -i test.yaml:

    public:
      test: this
    secret:
      test: ENC[AES256_GCM,data:VP9ZyA==,iv:YAa4Pt1ySLaGeGxwFOXoGOEzeYPlIBAy2Pg4PS5GBsU=,tag:dDSpyL412CUgqnjJfqEJpQ==,type:str]
    sops:
      age:
        - recipient: <age_public_key>
          enc: ...
      lastmodified: "2024-05-21T15:21:04Z"
      mac: ENC[AES256_GCM,data:mJjJvCtlZ1movS16GeN/Ad2HhRUI7m3JYE00EMHYb0KTzwZKR1J3H08Q+8EeoX9SIgmUxYoHOOaTpAb5WFxVE8zz7eis+qhfpqjebaJ1d/1GfNpEVGOyY9f6vgzSwupIM3P9xWnJ2T1aNAcI8O4JuQuwq44XNu1vs6UyRI/VjBY=,iv:38Y8DDLOPpJEDiu3VRitaJQKIaLNHWKG+tTrsTwm8Uk=,tag:GnXnNfxFJmQ3A1b8/5CnfQ==,type:str]
      pgp: []
      encrypted_regex: ^(secret)$
      version: 3.8.1

  3. Modify the public value that is not encrypted:

    public:
      test: this-is-new
    secret:
      test: ENC[AES256_GCM,data:VP9ZyA==,iv:YAa4Pt1ySLaGeGxwFOXoGOEzeYPlIBAy2Pg4PS5GBsU=,tag:dDSpyL412CUgqnjJfqEJpQ==,type:str]
    sops:
      age:
        - recipient: <age_public_key>
          enc: ...
      lastmodified: "2024-05-21T15:21:04Z"
      mac: ENC[AES256_GCM,data:mJjJvCtlZ1movS16GeN/Ad2HhRUI7m3JYE00EMHYb0KTzwZKR1J3H08Q+8EeoX9SIgmUxYoHOOaTpAb5WFxVE8zz7eis+qhfpqjebaJ1d/1GfNpEVGOyY9f6vgzSwupIM3P9xWnJ2T1aNAcI8O4JuQuwq44XNu1vs6UyRI/VjBY=,iv:38Y8DDLOPpJEDiu3VRitaJQKIaLNHWKG+tTrsTwm8Uk=,tag:GnXnNfxFJmQ3A1b8/5CnfQ==,type:str]
      pgp: []
      encrypted_regex: ^(secret)$
      version: 3.8.1

  4. Try to decrypt using sops -d test.yaml and get the error:

    MAC mismatch. File has 53D78D70FFC24EA217D3A1723A63507683FD8B5EECF667E4EB102B9BCF61E91D1F7C015C841ABB0645ABA2CE9AB20AE13EA544F31C75285C87A8F81F7790A8E5, computed 55578626998F8FDFF9EDC8504E2D096C9A025219056271BA1D24865F0284205179840D918521ADAD61E3A3DB3B7C2D9970E6B2526289726B919CDBEAC6944336

felixfontein commented 1 month ago

Please note that mac_only_encrypted only exists on the main branch, but not in a released version so far.

CC @getsops/maintainers

cdvv7788 commented 1 month ago

🤦 I didn't check that. The .sops.yaml file options are mostly undocumented explicitly, so I just assumed this was the case. My bad.

felixfontein commented 1 week ago

SOPS 3.9.0 is now out; with that, this now works: https://github.com/getsops/sops/releases/tag/v3.9.0
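As an added illustration (not code from the sops project or from either commenter), here is a simplified Python model of why the reproduction above fails without mac_only_encrypted and verifies with it: sops feeds the plaintext of every leaf it walks into SHA-512 and records the hex digest as the MAC, so changing an unencrypted leaf changes the MAC; with mac_only_encrypted, leaves that do not fall under encrypted_regex are skipped. The tree walk, the regex matching on path keys, and the sample documents are assumptions modelled on the issue, not the project's exact implementation.

```python
import hashlib
import re

# Constructed sample documents mirroring the issue's test.yaml (plaintext view,
# i.e. what sops sees after decrypting the ENC[...] leaves and stripping the
# `sops:` metadata branch, which is never part of the MAC).
ORIGINAL = {"public": {"test": "this"}, "secret": {"test": "shhh"}}
PUBLIC_EDITED = {"public": {"test": "this-is-new"}, "secret": {"test": "shhh"}}
SECRET_EDITED = {"public": {"test": "this"}, "secret": {"test": "changed"}}


def iter_leaves(node, path=()):
    """Yield (path, value) for every scalar in document order (a tree walk)."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from iter_leaves(child, path + (str(key),))
    elif isinstance(node, list):
        for idx, child in enumerate(node):
            yield from iter_leaves(child, path + (str(idx),))
    else:
        yield path, node


def should_be_encrypted(path, encrypted_regex):
    """A leaf is encrypted if any key on its path matches encrypted_regex
    (unanchored search, like Go's regexp.MatchString)."""
    return any(re.search(encrypted_regex, key) for key in path)


def compute_mac(doc, encrypted_regex, mac_only_encrypted):
    """SHA-512 over the leaf plaintexts in walk order; with mac_only_encrypted,
    leaves outside encrypted_regex are skipped so editing them is harmless."""
    digest = hashlib.sha512()
    for path, value in iter_leaves(doc):
        if mac_only_encrypted and not should_be_encrypted(path, encrypted_regex):
            continue
        digest.update(str(value).encode("utf-8"))
    return digest.hexdigest().upper()  # 128 hex chars, as in the error message


def mac_matches(stored_doc, current_doc, encrypted_regex, mac_only_encrypted):
    """True when the MAC recorded at encryption time still verifies."""
    stored = compute_mac(stored_doc, encrypted_regex, mac_only_encrypted)
    computed = compute_mac(current_doc, encrypted_regex, mac_only_encrypted)
    return stored == computed


if __name__ == "__main__":
    for only_enc in (False, True):
        ok = mac_matches(ORIGINAL, PUBLIC_EDITED, "^(secret)$", only_enc)
        print(f"mac_only_encrypted={only_enc}: {'ok' if ok else 'MAC mismatch'}")
```

Editing the encrypted leaf still breaks the MAC in both modes, so the option relaxes integrity only for values that were never protected by encryption in the first place.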