Open lvh opened 7 years ago
Trying to answer my own question, but it seems that one difference is that SOPS does both GPG and KMS, whereas the others are focused on KMS. However, IIUC, SOPS only does one at a time -- e.g. there are no clever tricks where the session key is encrypted via KMS too, to support both?
I'm not sure if it's what you're asking, but files can be encrypted (and decrypted) with KMS and GPG at the same time. When you encrypt a file with KMS and GPG you actually encrypt an AES256-GCM key with KMS and GPG. You can then use either KMS or GPG to recover the AES key and decrypt the file.
Oh, awesome! I missed that. Thanks :)
(I missed it because I was expecting it to work at the GPG session key layer, and have the core message still be an OpenPGP message -- just with a new encrypted session key, except instead of encrypted to a GPG key, encrypted to a KMS key. That sounds way more hairy than what you actually did, and is probably just a side effect of me overthinking OpenPGP message formats :-))
When you encrypt a new document, sops generates a data key to encrypt each value of the document with AES256_GCM.
Then, the data key is encrypted with each master key. If you have 2 KMS and 2 PGP keys, you will have 4 versions of the encrypted data key. Each master key can decrypt the data key, and thus decrypt the document.
This mechanism allows us to encrypt with several KMS to use in multiple regions, and also encrypt with a backup PGP key stored securely in case we would lose access to KMS. This is one of the benefits of sops over other tools.
Another benefit, or inconvenience depending on how you see it, is the fact that we don't encrypt keys in YAML/JSON documents. We only encrypt values. This allows us to maintain meaningful diffs when modifying documents stored in git, and merge changes when the same document is modified by two separate authors simultaneously.
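The envelope scheme described in the two answers above (one AES-256-GCM data key per document, each value sealed with it, the data key wrapped once per master key, and key names left in clear) as an added example in Go. This is not sops's own code: the type and function names are mine, and the KMS and PGP master keys are stood in for by plain 32-byte symmetric keys so the example runs offline. Any single master key unwraps the data key; a wrong key or a tampered value fails the GCM tag check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedDocument: key names stay in clear, each value is sealed with one data key,
// and that data key is wrapped once per master key so any single master can recover it.
type EncryptedDocument struct {
	Data           map[string][]byte // plaintext key names -> nonce||ciphertext||tag
	WrappedDataKey map[string][]byte // master key name -> wrapped data key
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag under AES-256-GCM with a fresh random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; a wrong key or tampered input fails the GCM tag check.
func openGCM(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// EncryptDocument generates a fresh 256-bit data key, encrypts every value with it,
// then wraps the data key under each master key (hypothetical stand-ins for KMS/PGP).
func EncryptDocument(doc map[string]string, masterKeys map[string][]byte) (EncryptedDocument, error) {
	if len(masterKeys) == 0 {
		return EncryptedDocument{}, errors.New("at least one master key is required")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return EncryptedDocument{}, err
	}
	enc := EncryptedDocument{Data: map[string][]byte{}, WrappedDataKey: map[string][]byte{}}
	for k, v := range doc {
		ct, err := sealGCM(dataKey, []byte(v))
		if err != nil {
			return EncryptedDocument{}, err
		}
		enc.Data[k] = ct
	}
	for name, mk := range masterKeys {
		wrapped, err := sealGCM(mk, dataKey)
		if err != nil {
			return EncryptedDocument{}, err
		}
		enc.WrappedDataKey[name] = wrapped
	}
	return enc, nil
}

// DecryptDocument unwraps the data key with the one master key the caller holds,
// then decrypts every value with it.
func DecryptDocument(enc EncryptedDocument, masterName string, masterKey []byte) (map[string]string, error) {
	wrapped, ok := enc.WrappedDataKey[masterName]
	if !ok {
		return nil, fmt.Errorf("no data key wrapped for master key %q", masterName)
	}
	dataKey, err := openGCM(masterKey, wrapped)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key with %s: %w", masterName, err)
	}
	out := map[string]string{}
	for k, ct := range enc.Data {
		pt, err := openGCM(dataKey, ct)
		if err != nil {
			return nil, fmt.Errorf("decrypt %q: %w", k, err)
		}
		out[k] = string(pt)
	}
	return out, nil
}
```

Usage: call EncryptDocument with a map of secrets and, say, two 32-byte master keys named "kms" and "pgp"; DecryptDocument with either name and its key returns the original map, which is exactly the property that lets a backup PGP key stand in when KMS is unreachable. Because only the values in Data change while the key names do not, a diff of two encrypted versions still shows which entries were modified.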
@jvehent @autrilla Awesome, thanks -- that's incredibly helpful. I'm doing an overview of secret storage tools. Would it be OK to credit you by name, or would you prefer to remain anonymous?
@lvh that's fine by me.
@lvh: it's all public, feel free to name names ;) Also, you may be interested in https://www.youtube.com/watch?v=gUpCSgcChRk
Comparing to other key tools I was also wondering: credstash (aws kms) and gcredstash (google kms) use the kms, but also the cloud storage (of aws and google respectively) for the secrets. From what I see sops does not do this. Why not?
@musicformellons I'm unfamiliar with what those tools do with cloud storage, but for SOPS, we don't want to lock in our users to any particular cloud provider. SOPS secrets are just files, and we let our users store them anywhere that they can store files. Nothing prevents you from putting SOPS secrets in S3 or Google Cloud Storage. In fact, I imagine most people do!
https://oteemo.com/2019/06/20/hashicorp-vault-is-overhyped-and-mozilla-sops-with-kms-and-git-is-massively-underrated/ Feel free to put that on the Readme
Redundancy (multi-signing already mentioned), cross platform, works pretty well for automation, simple api.
The README mentions credstash, sneaker as inspirations -- but why should I use sops over those tools?