jupyterhub / team-compass

A repository for team interaction, syncing, and handling meeting notes across the JupyterHub ecosystem.
http://jupyterhub-team-compass.readthedocs.io

Use `sops` instead of `git-crypt` + `ssh-vault` #473

Open choldgraf opened 2 years ago

choldgraf commented 2 years ago

Proposed change

I just spent 30 minutes trying to set up git-crypt and ssh-vault again from scratch, and I cannot for the life of me figure it out. What do people think about switching our secrets authentication to instead use the sops tools from mozilla? We've been using it in 2i2c, and doing authentication via gcloud instead of via passing around a private key. This seems like a more streamlined and secure process (since we can more easily give and take away access, and since it'll be explicit who has access because it will depend on their membership in the project).

In case it is helpful, here is the 2i2c team documentation on sops. We have been using it for a while and it has been quite nice IMO!

Alternative options

We can improve the documentation around how to install ssh-vault and git-crypt, and how to use them to decrypt secrets.

Who would use this feature?

Any team member who needs access to these secrets!

choldgraf commented 2 years ago

Note for future: here is what I have tried to get git-crypt working, but still without success:

manics commented 2 years ago

I don't have access to any git-crypt secrets but from the description sops with external auth sounds sensible!

If you're re-encrypting secrets as part of this process it might be a good time to rotate them?

Is this related to the OIDC integration between GitHub workflows and cloud providers which means you can get rid of the hard-coded secrets needed to authenticate the workflow for the deploy? https://docs.github.com/en/actions/deployment/security-hardening-your-deployments

minrk commented 2 years ago

I'm fine with any reasonable secret-sharing tool folks like. Can sops encrypt whole files? I think we do need that.

sgibson91 commented 2 years ago

> Can sops encrypt whole files?

Yes, this is primarily how we use it at 2i2c :)

sgibson91 commented 2 years ago

> you can get rid of the hard-coded secrets needed to authenticate the workflow for the deploy

One key is required to authorise the workflow to get access to the SOPS encryption key: e.g., a Service Account if your backend is in Google Key Management. This is 2i2c's deployment file if it helps https://github.com/2i2c-org/infrastructure/blob/master/.github/workflows/deploy-hubs.yaml
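The two points above (whole-file encryption, and a single KMS-backed key whose access is granted per person or per service account) can be expressed in one sops creation-rules file. This is an added, constructed example and not 2i2c's or JupyterHub's actual configuration; the GCP project, key ring and key name are placeholders.

```yaml
# .sops.yaml -- constructed example. Every GCP resource id below is a placeholder.
#
# Who can decrypt is not decided by this file but by IAM on the KMS key:
# humans get roles/cloudkms.cryptoKeyDecrypter on it and authenticate with
#   gcloud auth application-default login
# while the deploy workflow authenticates as a service account holding the same
# role. Revoking either is an IAM change, no re-encryption or key hand-over needed.
creation_rules:
  # Structured secrets (e.g. Helm values): sops keeps YAML keys in clear and
  # encrypts only the values, so `git diff` still shows which entries changed.
  # encrypted_regex restricts encryption to the keys that actually hold secrets.
  - path_regex: secrets/.*\.yaml$
    encrypted_regex: ^(password|token|secret|key|hex_secret_key)$
    gcp_kms: projects/PLACEHOLDER_PROJECT/locations/global/keyRings/PLACEHOLDER_RING/cryptoKeys/PLACEHOLDER_KEY

  # Opaque files (private keys, kubeconfigs, service-account JSON): the whole
  # file is treated as one blob. Encrypt with
  #   sops --encrypt --input-type binary --output-type binary secrets/deploy.key > secrets/deploy.key.enc
  # and decrypt with
  #   sops --decrypt --input-type binary --output-type binary secrets/deploy.key.enc
  - path_regex: secrets/.*\.(key|pem|json)$
    gcp_kms: projects/PLACEHOLDER_PROJECT/locations/global/keyRings/PLACEHOLDER_RING/cryptoKeys/PLACEHOLDER_KEY
```

Rotating the KMS key (or re-encrypting after the migration, as suggested above) is done with `sops --rotate --in-place <file>`, which re-wraps the data key without touching the plaintext.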

minrk commented 2 years ago

Gotcha, I saw notes about encrypting lines instead of files. 👍 to anything that makes folks' lives easier. I'll let one of the 2i2c people who has experience with sops take the lead on migration, if folks want to do that.