README

Demonstrate how to use Mozilla SOPS.

Refer to terraform_examples/19_sops

Install sops

brew install sops

# show version
sops -v  

Install gpg

Install gpg tooling

brew install gpg            
gpg --version       

# compare to latest
open https://www.gnupg.org/download/

Create gpg key

Create the gpg locally here

# check if you have a key already
gpg --list-secret-keys --keyid-format=long  

# generate a key - use noreply chrisguest75@users.noreply.github.com
# enter a passphrase
gpg --full-generate-key         
# for older versions
gpg --default-new-key-algo rsa4096 --gen-key

# answers
> (1) RSA and RSA
> What keysize do you want? (3072) 4096
> Real name: SOPS Test
> Email address: sops@guestcode.dev
> Comment: Testing SOPS
> You selected this USER-ID:
>    "SOPS Test (Testing SOPS) <sops@guestcode.dev>"
> password: testsops

# see generated keys
gpg --list-secret-keys --keyid-format=long  

# export the key in armor format
gpg --armor --export XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Encryption

# set key thumbprint
export SOPS_PGP_FP="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" 

# encrypt
sops -e ./my_secrets.json  
sops -e ./my_secrets.json > ./my_secrets.enc.json    

Decryption

# if you have a password on the pgp key
gpg-agent
GPG_TTY=$(tty)                                     
export GPG_TTY

# now decrypt
sops -d ./my_secrets.enc.json  
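A common mistake with the encrypt/decrypt flow above is committing `my_secrets.json` (or a half-encrypted file) instead of `my_secrets.enc.json`. The following pre-commit style check is an added example, not part of this README or of sops: it inspects the JSON that `sops -e` writes (leaf values of the form `ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]` plus a top-level `sops` metadata object) and reports any leaf left in plaintext, any file that was never encrypted, and any file not encrypted to the fingerprint in `SOPS_PGP_FP`. Keys ending in sops' `unencrypted_suffix` (default `_unencrypted`) are exempt, since sops leaves those in the clear by design. The sample files and the all-zero fingerprint are constructed placeholders; the base64 fields are filler, not real ciphertext.

```python
"""Check that a sops-encrypted JSON file really is encrypted before committing it.

Added example, not code from the README or from sops. Assumes the sops JSON layout:
ciphertext leaves "ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]" and a "sops"
metadata object with "pgp" recipients, an encrypted "mac" and "unencrypted_suffix".
"""
import json
import re

# Shape of a leaf after `sops -e`: AES-256-GCM ciphertext, IV and tag in base64,
# plus the original value type so sops can restore it on decrypt.
ENC_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]*,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(?:str|int|float|bool|comment)\]$"
)


def find_plaintext_leaves(node, unencrypted_suffix, path=""):
    """Return dotted paths of leaf values that are not sops ciphertext.

    Subtrees under a key ending in `unencrypted_suffix` are skipped because
    sops deliberately leaves them in plaintext.
    """
    if isinstance(node, dict):
        found = []
        for key, value in node.items():
            if key.endswith(unencrypted_suffix):
                continue
            child = f"{path}.{key}" if path else key
            found.extend(find_plaintext_leaves(value, unencrypted_suffix, child))
        return found
    if isinstance(node, list):
        found = []
        for i, value in enumerate(node):
            found.extend(find_plaintext_leaves(value, unencrypted_suffix, f"{path}[{i}]"))
        return found
    if isinstance(node, str) and ENC_VALUE.match(node):
        return []
    return [path or "<root>"]


def check_sops_file(text, expected_fp):
    """Return a list of problems; an empty list means the file looks safe to commit."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or "sops" not in doc:
        return ["no 'sops' metadata block: file was never encrypted"]
    meta = doc.pop("sops")
    suffix = meta.get("unencrypted_suffix", "_unencrypted")
    problems = [f"plaintext value at {p}" for p in find_plaintext_leaves(doc, suffix)]
    # The file must be encrypted to the key we expect (the SOPS_PGP_FP thumbprint).
    recipients = {entry.get("fp", "").upper() for entry in meta.get("pgp", [])}
    if expected_fp.upper() not in recipients:
        problems.append(
            f"expected fingerprint {expected_fp} not among pgp recipients {sorted(recipients)}"
        )
    # sops stores an encrypted MAC over the values; without it integrity checking fails.
    if not ENC_VALUE.match(meta.get("mac", "")):
        problems.append("sops.mac is missing or not encrypted")
    return problems


# Constructed sample inputs (placeholders, not real ciphertext or a real key).
FP = "0000000000000000000000000000000000000000"  # stand-in for your SOPS_PGP_FP
_CT = "ENC[AES256_GCM,data:{},iv:YWJjZGVmZ2hpamtsbW5vcA==,tag:MDEyMzQ1Njc4OWFiY2RlZg==,type:{}]"
META = {
    "pgp": [{"fp": FP, "created_at": "2024-01-01T00:00:00Z", "enc": "-----BEGIN PGP MESSAGE-----\n(constructed)\n-----END PGP MESSAGE-----"}],
    "mac": _CT.format("bWFj", "str"),
    "unencrypted_suffix": "_unencrypted",
}
GOOD = json.dumps({"db_password": _CT.format("cGFzcw==", "str"),
                   "port": _CT.format("NTQzMg==", "int"),
                   "env_unencrypted": {"region": "eu-west-1"},
                   "sops": META})
LEAK = json.dumps({"db_password": "hunter2",
                   "port": _CT.format("NTQzMg==", "int"),
                   "sops": META})
NEVER = json.dumps({"db_password": "hunter2", "port": 5432})

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("leak", LEAK), ("never", NEVER)):
        print(name, check_sops_file(sample, FP) or "ok")
```

Run it against a real file with `check_sops_file(open("my_secrets.enc.json").read(), os.environ["SOPS_PGP_FP"])` from a pre-commit hook; a non-empty result should block the commit. The fingerprint comparison is case-insensitive because `gpg --list-secret-keys` prints it in upper case while sops metadata may not.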

Import/Export keys

gpg --export-secret-keys "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pgp.key
gpg --import XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.pgp.key

Clean keys

unset SOPS_PGP_FP 
gpg --delete-secret-keys "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" 

Resources

  • SOPS: Secrets OPerationS here
  • PGP and SOPS Gist here
  • gpg.mozilla.org service has ended here
  • GPG 4.3 Configuration files here
  • Public keyserver keys.openpgp.org here
  • Cannot decrypt with GPG 2.2.5 and SOPS 3.0.0 here