sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. It encrypts each value individually with AES-256-GCM under a per-file data key, and that data key is wrapped by the configured KMS/age/PGP keys, so the file's structure and key names stay readable while the values do not.
Learn more at their GitHub repo.
Mac
brew install sops
Not too knowledgeable about this part yet. I know my co-worker set up two keys in AWS KMS. I added an export line to my .zshrc file.
echo "export SOPS_KMS_ARN=\"arn:aws:kms:us-east-1:2345628395234:key/2342gjs-235dga-4t2a-a5da-shet2298d7gahg,arn:aws:kms:us-west-2:2345628395234:key/2342gjs-235dga-4t2a-a5da-shet2298d7gahg\"" >> ~/.zshrc
SOPS_KMS_ARN takes a comma-separated list of key ARNs. sops wraps the file's data key under every key listed, so a file encrypted this way can be decrypted with either region's key; losing access to one region does not lock you out. For per-repository rules, a .sops.yaml file with creation_rules is the usual alternative to the environment variable.
Encrypt/Decrypt: sops writes to stdout, so redirect the output into a file.
sops -e test/test.yaml > test/test.yaml.enc
sops -d test/test.yaml.enc
Caveat: sops picks the store (yaml, json, dotenv, binary) from the file extension, and .enc is not an extension it knows, so test.yaml.enc is treated as binary and the decrypt fails to parse. Either pass --input-type yaml --output-type yaml when decrypting, or name the file test.enc.yaml so the extension still ends in .yaml.
Alternatively you can feed the data in on stdin with a heredoc.
cat <<EOF | sops -e --input-type dotenv --unencrypted-suffix NO /dev/stdin
YES=encrypt_this
NO=not_encrypt_this
MAYBE=encrypt_this
EOF
which results in (only the data keys are shown; sops also appends a sops metadata block holding the wrapped data key, the MAC and the selection rule)
"YES": "ENC[AES256_GCM,data:OPE5zmOrFP4SMZWC,iv:saiSspuVP36vrMfgQWCC9WsRiRwAe6C4Z4nc/6IXsHI=,tag:d7/IFLxo8+X/e3H5JMKPvw==,type:str]",
"NO": "not_encrypt_this",
"MAYBE": "ENC[AES256_GCM,data:pwurznSQz2tDvaHM,iv:2wdHTGO6lDhLE2Jz1FIWvRJEyjpKXlPQkbZd1W9d0wA=,tag:FN/YswKfhbuoi3tBXnc3FQ==,type:str]",
The suffix rule is matched against key names, not values: NO ends with the suffix NO, so it stays in plaintext, while YES and MAYBE are encrypted. The output is JSON rather than dotenv because, with no --output-type, sops derives the output store from the filename (/dev/stdin has no known extension, so binary, which is emitted as JSON); add --output-type dotenv to keep the dotenv form.
cat <<EOF | sops -e --input-type yaml --encrypted-regex "name|app" /dev/stdin
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: update-adnet-partner-json-stage
  namespace: adnet
  labels:
    app: update-adnet-partner-json-stage
spec:
  schedule: "*/15 * * * *"
EOF
which results in (sops metadata block omitted again)
{
  "apiVersion": "batch/v1beta1",
  "kind": "CronJob",
  "metadata": {
    "name": "ENC[AES256_GCM,data:K973iWFrASuSZdCeFqgh2YGqLfKC8AezQB8XKEtHYw==,iv:o32OTBLToHZF5vJvRJwPGoI/cTnGOo/Dd5b/k4hJrf4=,tag:5zITjuGc1KkG88iNbpTYVw==,type:str]",
    "namespace": "ENC[AES256_GCM,data:g5Alyg4=,iv:o443h02p8SDk6vJ4ZyufP4GVCFNBu/QMJKIg0pQxHVY=,tag:k6aIrl0XL90Z3CvnB7HLWQ==,type:str]",
    "labels": {
      "app": "ENC[AES256_GCM,data:mz+P6zmF9PU02HAD5/EPN3PFtw5qske6Cu/WAS5U9g==,iv:zs++v1s4rgVYp5EodmParjN2yZZ+/oj6WPLnFhMeNP8=,tag:6/CJm13JUpt/+U9RE0DvkA==,type:str]"
    }
  },
  "spec": {
    "schedule": "*/15 * * * *"
  }
}
Note that the regex is an unanchored search over each key name, so "name" also matches namespace; anchor it ("^name$") if that is not what you want. Also note that AES-GCM does not pad: the ciphertext in each ENC[...] is exactly as long as the plaintext (5 bytes for "adnet"), so value lengths are visible in the committed file.
Relevant flags from sops --help:
--decrypt, -d            decrypt a file and output the result to stdout
--encrypt, -e            encrypt a file and output the result to stdout
--input-type value       currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type
--output-type value      same choices as --input-type. If not set, sops will use the file's extension to determine the output format
--unencrypted-suffix value   override the unencrypted key suffix (default "_unencrypted"). Keys ending in the suffix, and everything beneath them, are left in plaintext.
--encrypted-suffix value     override the encrypted key suffix. When set, only keys ending in the suffix (and everything beneath them) are encrypted.
--unencrypted-regex value    set the unencrypted key regex. When specified, only keys matching the regex are left unencrypted.
--encrypted-regex value      set the encrypted key regex. When specified, only keys matching the regex are encrypted.
Only one of the four selection flags can be used per file; sops refuses to combine them. Whichever rule is used is recorded in the file's sops metadata, so it does not have to be repeated on decrypt.
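The following is an added example, not code from the page or from the sops project. It is a stdlib-only Python script that does two things on the page's own inputs: it reproduces the key-selection rule behind the four flags above (my reading of sops's behaviour, namely that the suffix or regex is tested against every key on the path from the root to a leaf, so a match on an ancestor decides its whole subtree, and list indices are never matched), and it parses the ENC[...] leaves from the two outputs above to check they are well-formed and to expose the ciphertext length. The sample trees and the YES_ENC value are copied from the page; the function names and the `mode` strings are my own.

```python
"""Mirror sops's key-selection flags and parse its ENC[...] leaves (added example)."""
import base64
import re
from typing import Any, Dict, Optional, Tuple

# sops's documented default when none of the four selection flags is given.
DEFAULT_UNENCRYPTED_SUFFIX = "_unencrypted"

# Shape of one encrypted leaf as written by sops (seen in the page's outputs).
ENC_RE = re.compile(
    r"^ENC\[(?P<cipher>[A-Z0-9_]+),data:(?P<data>[^,\]]*),iv:(?P<iv>[^,\]]*),"
    r"tag:(?P<tag>[^,\]]*),type:(?P<type>[a-z]+)\]$"
)


def is_encrypted(key_path: Tuple[str, ...], mode: Optional[str], pattern: Optional[str]) -> bool:
    """Decide whether the leaf reached via key_path gets encrypted.

    mode is one of "unencrypted_suffix", "encrypted_suffix", "unencrypted_regex",
    "encrypted_regex" (my names for the four CLI flags), or None for the default.
    The rule is tested against every key on the path, as sops does.
    """
    if mode is None:
        mode, pattern = "unencrypted_suffix", DEFAULT_UNENCRYPTED_SUFFIX
    assert pattern is not None
    if mode == "unencrypted_suffix":
        return not any(k.endswith(pattern) for k in key_path)
    if mode == "encrypted_suffix":
        return any(k.endswith(pattern) for k in key_path)
    if mode == "unencrypted_regex":  # unanchored search, like sops's MatchString
        return not any(re.search(pattern, k) for k in key_path)
    if mode == "encrypted_regex":
        return any(re.search(pattern, k) for k in key_path)
    raise ValueError(f"unknown mode {mode!r}")


def classify(tree: Any, mode: Optional[str] = None, pattern: Optional[str] = None,
             _keys: Tuple[str, ...] = (), _label: str = "") -> Dict[str, bool]:
    """Return {dotted.path: encrypted?} for every leaf of a nested dict/list tree."""
    out: Dict[str, bool] = {}
    if isinstance(tree, dict):
        for k, v in tree.items():
            label = f"{_label}.{k}" if _label else str(k)
            out.update(classify(v, mode, pattern, _keys + (str(k),), label))
    elif isinstance(tree, list):
        # List items inherit the parent's key path; the index is display-only.
        for i, v in enumerate(tree):
            out.update(classify(v, mode, pattern, _keys, f"{_label}[{i}]"))
    else:
        out[_label] = is_encrypted(_keys, mode, pattern)
    return out


def parse_enc(value: str) -> Dict[str, Any]:
    """Parse one ENC[...] leaf; raise ValueError if it is not a well-formed sops value."""
    m = ENC_RE.match(value)
    if not m:
        raise ValueError("not an ENC[...] value")
    if m["cipher"] != "AES256_GCM":
        raise ValueError(f"unexpected cipher {m['cipher']}")
    data = base64.b64decode(m["data"], validate=True)
    iv = base64.b64decode(m["iv"], validate=True)
    tag = base64.b64decode(m["tag"], validate=True)
    # sops uses a 32-byte GCM nonce and the standard 16-byte tag; anything else
    # means the value was mangled (a bad merge, a stray edit) and will not decrypt.
    if len(iv) != 32 or len(tag) != 16:
        raise ValueError(f"bad iv/tag length: iv={len(iv)} tag={len(tag)}")
    return {"cipher": m["cipher"], "ciphertext_len": len(data),
            "iv_len": len(iv), "tag_len": len(tag), "type": m["type"]}


# Inputs copied from the page's two examples.
DOTENV = {"YES": "encrypt_this", "NO": "not_encrypt_this", "MAYBE": "encrypt_this"}
CRONJOB = {
    "apiVersion": "batch/v1beta1",
    "kind": "CronJob",
    "metadata": {
        "name": "update-adnet-partner-json-stage",
        "namespace": "adnet",
        "labels": {"app": "update-adnet-partner-json-stage"},
    },
    "spec": {"schedule": "*/15 * * * *"},
}
# The encrypted leaf the page shows for YES=encrypt_this.
YES_ENC = ("ENC[AES256_GCM,data:OPE5zmOrFP4SMZWC,"
           "iv:saiSspuVP36vrMfgQWCC9WsRiRwAe6C4Z4nc/6IXsHI=,"
           "tag:d7/IFLxo8+X/e3H5JMKPvw==,type:str]")

if __name__ == "__main__":
    print(classify(DOTENV, "unencrypted_suffix", "NO"))
    print(classify(CRONJOB, "encrypted_regex", "name|app"))
    print(classify(CRONJOB, "encrypted_regex", "^name$"))  # anchored: namespace stays plain
    # AES-GCM ciphertext is as long as the plaintext: 12 bytes for "encrypt_this".
    print(parse_enc(YES_ENC))
```

Running it reproduces the page's outcomes: NO stays plaintext under the suffix rule, and name, namespace and labels.app are all selected by the unanchored "name|app" regex, while "^name$" selects only metadata.name. The parser is a cheap pre-commit check for hand-edited sops files, since a leaf whose iv or tag has the wrong length will only fail later, at decrypt time.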