Secrets
Passing secrets on the command line is bad practice. The most frequently used workarounds are:

- Storing the secret in a file: the secret does not appear in the history, but is recalled from the command line with `$(cat ./secretFile)`. But we often forget to delete the file after operations have been completed, and the secrets end up scattered (unencrypted) across the job servers.
- Bad idea: prefix the bash command with a space. Well known to sysadmins, this trick keeps the command out of the shell history. In practice, the space is often forgotten, and in a shared environment this is **especially bad practice**: if a problem occurs, the absence of a history makes troubleshooting complex.
The proposed solution is native support for SOPS in inventory files. This mechanism allows encrypted secrets to be stored in, and committed to, a Git repository.
When the `-i` parameter is used with the `run` command, automation-cli automatically detects the type of this inventory. If it is encrypted with SOPS, automation-cli uses your SOPS environment to attempt to decrypt it. **Decryption is performed in RAM, and no copies are made to disk.**
```javascript
[...]
// using the sops binary with the current SOPS environment - the result is redirected to a variable
const decryptedContent = execSync(`sops --decrypt ${this.filePath}`);
// the document is parsed from the variable content, never from a decrypted file on disk
yamlDoc = parseDocument(decryptedContent.toString());
[...]
```
Installing and initializing SOPS
SOPS is a project developed by the Mozilla Foundation. The aim is to be able to expose files containing secrets publicly (in a Git repository); using the encrypted files requires the decryption key. The document structure is preserved, and YAML, env, INI and JSON formats are supported.
The encryption keys used are “age” keys.
```bash
sudo apt-get install -y age
version="3.9.1"
platform="amd64" # or arm64
package="/tmp/sops.deb"
sudo wget -O "${package}" "https://github.com/getsops/sops/releases/download/v${version}/sops_${version}_${platform}.deb"
if [ -f "${package}" ]; then
  sudo dpkg -i "${package}"
else
  echo "File ${package} not found"
  exit 1
fi
```
Creating an ‘age’ key
This key will be used by SOPS to encrypt and decrypt SOPS documents.
```bash
# safe to re-run: mkdir -p and chmod are idempotent; age-keygen appends a new key each time it runs
# Default user storage path "(home directory)/.config/sops/age"
mkdir -p ~/.config/sops/age
age-keygen >> ~/.config/sops/age/keys.txt
chmod 600 ~/.config/sops/age/keys.txt
```
The standard output shows the public key that will be used to encrypt your documents.
Saving the key in a password manager
```bash
cat ~/.config/sops/age/keys.txt
```
A key is stored on 3 lines:
```
# created: 2024-08-16T14:36:52+02:00
# public key: [public key]
AGE-SECRET-KEY-[private key]
```
Copy the three lines into your password manager, or encode them with base64: `echo "[content]" | base64 -w 0`.
Adding an existing key
If you already have a key, stored in a team password manager for example, you can add it to your (existing or not yet existing) key file.
```bash
# idempotent for the directory and permissions; the echo appends the key each time it runs
# Default user storage path "(home directory)/.config/sops/age"
mkdir -p ~/.config/sops/age
echo "[key to add (3 lines)]" >> ~/.config/sops/age/keys.txt
# or with base64 content
echo "[base64 content]" | base64 -d >> ~/.config/sops/age/keys.txt
chmod 600 ~/.config/sops/age/keys.txt
```
Creating an encrypted inventory file with SOPS
New file
```bash
sops edit --age [age public key] inventory.yaml
```
Existing file
```bash
sops encrypt --age [age public key] inventory.yaml > inventory.yaml.enc
# delete the original
rm inventory.yaml
# rename the encrypted file to the original inventory file name
mv inventory.yaml.enc inventory.yaml
```
Handling encrypted files with SOPS from the command line
```bash
sops [file full path]
```
By default, sops uses the `vi` editor. To use the editor of your choice (e.g. nano), prefix the command with `EDITOR="nano"`: `EDITOR="nano" sops [file full path]`.
Handling files encrypted with SOPS in VSCode
- Install the extension: @signageos/vscode-sops.
- Open the encrypted file: you are working on a decrypted copy, and with each modification the clear-text content is re-encrypted into the original file.