SOPS: Secure Secrets as Code

SOPS is a tool that provides the ease of hard-coded plain-text secrets with the security of a cloud-based vault, letting you securely publish and manage secrets from inside your code. SOPS does this by generating encrypted files that can be safely committed to GitHub and bundled into your production deployments. These SOPS files are tracked in your repository, which makes sharing secrets between engineers easy, while also doubling as a localized vault that runs inside your application at runtime. This makes adding, removing, and rotating secrets easier across both environments and teams: it reduces the technical and human costs while avoiding the security implications of hard-coded secrets in open-sourced projects.

Hard-coded plain-text secrets

Example of hard-coded plain-text secrets in Node.

Environmental variables

Example of using environmental variables in Node.

Cloud-based vaults

Example of using environmental variables to pass in credentials to fetch and decrypt values from a cloud vault in Node.

SOPS

When coupling SOPS with a key-as-a-service provider like AWS Key Management Service (KMS), you can create a more robust cloud-based permissioning system akin to a standard cloud-based vault with little additional overhead. After setting up a private key in the cloud, you can easily configure SOPS to use that key and then grant decryption (read) and encryption (write) permissions per individual and per runtime environment through the key provider. This lets you easily onboard and offboard engineers, or give only read permissions to production environments, while still managing your secrets as just another part of your code³.

Real world example

Example SOPS library to decrypt a secrets.sops.json file in Node.

This switch from environmental variables to SOPS was night and day for our team, because we no longer had to worry about setting up the development environment for microservices that we had little context about. SOPS does have its limitations, though.

Limitations of SOPS

Having had to write one of those packages myself for Node, a popular language, I can only assume support is also lacking for other languages. This means that if you want to adopt SOPS, you will likely have to roll your own decryptor function in your preferred language. If you have control over your runtime, like inside a Docker container, you can likely install the SOPS tool and hook into it from your application, but I digress. Ultimately this is to say that to programmatically decrypt `.sops` files you will need to explore, and likely write, a solution that works for your use case.

Conclusion

References

[2]: HashiCorp Vault. (April 1, 2022). What is a Vault? https://www.vaultproject.io/docs/what-is-vault

[3]: McGrath, Chris. (June 20, 2019). https://oteemo.com/hashicorp-vault-is-overhyped-and-mozilla-sops-with-kms-and-git-is-massively-underrated/

Erik A. Ekberg

Software engineer with a background in human psychology and data analytics who affords both customer and engineer delight through Agile software architectures.