Securely Encrypting Secrets Using Open Source Tools: SOPS and AGE

Introduction

 In today's world, data security is of utmost importance, especially when dealing with sensitive information like passwords, API keys, and other confidential data. Encrypting secrets ensures that even if unauthorized individuals gain access to the data, they won't be able to decipher its contents. In this blog post, we will explore two powerful open-source tools, SOPS and AGE, that enable secure encryption of secrets.

Installing SOPS and AGE: 

Before we dive into encrypting secrets, let's ensure that we have SOPS and AGE installed on our system. You can download and install SOPS from the official GitHub repository.

SOPS → https://github.com/mozilla/sops/releases 

Similarly, AGE can be installed from its GitHub repository

AGE → https://github.com/FiloSottile/age/releases

Creating the Encryption Key: 

To get started, we need to generate an encryption key using AGE. Open your terminal and execute the following command:

age-keygen -o key.txt

the output of this command will be

age-keygen -o key.txt
Public key: age1rua2rfy0uhzywprgwclavsp39uhfwmrxpanutt4y3zfcjurjs3msa0hnu9

This will create an encryption key file named "key.txt". Next, copy this file to the location ~/.sops/key.txt. You can do this by running the following command:

cp key.txt ~/.sops/key.txt

Configuring SOPS Environment: 

To configure SOPS to use the AGE encryption key, we need to make an entry in our shell configuration file. If you're using the Zsh shell, you can open the configuration file using the following command:

nano ~/.zshrc

add following line to the .zshrc file

export SOPS_AGE_KEY_FILE=~/$HOME/.sops/key.txt

Save the file and exit the editor. This configures SOPS to use the AGE encryption key file we generated earlier.

Encrypting the Secret.yaml File: 

Now, let's encrypt the "secret.yaml" file that contains the secrets we want to protect. Here is the content of the "secret.yaml" file:

apiVersion: v1
kind: Secret
metadata:
    creationTimestamp: null
    name: dev-db-secret
data:
    username: root
    password: supersecretpassword

To encrypt this file, run the following command in your terminal:

sops --encrypt --age $(cat $SOPS_AGE_KEY_FILE | grep -oP "public key: \K(.*)") --encrypted-regex '^(data|stringData)$' --in-place ./secret.yaml

This command uses SOPS along with the AGE encryption key to encrypt the file in-place. The --encrypted-regex option specifies the fields that should be encrypted (in this case, all fields under data and stringData).
Now the secret file has been encrypted as

apiVersion: v1
kind: Secret
metadata:
    creationTimestamp: null
    name: dev-db-secret
data:
    username: ENC[AES256_GCM,data:hW4VXQ==,iv:nkM9UHvHwTx6oUvjcfq/olO/FcuijHvrVmJZfT2eB6k=,tag:pBV7nvNbGSauOCSy5Bar4Q==,type:str]
    password: ENC[AES256_GCM,data:QX7Bb5Idlyf+0sVsTbRaQd4afQ==,iv:VHu8vnW5vfSW7c4fuBNUAznhH+j2QTfij6iPFd9ww0U=,tag:RSd8e6JNbPhGuYFqOcHNAg==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1w6mnsqrank3f3e9rxv6xz4nnpnvrr9zyed2zsm8jkyya8gq5zazqzt58sm
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUdzhOQjV0VlBjT0cvSUtk
            VlVBcU11RG5DRkNWTzROdlNrVHo2bUhVK0NnCmNvR3hJSjY5VHFoMm5Va2ViMFho
            b1k1MFhaM0hOa2p1ODh0R25Vb3NsOWsKLS0tIHZSdy93MVhtZGlwL2M5UktpSDds
            UkdHa0VqcTl3TGM0MXpzMXlJeEJrdUEKdVQmdzWWndJQ1V3WZjgIEB5vQXPM5QfZ
            zv7WhnpN0gHMn2G8oZYbSmIPPT0UFI7+JaySZ5EkZeP/vqcK1Qhmow==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-05-21T14:20:25Z"
    mac: ENC[AES256_GCM,data:kAr8Meo9jeMvfAgiMwhSWIVwaLVd7sU9XHck51hgA67qenE6ORlm2yZcZ75LWo1WkTGoZ+sUdByyYKMFR+zc2SHTT9fnYtLrREtBv9xHz6Kbn/rOEDGDmCNQcBLhQbPdRjzA67rrA8M0V337IJYiIywID2ur8OSXlOSF2M2vW8I=,iv:ZKLCPfpJBcLr8oG/sIVqLbZqd74UMKpS9+YSgQdDsy8=,tag:p6WgJJ3DsCdNbZB9coolhg==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3

Decrypting the Secret.yaml File:

 If you need to access the decrypted contents of the "secret.yaml" file, you can use the following command:

sops --decrypt --age $(cat $SOPS_AGE_KEY_FILE | grep -oP "public key: \K(.*)") --encrypted-regex '^(data|stringData)$' --in-place ./secret.yaml

This command will decrypt the encrypted fields in the file, allowing you to view and modify the secrets as needed.

Conclusion: 

Encrypting secrets is crucial for maintaining data security. In this blog post, we explored the usage of two open-source tools, SOPS and AGE, to encrypt and decrypt secrets. By following the steps outlined, you can effectively protect sensitive information and ensure its confidentiality. Remember to always store your encryption keys securely and follow best practices for secret management to maintain a robust security posture in your projects.

Youtube --> YoutubeVideo