Back to the talks Previous by track: Beguiling Emacs: Guile-Emacs relaunched! Next by track: Elisp and McCLIM Track: Development

Committing secrets with git using sops-mode

Jonathan Otsuka - Pronunciation: O-tsu-ka, https://github.com/djgoku/sops, pitas.axioms0c@icloud.com

Format: 15-min talk; Q&A: BigBlueButton conference room
Etherpad: https://pad.emacsconf.org/2024-secrets
Status: TO_CAPTION_QA

  • 00:00.000 Introduction
  • 03:23.310 Q&A technical issues
  • 07:39.188 Q: Can you describe some potential interactive uses for this within Emacs?
  • 08:08.532 Q: Is this saved in the repo or file as "run sops here" or is the encrypted blob in the git repo?
  • 09:12.067 Q: How do you decide whether to use SOPS or other solutions such as pass-cli?
  • 10:23.630 Q: One limitation with guix (similar package manager to nix) is there is no great way of storing secrets in the store, would SOPS be useful for this?
  • 11:11.983 Q: Wacky question: what happens in sops-mode if you encrypt the already encrypted file as if it was plaintext?
  • 11:49.439 Q: Can you describe some potential interactive uses for this within Emacs?

Duration: 14:57 minutes

Description

This is my first Emacs mode, and it was primarily driven by necessity. Before that, the process was manual. I wanted to do all encrypt and decrypt operations within my current Emacs instance. Currently, I have some notes on how to quickly decrypt and encrypt using AWS KMS. However, it works seamlessly with GPG. I need to add some notes on age and GCP KMS.

https://github.com/djgoku/sops

About the speaker:

My name is Jonathan Otsuka. I have a background in software development and SRE/DevOps. In my free time, I enjoy optimizing my workflow, contributing to open-source projects I use, and engaging in swimming and cycling.

Discussion

  • Q: Can you describe some potential interactive uses for this within Emacs? Is there some other activity that would be enabled with sops decryption first, like an IT or configuration task that requires authentication?
    • A: So in the README right now, there is a block and it's called SOPS setup environment. I think it's a hook. Don't quote me. I haven't touched it in a while. I think that hook runs prior to doing any sort of decryption or encryption. So there's an example in the README for ways that you can set up your SOPS mode for AWS. You can set the profile. It was actually a pretty fun thing to add because with that bit of code, I can pretty much go to any one of our repos and decrypt and encrypt on the fly and not have to do much fanfare of like, well, what account or what profile do I need to switch to? I haven't looked at GCP yet or Azure, and that's kind of one of my future things. I need to maybe look into those to see what they look like and give example configs to help users. Hopefully that answered your question.
  • Q: Is this saved in the repo or file as "run sops here" or is the encrypted blob in the git repo?
    • A: They're saved as just text files so that you can do SOPS and encrypt like a binary. I think in the end, no matter what, they become just a text file, and then it does the encoding and decoding on the fly when you encrypt or decrypt. So no matter what it's going to be, I think it might just be a JSON in the end. Uh, so yeah.
    • Q: Is all the information in the repo, how much would be off the repo?
  • Q: How do you decide whether to use SOPS or other solutions such as pass-cli? (Perhaps not exactly related to this talk)
    • A:
  • Q: One limitation with guix (similar package manager to nix) is there is no great way of storing secrets in the store, would SOPS be useful for this?
    • A: The biggest use case that I've been using it recently is, Bitbucket has a way to... In a repository, you can store non-secrets and secrets. So we're trying to move the secrets into the repository and then allow the engineers to have access to that. Bitbucket variables is a black box. Since the devs can access it, it's manual work for everybody that has to deal with it. Since we're moving SOPS-encrypted files into the repo, now there's that trackability from who made the change and what it changed from, what did it go to, and just things like that. You can use it anytime you'd want to commit them.
  • Q: Wacky question: what happens in sops-mode if you encrypt the already encrypted file as if it was plaintext?
    • A: You know, I might have actually accidentally done that today. I didn't actually see the resulting file. But that's a great question. Well, it's technically still binary, isn't it, at the end? You've got binary stuff that is being encrypted again. It's just double encryption. I'm pretty sure it works.
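
The answer about storage above makes the key operational point: the encrypted blob itself lives in the repository as a plain text (JSON or YAML) file, and git history then tracks who changed which secret. The failure mode a team wants to catch is the opposite case, a secrets file committed before sops encrypted it, or a value pasted back in clear after a decrypt. The following pre-commit style checker is an added example for this page, not code from sops-mode or from the sops project. It assumes JSON secrets files (sops also handles YAML, .env and binary files, but JSON needs no third-party parser) and the layout sops writes: a top-level `sops` metadata object with a `mac` and at least one key group, `ENC[AES256_GCM,...]` leaf values, and an `unencrypted_suffix` (default `_unencrypted`) naming keys that are intentionally left in clear. The sample documents are constructed and contain no real keys or secrets.

```python
"""Guard that refuses to commit a secrets file that sops has not encrypted.

Added example for this talk page; it is not code from sops-mode or from the
sops project. Assumptions: secrets files are JSON (sops also handles YAML,
.env and binary files, but JSON needs no third-party parser here), and an
encrypted file has the layout sops writes: a top-level `sops` metadata
object, `ENC[...]` leaf values, and an `unencrypted_suffix` naming keys that
are intentionally left in clear (default `_unencrypted`).
"""
import json
import re
import sys

# Encrypted scalars look like ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:[a-z]+\]$")

# Key groups sops can record in its metadata; an encrypted file lists at least one.
KEY_GROUPS = ("age", "pgp", "kms", "gcp_kms", "azure_kv", "hc_vault")
DEFAULT_UNENCRYPTED_SUFFIX = "_unencrypted"


def plaintext_leaves(node, suffix, path=""):
    """Yield the paths of scalar values that are not ENC[...] blobs."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.endswith(suffix):
                continue  # sops leaves <name><suffix> subtrees in clear by design
            yield from plaintext_leaves(value, suffix, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from plaintext_leaves(value, suffix, f"{path}[{i}]")
    elif isinstance(node, str):
        if not ENC_RE.match(node):
            yield path
    elif node is not None:
        yield path  # sops encrypts numbers and booleans too; a raw one is plaintext


def check_sops_file(text):
    """Return a list of findings for one file; an empty list means it is safe to commit."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level value is not an object"]

    findings = []
    meta = doc.get("sops")
    suffix = DEFAULT_UNENCRYPTED_SUFFIX
    if not isinstance(meta, dict):
        findings.append("missing `sops` metadata block: file was never encrypted")
    else:
        suffix = meta.get("unencrypted_suffix", suffix)
        if not meta.get("mac"):
            findings.append("`sops.mac` missing: no integrity MAC over the values")
        if not any(group in meta for group in KEY_GROUPS):
            findings.append("no key group (age/pgp/kms/...) recorded in `sops` metadata")

    body = {k: v for k, v in doc.items() if k != "sops"}
    findings.extend(f"plaintext value at {path}" for path in plaintext_leaves(body, suffix))
    return findings


# Constructed samples (not real secrets, keys, or real sops output).
ENCRYPTED_SAMPLE = json.dumps({
    "db_password": "ENC[AES256_GCM,data:q4M2pQ==,iv:YWJj,tag:ZGVm,type:str]",
    "db_port_unencrypted": 5432,
    "sops": {
        "age": [{"recipient": "age1placeholder", "enc": "-----BEGIN AGE ENCRYPTED FILE-----placeholder"}],
        "lastmodified": "2024-12-07T00:00:00Z",
        "mac": "ENC[AES256_GCM,data:bWFj,iv:YWJj,tag:ZGVm,type:str]",
        "unencrypted_suffix": "_unencrypted",
        "version": "3.9.0",
    },
})
PLAINTEXT_SAMPLE = json.dumps({"db_password": "hunter2", "db_port_unencrypted": 5432})
# An encrypted file in which a value was pasted back in clear after decrypting.
PARTIAL_SAMPLE = ENCRYPTED_SAMPLE.replace(
    "ENC[AES256_GCM,data:q4M2pQ==,iv:YWJj,tag:ZGVm,type:str]", "hunter2")


def main(paths):
    """Check each file; return non-zero if any would leak plaintext (pre-commit style)."""
    bad = False
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            findings = check_sops_file(fh.read())
        for finding in findings:
            print(f"{path}: {finding}")
            bad = True
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired into a git pre-commit hook (`python check_sops.py $(git diff --cached --name-only -- 'secrets/*.json')`), this fails the commit on the plaintext and partially re-cleared cases and passes the fully encrypted one. The scan skips the `sops` metadata object itself because its `lastmodified`, `version` and key-group fields are plaintext by design; only the `mac` inside it is an `ENC[...]` value. A file that was double-encrypted, as in the last question above, passes the check unchanged, since every leaf outside the outer `sops` block is still an `ENC[...]` value.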

Transcript (unedited)

[00:00:00.000] Introduction
Yeah, my talk is committing secrets with Git via SOPS mode. So what is SOPS? SOPS came originally from Mozilla, and their acronym was Secret Operations, so S-O-P-S. It's a utility that allows you to encrypt pretty much any file you want and then have the ability to commit it or just share it with somebody that has the ability to decrypt it. I've mostly used it with AWS KMS, but there's a number of encryptions, ways you can encrypt it. Um, so yeah, that's what SOPS mode is. Most of the time I've used it is with application or deployment secrets--decrypt them on the fly during a pipeline run and then use them. We've also been using it for kind of a self-service for engineers to be able to say, if there's an API token that they need either in the container or that gets put somewhere else, that's another way to use SOPS. Just sharing secrets. The tooling, there's quite a bit of tooling for Terraform. You can just decrypt it and then use it however you want. Ansible, it's another place, and then Kubernetes... There'll be links at the very end. There's actually a Nix SOPS too. I think there's a link in the end. So yeah, I'll just show a quick demo. I'll actually show it in Emacs too, but this is the idea. I'm just going to create a file and then I'm going to encrypt it with age. Then we should see the encrypted file be output here. The idea is you can decrypt it there. So my talk was... the reason how my talk came about was there was no mode like this yet. So I didn't want to have to... What you can do is you can pass in the editor variable, set your Emacs, then call the command, but that opens a whole new window. I wanted to live in my current Emacs. So this is that same encrypted file that we just created. I'm going to quickly do C-c C-d. So now we're in the SOPS decrypted mode of the file. I can save this, or make changes and save it. And then it resaves it. I'll just show you that decrypting it shows what we changed. I think that's most of my talk. 
There's future stuff that I would like to do with this. There's no way to create SOPS files from scratch. And then just putting more documentation around the other ways you can set up your editor to decrypt. But yeah, here's all the links. I haven't uploaded this yet, but yeah, that is my talk.
[00:03:23.310] Q&A technical issues
[Leo] Okay. Thank you, Jonathan. Let me just make sure. So everything you've mentioned about putting stuff available to everyone, we'll make sure that everything ends up on the pad and on the website, so don't worry. Let me see if we can get up the pad for you. Do you have any preference with regards to the questions? Do you want to read them yourself or do you want one of us to read them for you? saying it out loud if there are some. Where is it? There you go. Do you have access to the pad on your end? Yep. Okay. Well, if you, since you're already showing your screen, if you can maybe switch the window to the one that is hosting the pad and feel free to start answering questions. Yep. It didn't look like we have any yet, but... Well, there's still coming, don't worry. We're just waiting for people to catch up. I probably need to make it bigger. Is it big enough or do I need to make it bigger? Right now, it's just a black screen on my end, so... Oh, wow. Weird. I can see it on mine, weirdly. Maybe it's just me. Let me check here. No, it seems to be just a black square, even on the stream. Try it again. That change at all? No, it's still black. Can you maybe start switching window and coming back to the one? Otherwise, I'll just stream it on my end. Yeah. All right, I'll do it. I'll take presenter in just a second. Yeah, sorry about that. Thank you. If I can take presenter, and I will share the screen. Sorry, I'm just trying to find a chat. There we go. Normally, I'm not supposed to be on the dev track, which is why I'm confusing all my windows. Give me just a second. Shell, casual. So we are on the dev track, and it is this one. There we go. No, that's not a guide, damn it. Secrets. And... There we go, finally. Ah. Probably just for the delay, do some jazz hands in the background as we did in the start. It feels like Yordle[??] Castle this year, where nothing works properly. That's right. All right. There we go. It's loading up. Obviously. There we go. All right. 
You should be able to see my screen now. Yep. All right. So, well, we've gone so far. Oh, it did stop. Damn it. Sorry, now it's BBB not behaving properly. That's right. Okay, let me just join, leave and join again. Okay. I just did exactly that for what it's worth. Nothing. All right. All right, I seem to be back. Let me show. And there we go. All right, everything is working. I'm not touching anything. So. Cool.
[00:07:39.188] Q: Can you describe some potential interactive uses for this within Emacs?
Yeah, I'll just start with the top. Can you describe some potential interactive uses for this within Emacs? Um, I'm, I'm not actually sure what this means. Could we, could you add some more context maybe? Or, um, I think we'll maybe come back to that one. I'm not sure what, uh, potential interactive uses mean, but.
[00:08:08.532] Q: Is this saved in the repo or file as "run sops here" or is the encrypted blob in the git repo?
Yep. Uh, is this saved in the repo or file as run SOPS here? Oh, encrypted. They're saved as just text files so that you can do SOPS and encrypt like a binary. I think in the end, no matter what, they become just a text file, and then it does the encoding and decoding on the fly when you encrypt or decrypt. So no matter what it's going to be, I think it might just be a JSON in the end. Uh, so yeah. I'll try to, well, I can type out that answer, but all right. Don't worry about typing it out. We are gathering the recordings at the end, you know, even answers that are not provided, we'll type them out eventually. So don't stress too much about the actual answers being written. Okay. All right. So I'll go to the third one.
[00:09:12.067] Q: How do you decide whether to use SOPS or other solutions such as pass-cli?
How do you decide whether to use SOPS or other solutions such as pass-cli? The biggest use case that I've been using it recently is, Bitbucket has a way to... In a repository, you can store non-secrets and secrets. So we're trying to move the secrets into the repository and then allow the engineers to have access to that. Bitbucket variables is a black box. Since the devs can access it, it's manual work for everybody that has to deal with it. Since we're moving SOPS-encrypted files into the repo, now there's that trackability from who made the change and what it changed from, what did it go to, and just things like that. You can use it anytime you'd want to commit them.
[00:10:23.630] Q: One limitation with guix (similar package manager to nix) is there is no great way of storing secrets in the store, would SOPS be useful for this?
One limitation with GUIX is there's no great way to store secrets in the store. Yeah, I think, sorry... Let me. One limitation of GUIX is there's no way to store secrets in the store. Would SOPS be useful for this? I think so, but I don't know how that package manager works, if it's just like some sort of "you decrypt and then you run the package manager," then yeah, that's a lot of our workflows. If we're doing a deployment and the container needs it, we'll decrypt, put that in whatever place, or source it if it's an environment file for the container, and then pass it in. I think it'd be a great choice there.
[00:11:11.983] Q: Wacky question: what happens in sops-mode if you encrypt the already encrypted file as if it was plaintext?
A wacky question. What happens in sops mode if you encrypt an already encrypted file as if it was plain text? You know, I might have actually accidentally done that today. I didn't actually see the resulting file. But that's a great question. Well, it's technically still binary, isn't it, at the end? You've got binary stuff that is being encrypted again. It's just double encryption. I'm pretty sure it works. Yeah, probably. I'm going to go back up to the top one.
[00:11:49.439] Q: can you describe some potential interactive uses for this within Emacs
Can you describe some potential interactive uses for this within Emacs? Is there some other activity that would enable or it would be enabled with SOPS decryption first, like an IT configuration task. So in the README right now, there is a block and it's called SOPS setup environment. I think it's a hook. Don't quote me. I haven't touched it in a while. I think that hook runs prior to doing any sort of decryption or encryption. So there's an example in the README for ways that you can set up your SOPS mode for AWS. You can set the profile. It was actually a pretty fun thing to add because with that bit of code, I can pretty much go to any one of our repos and decrypt and encrypt on the fly and not have to do much fanfare of like, well, what account or what profile do I need to switch to? I haven't looked at GCP yet or Azure, and that's kind of one of my future things. I need to maybe look into those to see what they look like and give example configs to help users. Hopefully that answered your question. I think so. Continuing the theme of this, both of you being cursed, my X11 decided to crash. Nothing is going well with this one. Have you answered all the questions? I think so. Well, do you have anything else to add, perhaps? Maybe something that wasn't enough to fit in your live presentation? No, I'm excited to see the other talks and I hope everybody has fun too. Yeah, if you have any other questions, just email me. That's all. I got nothing. Okay, cool. presentation. It was, sorry for all the technical problems, we tried our best, but I think we still managed to have a live presentation, and we managed to have some questions from the crowd. So, as far as I'm concerned, I think we did a good job. I just have to say. It's been a privilege to jump in with it here and there and to just listen to the great conversations. which is going to be a similar format to this talk. We'll probably jump right into that in just about two minutes. 
We'll give you another countdown here. One second. Well, we arranged that and meanwhile, I just want to take my own little humble opportunity to thank you Jonathan, and I guess everybody else.

Questions or comments? Please e-mail pitas.axioms0c@icloud.com
