Comments (10)
Hi @Legomaniac, sorry for the late reply, it seems that I skipped the notification for this issue.
I've been thinking about this exact feature for a while now. I think it would be very valuable to have. Implementation is somewhat tricky, we basically have 3 options:
1. create a top level `unencrypted` key, under which everything is in clear
2. allow prepending a suffix such as `_clear` to keys in the tree, which would force sops to skip that branch entirely (everything underneath it would be in cleartext)
3. support some form of pattern matching that's user configurable to define what should be in clear and/or encrypted. For example, starting `sops` with `--unencrypted "key1|somekey2"` would treat the flag value as a regex to leave both "key1" and "somekey2" in cleartext. Similarly, we could have a flag `--default-unencrypted` paired with `--encrypt "key1|somekey2"` to leave the whole document in clear except for "key1" and "somekey2". This option is a lot more complex to implement than 1 or 2, but provides more flexibility.
I have a small preference for option 2, but could be convinced that other options are better.
from sops.
I am impartial to option (2) as well; it allows similar configuration items to be placed side by side and is obvious to humans (whereas `unencrypted` would require starting from the root node always (bad for branches) and the `--unencrypted` CLI flag seems error-prone and requires 2 steps from humans).
One other option which is YAML specific would be to define a custom YAML tag (e.g. `!enc`) to use in the value (e.g. `!enc "hello-world"`). Here's an example from Charlatan which uses `!now` to load the current time as a value:
https://github.com/uber/charlatan/blob/0.4.6/charlatan/file_format.py#L96
https://github.com/uber/charlatan/blob/0.4.6/charlatan/file_format.py#L40-L50
https://github.com/uber/charlatan/blob/0.4.6/charlatan/tests/data/special_tags.yaml
http://pyyaml.org/wiki/PyYAMLDocumentation#Constructorsrepresentersresolvers
from sops.
I'm not too thrilled about the idea of getting into custom YAML parsing. It would be tricky to implement, and it doesn't work with JSON. I think implementing option 2) is the way forward. Since I likely won't have time to implement it for several weeks, if someone wants to take a crack at it, I'll be happy to review the patch.
from sops.
I'm not claiming this yet but to make sure we are on the same page for (2). For a file with some plaintext keys, would we keep the keys the same upon save or strip the `_clear` suffix and store it in metadata?

Example with `_clear` suffix maintained:

On-disk:

```yaml
hello:
  world_clear: hi
sops:
  kms: ...
```

While editing via `sops`:

```yaml
hello:
  world_clear: hi
```

Example with `_clear` suffix stripped:

On-disk:

```yaml
hello:
  world: hi
sops:
  clear_keys: ['hello.world']
  kms: ...
```

While editing via `sops`:

```yaml
hello:
  world_clear: hi
```
from sops.
I think we should always keep the `_clear` suffix in the keys directly, not in the metadata, to avoid confusing the user.
from sops.
Cool, and are we definitely going with the `_clear` suffix or should we use something more canonical like `_plaintext` or `_plain`?
Also, some people might have an edge case where they need to set a different suffix. Do we want to build a CLI flag and metadata key for that (e.g. `--clear-suffix '_unencrypted'` and `sops.clear_suffix: _unencrypted`) or ignore it for now?
from sops.
`_unencrypted` is probably a more explicit default.
👍 on the cmdline flag to set the `--unencrypted-suffix` and store it in the metadata.
from sops.
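The thread above settles on a key suffix (option 2 from the first comment) that exempts a whole branch, with the suffix value passed on the command line and recorded in the `sops` metadata so decryption needs no flag. The following is an added example, not code from sops or from anyone in this thread: a small model of that tree walk, with the regex rule (option 3) beside it for comparison, plus an audit helper that lists what actually ended up in clear. The encrypt/decrypt pair is a reversible stand-in (marker plus base64 of the JSON-encoded leaf), not sops' AES-256-GCM `ENC[...]` format; the metadata key names `sops.unencrypted_suffix` and `sops.unencrypted_regex`, all function names, and the sample document are assumptions made for this example.

```python
"""Added example (not sops' own code): model of the unencrypted-suffix rule.

Assumptions, stated as such: the cipher below is a reversible stand-in with no
confidentiality; the metadata key names and function names are chosen here.
"""
import base64
import copy
import json
import re

DEFAULT_UNENCRYPTED_SUFFIX = "_unencrypted"   # default agreed on in the thread
ENC_PREFIX, ENC_SUFFIX = "ENC[", "]"


def _encrypt_value(leaf):
    # Stand-in cipher: JSON keeps the scalar type (int/bool/str) across the
    # round trip. Offers no secrecy; only the tree walk is under test here.
    return ENC_PREFIX + base64.b64encode(json.dumps(leaf).encode()).decode() + ENC_SUFFIX


def _is_encrypted(leaf):
    return isinstance(leaf, str) and leaf.startswith(ENC_PREFIX) and leaf.endswith(ENC_SUFFIX)


def _decrypt_value(leaf):
    if not _is_encrypted(leaf):
        # A plaintext leaf outside an exempt branch means the file was edited
        # by hand or the suffix changed; refuse rather than guess.
        raise ValueError(f"leaf is not encrypted: {leaf!r}")
    return json.loads(base64.b64decode(leaf[len(ENC_PREFIX):-len(ENC_SUFFIX)]))


def _walk(node, fn, suffix, regex, top_level=True):
    """Apply ``fn`` to every leaf except those under an exempt key.

    A key is exempt when it ends with ``suffix`` or matches ``regex``; the
    subtree beneath it is copied as-is, so a nested exempt branch does not have
    to be declared from the root. The top-level ``sops`` branch is never touched.
    """
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            name = str(key)
            exempt = ((top_level and name == "sops") or name.endswith(suffix)
                      or (regex is not None and regex.search(name) is not None))
            out[key] = copy.deepcopy(value) if exempt else _walk(value, fn, suffix, regex, False)
        return out
    if isinstance(node, list):
        return [_walk(item, fn, suffix, regex, False) for item in node]
    return fn(node)


def encrypt_tree(tree, unencrypted_suffix=None, unencrypted_regex=None):
    """Model of ``sops -e [--unencrypted-suffix S]``: encrypt the leaves and
    record the suffix (and regex, if given) in the metadata branch."""
    suffix = unencrypted_suffix or DEFAULT_UNENCRYPTED_SUFFIX
    regex = re.compile(unencrypted_regex) if unencrypted_regex else None
    out = _walk(tree, _encrypt_value, suffix, regex)
    meta = dict(out.get("sops", {}))
    meta["unencrypted_suffix"] = suffix           # assumed metadata key name
    if unencrypted_regex:
        meta["unencrypted_regex"] = unencrypted_regex
    out["sops"] = meta
    return out


def decrypt_tree(tree):
    """Read the exemption rules back from metadata and reverse the walk."""
    meta = tree.get("sops", {})
    suffix = meta.get("unencrypted_suffix", DEFAULT_UNENCRYPTED_SUFFIX)
    pattern = meta.get("unencrypted_regex")
    return _walk(tree, _decrypt_value, suffix, re.compile(pattern) if pattern else None)


def cleartext_leaves(tree):
    """Audit: sorted dotted paths of every leaf left in clear (metadata excluded).

    Worth running before committing: a suffix on an intermediate key exempts
    everything beneath it, and key names are never encrypted either way.
    """
    found = []

    def visit(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if not path and str(key) == "sops":
                    continue
                visit(value, path + (str(key),))
        elif isinstance(node, list):
            for index, value in enumerate(node):
                visit(value, path + (str(index),))
        elif not _is_encrypted(node):
            found.append(".".join(path))

    visit(tree, ())
    return sorted(found)


# Constructed sample document for this example (not from the issue).
SAMPLE = {
    "database": {
        "host_unencrypted": "db.internal",   # exempt by suffix
        "password": "s3cr3t",
        "replicas": ["r1", "r2"],
    },
    "feature_flags_unencrypted": {"beta": True, "retries": 3},   # whole branch exempt
    "api_key": "AKIA-EXAMPLE",
}

if __name__ == "__main__":
    encrypted = encrypt_tree(SAMPLE)
    print("left in clear:", cleartext_leaves(encrypted))
    restored = decrypt_tree(encrypted)
    restored.pop("sops")
    assert restored == SAMPLE
```

Two things the walk makes visible that the flag alone does not: changing the suffix on an already-encrypted file (`_clear` vs `_unencrypted`) flips which branches are exempt, which is why storing it in the metadata matters, and `cleartext_leaves` is the check to run before committing, since an exempt intermediate key takes its whole subtree with it. Real sops additionally keeps a MAC over the document in its metadata; the `ValueError` on an unexpected plaintext leaf is only a stand-in for that.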
Cool, thanks for the quick replies. To reiterate, I haven't yet claimed this issue but I will definitely put it at the top of my queue =) (I will comment if/when I start work on this to prevent duplicate work)
from sops.
I started working on this earlier, got a proof of concept working with tests, and currently iterating on CLI integration.
from sops.
I have opened up a PR to resolve this issue #47
from sops.