[Feature request] Add the ability to specify KMS ARN or PGP FP when using Python API about sops HOT 4 CLOSED

I'd like to understand your use case better here: what are you trying to achieve?

Decrypting a file does not require setting the KMS ARN of the PGP FP, because the encrypted file keeps the information about which keys can decrypt it in the sops metadata at the bottom of the file. Upon decryption, sops tries all the master keys and the first one that is available is used to decrypt the file.

from sops.

@jvehent Ahh, I called out decryption since that on my mind at the time. The use case here is to replicate the functionality of git-crypt, where I can configure a filter in gitattributes and automatically encrypt all files in a directory. I'd like to programmatically specify the KMS ARNs and/or PGP FPs so new files are automatically encrypted with the same keys.

The goal is to reduce the chance of accidental check in of secret data.

from sops.

You can set the KMS ARN and the PGP FPs using command line flags, as follows:

sops --kms "arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500+arn:aws:iam::927034868273:role/hiera-sops-dev, arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod" \
--pgp 6F73539153B31C193A2154EAF7A9B793541A953D \
/path/to/my/file

The syntax of the --kms and --pgp flags is identical to the environment variables.

Does that solve your issue?

from sops.

Does that solve your issue?

Yes, this should be fine. Thank you!

from sops.