Comments (4)
I'd like to understand your use case better here: what are you trying to achieve?
Decrypting a file does not require setting the KMS ARN or the PGP FP, because the encrypted file keeps the information about which keys can decrypt it in the sops metadata at the bottom of the file. Upon decryption, sops tries all the master keys and the first one that is available is used to decrypt the file.
@jvehent Ahh, I called out decryption since that was on my mind at the time. The use case here is to replicate the functionality of git-crypt, where I can configure a filter in gitattributes and automatically encrypt all files in a directory. I'd like to programmatically specify the KMS ARNs and/or PGP FPs so new files are automatically encrypted with the same keys.
The goal is to reduce the chance of accidental check-in of secret data.
You can set the KMS ARN and the PGP FPs using command line flags, as follows:
sops --kms "arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500+arn:aws:iam::927034868273:role/hiera-sops-dev, arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod" \
--pgp 6F73539153B31C193A2154EAF7A9B793541A953D \
/path/to/my/file
The syntax of the --kms and --pgp flags is identical to the environment variables.
Does that solve your issue?
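The comment above shows the value syntax of --kms (key ARNs separated by commas, each optionally followed by "+" and an IAM role ARN to assume) and --pgp (fingerprints separated by commas), and says the same syntax applies to the environment variables. The following is an added example, not code from the sops project: a small helper a git clean filter or pre-commit wrapper could call to validate that syntax and assemble either the sops command line or the equivalent environment (assumed here to be SOPS_KMS_ARN and SOPS_PGP_FP, the variables sops reads; the --encrypt flag is sops' non-interactive encrypt mode). Rejecting a malformed ARN or a truncated fingerprint before sops runs is what keeps a typo from producing a file encrypted to the wrong recipient or to no recipient at all. The sample values in the main block are the ones from the comment above.

```python
import re
import shlex

# Constructed validation patterns (assumption: KMS key ARNs of the "key/<id>" form,
# IAM role ARNs, and 40-hex-digit PGP fingerprints, as in the comment above).
KMS_KEY_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-fA-F-]+$")
IAM_ROLE_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+$")
PGP_FP_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def parse_kms(value):
    """Split a --kms / SOPS_KMS_ARN value into (key_arn, role_arn_or_None) tuples."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        key_arn, _, role_arn = raw.partition("+")  # "+role" is optional
        if not KMS_KEY_RE.match(key_arn):
            raise ValueError(f"not a KMS key ARN: {key_arn!r}")
        if role_arn and not IAM_ROLE_RE.match(role_arn):
            raise ValueError(f"not an IAM role ARN: {role_arn!r}")
        entries.append((key_arn, role_arn or None))
    if not entries:
        raise ValueError("--kms value contains no key ARNs")
    return entries


def parse_pgp(value):
    """Split a --pgp / SOPS_PGP_FP value into upper-cased 40-hex-digit fingerprints."""
    fps = []
    for raw in value.split(","):
        raw = raw.strip().replace(" ", "")  # tolerate the spaced form gpg prints
        if not raw:
            continue
        if not PGP_FP_RE.match(raw):
            raise ValueError(f"not a full 40-hex-digit PGP fingerprint: {raw!r}")
        fps.append(raw.upper())
    if not fps:
        raise ValueError("--pgp value contains no fingerprints")
    return fps


def kms_flag_value(entries):
    """Re-serialise parsed KMS entries in sops' own syntax: key[+role], comma separated."""
    return ",".join(k if r is None else f"{k}+{r}" for k, r in entries)


def build_sops_argv(path, kms=None, pgp=None):
    """Assemble argv for a non-interactive `sops --encrypt` of one file.

    Key material is validated first, so a malformed value fails here instead of
    leaving a file encrypted to an unintended or empty set of master keys.
    """
    if kms is None and pgp is None:
        raise ValueError("at least one master key (KMS or PGP) is required")
    argv = ["sops", "--encrypt"]
    if kms is not None:
        argv += ["--kms", kms_flag_value(parse_kms(kms))]
    if pgp is not None:
        argv += ["--pgp", ",".join(parse_pgp(pgp))]
    argv.append(path)
    return argv


def env_for(kms=None, pgp=None):
    """The same key material as environment variables, the form a git filter
    would export once so every sops invocation uses identical master keys."""
    env = {}
    if kms is not None:
        env["SOPS_KMS_ARN"] = kms_flag_value(parse_kms(kms))
    if pgp is not None:
        env["SOPS_PGP_FP"] = ",".join(parse_pgp(pgp))
    return env


if __name__ == "__main__":
    # Constructed input: the --kms and --pgp values from the comment above.
    KMS = ("arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500"
           "+arn:aws:iam::927034868273:role/hiera-sops-dev, "
           "arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e"
           "+arn:aws:iam::361527076523:role/hiera-sops-prod")
    PGP = "6F73539153B31C193A2154EAF7A9B793541A953D"
    print(shlex.join(build_sops_argv("/path/to/my/file", KMS, PGP)))
    for name, value in env_for(KMS, PGP).items():
        print(f"export {name}={shlex.quote(value)}")
```

Wired into a gitattributes clean filter, the wrapper would export the env_for() output once and invoke sops per file, so every new file in the directory is encrypted to the same master keys without anyone retyping ARNs or fingerprints.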
Yes, this should be fine. Thank you!