Encrypt Your Sensitive Information Before Storing It - Encrypting with Mozilla SOPS and AGE

Committing secrets to your Git repo can expose passwords, access tokens, and other sensitive information. Some might think that committing secrets to a private Git repo is OK, but I am here to tell you it's not. If you're going to commit secrets to a Git repo, private or public, encrypt them first using Mozilla SOPS (Secrets OPerationS) and age. SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. age is a simple, modern and secure file encryption tool and format, written in Go. Together they encrypt and decrypt your files, making them safe enough to commit to your Git repos! Keep in mind that for the structured formats SOPS encrypts only the values: key names stay readable in the committed file, and the age private key itself must never be committed.

A HUGE thanks to Datree for sponsoring this video!
Combat misconfigurations. Empower engineers.

(Affiliate links may be included in this description. I may receive a small commission at no cost to you.)

00:00 - Are Private repos safe to commit secrets?
01:02 - What is Mozilla Sops and Age
01:58 - Ad: Datree - Prevent Kubernetes Misconfigurations
03:18 - Getting Started with SOPS
04:26 - Getting Started with Age Encryption
05:32 - Creating an Encryption Key Pair
07:43 - Encrypting and Decrypting YAML (.yml / .yaml)
12:59 - Encrypting and Decrypting Kubernetes Secrets
14:35 - VSCode SOPS Extension
17:05 - Encrypting and Decrypting ENV (dotenv / .env)
19:35 - Encrypting and Decrypting JSON (.json)
20:54 - Encrypting and Decrypting INI (.ini)
22:14 - Encrypting and Decrypting ANY File
24:01 - I Love Encrypting Now That I Know How!
24:39 - Stream Highlight - "105 Days of HomeLab"

Music By Harris Heller

Some video clips are licensed under Creative Commons license.
Video clips are from Yaroslav Shuraev, Mikhail Nilov, Matthew Lee Moore, KoolShooters, Tima Miroshnichenko

Thank you for watching!
Comments

This couldn't have been timed better. Having worked through a number of your other video walkthroughs, I had built up a codebase I didn't want to risk losing, but knew I couldn't commit yet because of the secrets throughout. I'd set aside this weekend to fix that problem and was looking at SOPS to do so. Thanks for being psychic (and helpful)!

TikariChess

A couple of words of advice for further securing your secrets:
1. You need a safeguard mechanism to verify that an unencrypted file is not committed to the repo
2. VSCode extensions can be a security threat - the marketplace doesn't really validate the extensions and it allows duplicate names for extensions which allows impersonating a known extension. A scenario could occur where the extension decrypts the secrets and sends them over the net to an attacker.

dudicohen
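An added example, not the video's own commands and not code from the SOPS or age projects, tying the workflow in the description to the first piece of dudicohen's advice above: it writes a .sops.yaml so that a plain sops -e works, wraps the age key generation and the sops encrypt/decrypt round trip, and adds a pre-commit guard that rejects any staged file under secrets/ that is not SOPS-encrypted. The secrets/ layout, the key file path, and the sample files are this example's own assumptions; the guard's detection of SOPS output is a heuristic written here, not a SOPS feature.

```shell
#!/bin/sh
# Added example, not code from the video or from the SOPS/age projects.
# Assumptions (this example's choices): secrets live under ./secrets/,
# Kubernetes manifests under ./secrets/k8s/, and the age key file path
# below; sops itself honours SOPS_AGE_KEY_FILE when it is set.
set -eu

# .sops.yaml: the first rule whose path_regex matches a file wins, so plain
# "sops -e FILE" needs no --age flag.  For Kubernetes Secret manifests only
# the data/stringData values are encrypted, leaving apiVersion/kind readable.
write_sops_config() {           # $1 = age public key, $2 = output path
  cat > "$2" <<EOF
creation_rules:
  - path_regex: secrets/k8s/.*\.ya?ml$
    encrypted_regex: ^(data|stringData)$
    age: $1
  - path_regex: secrets/.*
    age: $1
EOF
}

# A sops-encrypted file, whatever its format, carries ENC[AES256_GCM,...]
# values plus a MAC in the sops metadata (YAML "mac:", JSON "mac":,
# dotenv sops_mac=, INI "mac =").  A plaintext secret has neither.
is_sops_encrypted() {           # $1 = file; exit 0 only if encrypted
  grep -q 'ENC\[AES256_GCM,data:' "$1" &&
  grep -Eq '(^|[[:space:]"_])mac"?[[:space:]]*[:=][[:space:]]*"?ENC\[AES256_GCM,' "$1"
}

# Pre-commit guard: refuse the commit when any staged file under secrets/
# is not sops-encrypted.  Install by calling it from .git/hooks/pre-commit.
check_staged_secrets() {
  bad=$(git diff --cached --name-only --diff-filter=AM -- secrets/ |
        while IFS= read -r f; do is_sops_encrypted "$f" || echo "$f"; done)
  [ -z "$bad" ] || {
    printf 'refusing commit, plaintext secrets staged:\n%s\n' "$bad" >&2
    return 1
  }
}

# The encrypt/decrypt round trip from the video, run only when sops and
# age are installed.  sops locates the private key via SOPS_AGE_KEY_FILE.
sops_roundtrip() {              # $1 = plaintext file under secrets/
  if ! command -v sops >/dev/null || ! command -v age-keygen >/dev/null; then
    echo "sops/age not installed, skipping round trip" >&2; return 2
  fi
  export SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$HOME/.config/sops/age/keys.txt}"
  if [ ! -f "$SOPS_AGE_KEY_FILE" ]; then
    mkdir -p "$(dirname "$SOPS_AGE_KEY_FILE")"
    age-keygen -o "$SOPS_AGE_KEY_FILE"     # private key: never commit this file
  fi
  pub=$(grep '^# public key:' "$SOPS_AGE_KEY_FILE" | cut -d' ' -f4)
  write_sops_config "$pub" .sops.yaml    # .sops.yaml is safe to commit
  sops -e -i "$1"                        # encrypt in place
  is_sops_encrypted "$1"                 # the guard now accepts it
  sops -d "$1"                           # prints plaintext; -d -i restores it
}

# Constructed samples (not real secrets) so the guard can be exercised
# without sops installed: one plaintext YAML, one shaped like sops output.
demo_check() {
  d=$(mktemp -d)
  printf 'password: hunter2\n' > "$d/plain.yaml"
  cat > "$d/enc.yaml" <<'EOF'
password: ENC[AES256_GCM,data:c2VjcmV0,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1examplerecipientplaceholder
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
EOF
  if is_sops_encrypted "$d/plain.yaml"; then echo "plain.yaml wrongly accepted"; return 1; fi
  if ! is_sops_encrypted "$d/enc.yaml"; then echo "enc.yaml wrongly rejected"; return 1; fi
  rm -rf "$d"
  echo "guard OK"
}

demo_check
```

Run the script once to see the guard accept the constructed sops-shaped file and reject the plaintext one; with sops and age installed, `sops_roundtrip secrets/app.yaml` exercises the real tools. The pre-commit check is a cheap first line of defence, not proof of correctness: a CI job that runs `sops -d` against every file under secrets/ with a read-only key catches files that merely look encrypted.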

This is a big uplift in security maturity. Brilliant tutorial!

TimSumpton

I already knew about SOPS but this VSCode extension is awesome

mauridocarmo

Thanks for pmo, and will try this out! I’ve only discovered your channel a little bit ago but after checking out a lot of your vids, I really want to say I love your content. Concise, technical, and fun (for me at least😅). It’s nice to see content creators I can resonate with.

levybuildz

This is very topical and I will absolutely want to cover this again and in the next version of 90DaysOfDevOps

DaysOfDevOps

Why should PGP/GPG be deprecated for file encryption? Awesome video as usual

Pariah

I use IntelliJ and there is also a plugin for it. Your video saved me a lot of time, thank you :)

f.

Ansible vault, since I deploy my containers from ansible.

PierricDescamps

Pity that you don't show the flux extension, it's not that complicated, maybe in the next video? 😉 Thumbs up for the VSCode extension, it works nicely.
Btw you can have a sops config file in the folder with the public key and a regex so that you don't have to type all that in the command, a simple sops -e <filename> will do.
Thanks for the video, and maybe think about key retention in the next one too, should be an interesting topic to cover.

Spuny

Wrong at 14:12. When decrypting, it is already looking for the SOPS_AGE_KEY_FILE variable to find the private key, so you don't need to pass it like that with --age $(....)

est

Thanks for sharing all the details, exactly what I was looking for.
It seems the signageos one is working fine now (official version). You can also create a .sopsrc in your project with some config.

lfnkf

Can you do a tutorial on OVS in Proxmox?

koevoet

Excellent video!! You could even turn all those many commands into either a group of shell scripts or aliases, for simplicity and to avoid having to go find them for copy-paste when needed... if you chose to use the CLI method over a VSCode extension.

ThePC_Geek

Love your show. It is easier to consume your content when you switch between you full-screen and the code you are demonstrating. The mini you in the video is actually a little distracting. I don't make videos yet, but creator to creator: I write blogs and code. Your videos are nice and complete. Never left hanging to make a big brain moment happen.

WHAT-GRINDS-MY-GEARS

It is also a good idea to implement a small CLI that automatically takes your .yaml from the secret, encrypts it and puts it in the desired 'secrets' folder... and lets flux do the magic!

Lst

"If you have one problem and you solve it with regex, now you have two problems."
Bwahahah!! Love it. I love regex, but yeah.

hsteckylf

Mozilla SOPS seems to be a dying project. They currently have no active maintainer but lots of CVEs :(

DrSarez

I currently use an encrypted folder in some of my cloud folders. I do hope that the encryption delays the bad guys a little bit.

nmadfernan

Philosophical question.

If a complex username matches (equivalent to) a public key
and a private key matches (equivalent to) an equivalent complex password
How are these things different? Why is a key-pair better?

compB