SOPS¶
Imported from Confluence
Content may be outdated. Verify before following any procedures. Last updated: January 2023
We use SOPS to encrypt sensitive data in our Helm and Terraform repositories. Details and installation notes: sops (GitHub)
SOPS uses GCP KMS as the key backend. The file values are encrypted locally with a per-file data key, and only that data key is wrapped with the KMS key, so the KMS key itself never leaves Google. This also means that anyone with decrypt permission on the KMS key (roles/cloudkms.cryptoKeyEncrypterDecrypter) can decrypt every file encrypted with it.
Each GCP project should have its own KMS key for encryption.
Below are the instructions for creating a new key for a project. This requires KMS admin permissions (roles/cloudkms.admin) on the project; in most cases only the DevOps team has them.
gcloud kms keyrings create sops --location global --project agp-offerwall-dev-67
gcloud kms keys create gke_offerwall_dev_useast1 --location global --keyring sops --purpose encryption --project agp-offerwall-dev-67
gcloud kms keys list --location global --keyring sops --project agp-offerwall-dev-67
NAME PURPOSE ALGORITHM PROTECTION_LEVEL LABELS PRIMARY_ID PRIMARY_STATE
projects/agp-offerwall-dev-67/locations/global/keyRings/sops/cryptoKeys/gke_offerwall_dev_useast1 ENCRYPT_DECRYPT GOOGLE_SYMMETRIC_ENCRYPTION SOFTWARE 1 ENABLED
The full resource name in the NAME column is the value passed to sops with --gcp-kms below.
Usage¶
Encrypt data¶
sops -i -e --gcp-kms projects/agp-offerwall-dev-67/locations/global/keyRings/sops/cryptoKeys/gke_offerwall_dev_useast1 secrets.yaml
-i (--in-place) overwrites secrets.yaml with the encrypted version, so run this before the file is committed. SOPS encrypts the values and leaves the keys readable, and records the KMS key resource name in a sops: metadata block at the end of the file.
Decrypt data¶
sops -i -d --gcp-kms projects/agp-offerwall-dev-67/locations/global/keyRings/sops/cryptoKeys/gke_offerwall_dev_useast1 secrets.yaml
Because the key is already recorded in the file's sops: metadata, --gcp-kms is not required for decryption; sops -i -d secrets.yaml works as well. Decryption requires roles/cloudkms.cryptoKeyEncrypterDecrypter (or cryptoKeyDecrypter) on the key for the identity gcloud is authenticated as.
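Two practical additions to the procedure above, as an added example that is not part of the original page or of the sops project: a .sops.yaml creation rule that binds the project's KMS key to a path (so nobody has to paste the --gcp-kms resource name by hand), and a pre-commit style check that rejects a secrets file which still contains plaintext values or that was encrypted with a different project's key. The path regex and the sample file contents are assumptions; the ENC[...] payloads are constructed placeholders, not real SOPS ciphertext.

```shell
#!/bin/sh
# Added example, not from the original page: bind the project's KMS key to a
# path via .sops.yaml and verify a file is fully encrypted with that key before
# it is committed. Path regex and sample contents are assumptions.

SOPS_KEY="projects/agp-offerwall-dev-67/locations/global/keyRings/sops/cryptoKeys/gke_offerwall_dev_useast1"

# write_sops_config DIR: creation rule so that `sops -e -i helm/<chart>/secrets.yaml`
# picks the key from the path and --gcp-kms need not be repeated on every call.
write_sops_config() {
    cat > "$1/.sops.yaml" <<EOF
creation_rules:
  - path_regex: ^helm/.*/secrets\.yaml\$
    gcp_kms: ${SOPS_KEY}
EOF
}

# check_encrypted FILE: succeed only if every scalar outside the sops: metadata
# block is an ENC[AES256_GCM,...] ciphertext and the metadata names SOPS_KEY.
# Line-based: it understands the `key: value` and `- item` lines SOPS writes.
check_encrypted() {
    awk -v want="$SOPS_KEY" '
        BEGIN { bad = 0; key_ok = 0 }
        /^sops:/ { in_sops = 1; next }
        in_sops && /^[[:space:]]*(-[[:space:]]+)?resource_id:/ {
            sub(/^[^:]*:[[:space:]]*/, "")
            if ($0 == want) key_ok = 1
            next
        }
        in_sops { next }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/^[[:space:]]*(-[[:space:]]+)?/, "", line)   # drop indent and list dash
            if (match(line, /:[[:space:]]+/)) {
                val = substr(line, RSTART + RLENGTH)        # key: value
            } else if (line ~ /:$/) {
                next                                         # key opening a nested block
            } else {
                val = line                                   # bare list item
            }
            if (val ~ /^ENC\[AES256_GCM,/ || val == "[]" || val == "{}") next
            printf "plaintext at line %d: %s\n", NR, $0 > "/dev/stderr"
            bad = 1
        }
        END {
            if (!key_ok) {
                print "sops metadata does not reference " want > "/dev/stderr"
                bad = 1
            }
            exit bad
        }
    ' "$1"
}

# make_samples DIR: constructed files standing in for SOPS output.
make_samples() {
    cat > "$1/good.yaml" <<EOF
db_password: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
nested:
    api_key: ENC[AES256_GCM,data:cXV4,iv:YmFy,tag:YmF6,type:str]
    hosts:
        - ENC[AES256_GCM,data:aG9zdA==,iv:YmFy,tag:YmF6,type:str]
sops:
    gcp_kms:
        - resource_id: ${SOPS_KEY}
          created_at: "2023-01-10T10:00:00Z"
          enc: CiQAplaceholder
    lastmodified: "2023-01-10T10:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:YmFy,tag:YmF6,type:str]
    version: 3.7.3
EOF
    # One value left in plaintext: what you get when someone edits without sops.
    sed 's/api_key: ENC\[.*\]/api_key: hunter2/' "$1/good.yaml" > "$1/leaked.yaml"
    # Fully encrypted, but with another project's key.
    sed 's#resource_id: .*#resource_id: projects/other-project/locations/global/keyRings/sops/cryptoKeys/other#' \
        "$1/good.yaml" > "$1/wrongkey.yaml"
}

# When run directly: build the samples in a temp dir and report each verdict.
demo_dir=$(mktemp -d)
write_sops_config "$demo_dir"
make_samples "$demo_dir"
for f in good leaked wrongkey; do
    if check_encrypted "$demo_dir/$f.yaml" 2>/dev/null; then
        echo "$f.yaml: OK"
    else
        echo "$f.yaml: REJECT"
    fi
done
```

Wire check_encrypted into a pre-commit hook (or CI) for every path matched by the creation rule; it catches the two mistakes that actually happen in practice, a value edited outside sops and a file encrypted against the wrong project's key. The check is deliberately line-based so it needs no YAML library on the developer's machine; for anything more exotic than the layout SOPS itself emits, run `sops -d` in CI instead.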