
Sops – An editor of encrypted files using AWS KMS and PGP - 0xmohit
https://github.com/mozilla/sops
======
jamiesonbecker
FWIW, KMS can get expensive if you're (for example) using transparent S3
encryption. Once you enable that (which is actually of dubious security value
anyway), every S3 operation involves a KMS operation, which can get
surprisingly substantial pretty fast. (I'm not making any comment on Sops per
se - just saying to be careful around KMS, and thus Sops, for high-volume
requirements.)

~~~
not_kurt_godel
> (which is actually of dubious security value anyway)

FYI the value isn't necessarily in stopping AWS from maliciously reading your
data if they wanted to (though it does make that slightly more difficult too),
it's knowing that your data can't be easily recovered by someone who has
access to the physical hard drives it's stored on. A typical scenario would be
someone who knows where old drives are disposed of once they leave the data
center - presumably AWS takes measures to wipe/destroy such drives, but
knowing that the underlying data is encrypted at rest is extra assurance.
There's also value for people whose compliance requirements dictate data is
encrypted at rest regardless of cost and whether it actually makes sense to
do.

~~~
jamiesonbecker
FYI :) see [https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf](https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf)
for information on the DoD/NIST protocols used to destroy the drives.

------
personalreality
I've been using SOPS daily for more than a year (before the rewrite from
Python into Go) and it works pretty well. It supports GPG for on-prem
installs and KMS for AWS. Its main supported file types are YAML and JSON files,
but I've used it with pretty much everything. The main benefit I've seen over
other solutions is the ability to check my secrets into git knowing that they
are encrypted. This means you can version your secrets while knowing that if
your repo accidentally becomes public you won't suddenly end up with
compromised servers. Usually for auth hosted services you still have the
problem of how you get the secrets into there in the first place through
100% automation.

------
ro-laren
Very cool! It would be helpful to have a bit more description around how this
works, especially for technical folks (like me) who have a working knowledge
of encryption techniques, but lack deep knowledge in the field. I often think
that half of the battle with security practice adoption is education - the
easier something is to understand, the less friction to implement.

~~~
0xmohit
Some features from the examples [0]:

- Creating a new file

- Encrypting an existing file

- Encrypting or decrypting a file in place

- Encrypting binary files

In-place encryption/decryption is a pretty useful feature, IMO.

[0] [https://github.com/mozilla/sops#id22](https://github.com/mozilla/sops#id22)

------
nodefortytwo
We have been using Sops for a few months; it's pretty impressive really.

Reading your Sops config during git hooks allows you to ensure everything is
encrypted before commit.

The only downside I have come across is that if you accidentally encrypt a
file twice you essentially lose the data. Obviously, this is user error, but
some additional protections around this would be good.
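
The two points in this comment (a pre-commit check that a file is fully encrypted, and a guard against encrypting an already-encrypted file) can be covered by one script. This is an added example, not code from the sops project or from the commenter; it works on sops JSON files, relies on the `ENC[AES256_GCM,...]` leaf format and the top-level `sops` metadata block that sops writes, and the sample documents below are constructed with placeholder ciphertext.

```python
import json
import re
import sys

# sops encrypts every leaf value as ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]*,iv:[^,\]]*,tag:[^,\]]*,type:[a-z]+\]$"
)


def is_encrypted_value(value):
    return isinstance(value, str) and ENC_RE.match(value) is not None


def plaintext_leaves(node, path=""):
    """Dotted paths of leaves that are not sops-encrypted strings (numbers/bools count as plaintext)."""
    if isinstance(node, dict):
        return [p for k, v in node.items()
                for p in plaintext_leaves(v, f"{path}.{k}" if path else str(k))]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in plaintext_leaves(v, f"{path}[{i}]")]
    return [] if is_encrypted_value(node) else [path]


def check_sops_json(text):
    """Return a list of problems; an empty list means the file is fully sops-encrypted."""
    doc = json.loads(text)
    problems = []
    meta = doc.get("sops")
    if not isinstance(meta, dict) or not is_encrypted_value(meta.get("mac")):
        problems.append("missing sops metadata block (file was never encrypted)")
    body = {k: v for k, v in doc.items() if k != "sops"}
    problems.extend(f"plaintext value at {p}" for p in plaintext_leaves(body))
    return problems


# Constructed samples (placeholder ciphertext, not real sops output).
ENCRYPTED_SAMPLE = json.dumps({
    "db_password": "ENC[AES256_GCM,data:c2VjcmV0,iv:aXY=,tag:dGFn,type:str]",
    "sops": {"kms": [{"arn": "arn:aws:kms:EXAMPLE-PLACEHOLDER"}],
             "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]"},
})
LEAKY_SAMPLE = json.dumps({
    "api_key": "hunter2",  # someone forgot to encrypt this leaf
    "db_password": "ENC[AES256_GCM,data:c2VjcmV0,iv:aXY=,tag:dGFn,type:str]",
    "sops": {"mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]"},
})

if __name__ == "__main__":
    # pre-commit: fail if the file is not fully encrypted.
    # pre-encrypt: fail if the file is already encrypted, so it is never encrypted twice.
    mode, path = sys.argv[1], sys.argv[2]
    problems = check_sops_json(open(path).read())
    if mode == "pre-commit" and problems:
        sys.exit("\n".join(problems))
    if mode == "pre-encrypt" and not problems:
        sys.exit(f"{path} is already sops-encrypted; refusing to encrypt twice")
```

Wire the `pre-commit` mode into a git pre-commit hook over the staged files that your `.sops.yaml` rules cover, and call the `pre-encrypt` mode from whatever wrapper you use around `sops -e`.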

~~~
koblas
We've been using sops for about a year and it's a great solution to the
startup problem of having secrets but needing to store them somewhere. The
other options all involve additional infrastructure, while this just uses AWS
infrastructure at the free level.

~~~
danenania
For a 1Password-like hosted service that also requires no additional
infrastructure, check out EnvKey -
[https://www.envkey.com](https://www.envkey.com)

It handles encryption keys completely behind the scenes, is trivial to
integrate, and provides a UI to easily manage multiple environments and access
levels in one place.

There will, of course, always be a role for more DIY solutions like sops, but
if your goal is to have configuration/secrets secure, organized, and available
to developers and servers in as little time as possible, you may find EnvKey
interesting.

~~~
jlgaddis
(Full disclosure: danenania is the founder of EnvKey, as mentioned in his/her
profile.)

~~~
danenania
Indeed - sorry to leave that out!

------
zxd1098
What actually keeps your keys secure from AWS if you use KMS? That’s my
problem with it.

~~~
autrilla
If you care about this, you can use Shamir Secret Sharing to require two (or
more) keys to recover the encrypted file. So even if AWS was malicious, they
still wouldn't be able to get the file without your other key (presumably a
GPG or GCP KMS key).

------
yyzhero
Is this using homomorphic encryption?

