Sops-nix: secrets management

Mic92 · July 23, 2020, 12:26pm

I built a atomic secret provisioning system for NixOS based on sops called sops-nix. It works well for me and now I am looking for others to test it. If you find any bugs in the code or the documentation feel free to open a PR or issue.

manveru · July 23, 2020, 1:19pm

This looks fantastic, are you planning to support KMS/Hashicorp Vault anytime soon as well?

Mic92 · July 23, 2020, 1:23pm

My priorities right now are as follow:

Systemd support: A diff engine to restart systemd services if secrets changed
Hashicorp Vault support (It will provide the key for decrypting, not the secrets itself)
Other KMS services: Someone provided me access to google GCP and I also got access sponsored for Azure. I have no access to AWS yet.

manveru · July 23, 2020, 2:26pm

I think I can get you access to AWS or sponsor some of that work, but I’m also OK hacking on it myself. I think it should be pretty similar to azure/gcp anyway.

Mic92 · July 23, 2020, 2:29pm

You can also add it yourself, but I might add you as a tester in future

lewo · July 23, 2020, 4:14pm

For AWS, you could try something such as GitHub - nsmithuk/local-kms: A mock version of AWS' Key Management Service, for local development and testing. which would also have the benefit to work in a CI.

Mic92 · July 23, 2020, 4:31pm

That’s nice. I will use that although at some point I want to have it tested on the actual thing to make sure it works.

manveru · July 24, 2020, 12:43am

For AWS the combination of IAM & KMS the solution is relatively straightforward.
You can have a profile on your deployer in ~/.aws/credentials and set the region for the profile in ~/.aws/config.
The profile also need to have an associated IAM policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:DescribeKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:<region>:<org>:key/<key>"
        }
    ]
}

After that you can use the ARN of the KMS key to do sops --encrypt --kms arn:aws:kms:<region>:<org>:key/<key> or sops --decrypt.

The machines you deploy need a similar IAM policy, though they may be restricted to decrypt only. SOPS will automatically check the instance meta-data for the instance identity and use it to decrypt, so you don’t have to have any secrets on the machine itself.

So pretty much all I need from sops-nix is the ability to skip specifying anything GPG related, and the rest should just work.

Mic92 · July 24, 2020, 6:26am

Right now it requires either ssh keys or gnupg keys to be set. You can make a PR introduces some aws option or so. Either way some documentation would be nice how IAM policies should look like so someone else can replicate the setup.