Sops-nix: secrets management

I built an atomic secret provisioning system for NixOS based on sops called sops-nix. It works well for me and now I am looking for others to test it. If you find any bugs in the code or the documentation feel free to open a PR or issue.


This looks fantastic, are you planning to support KMS/Hashicorp Vault anytime soon as well?

My priorities right now are as follows:

  1. Systemd support: A diff engine to restart systemd services if secrets changed
  2. Hashicorp Vault support (It will provide the key for decrypting, not the secrets itself)
  3. Other KMS services: Someone provided me access to Google GCP and I also got access sponsored for Azure. I have no access to AWS yet.

I think I can get you access to AWS or sponsor some of that work, but I’m also OK hacking on it myself. I think it should be pretty similar to azure/gcp anyway.

You can also add it yourself, but I might add you as a tester in future 🙂

For AWS, you could try something such as https://github.com/nsmithuk/local-kms which would also have the benefit of working in CI.


That’s nice. I will use that although at some point I want to have it tested on the actual thing to make sure it works.

For AWS, with the combination of IAM & KMS, the solution is relatively straightforward.
You can have a profile on your deployer in ~/.aws/credentials and set the region for the profile in ~/.aws/config.
The profile also needs to have an associated IAM policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:DescribeKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:<region>:<org>:key/<key>"
        }
    ]
}

After that you can use the ARN of the KMS key to do sops --encrypt --kms arn:aws:kms:<region>:<org>:key/<key> or sops --decrypt.

The machines you deploy need a similar IAM policy, though they may be restricted to decrypt only. SOPS will automatically check the instance meta-data for the instance identity and use it to decrypt, so you don’t have to have any secrets on the machine itself.

So pretty much all I need from sops-nix is the ability to skip specifying anything GPG related, and the rest should just work.
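The post above describes two IAM policies: the deployer's (Encrypt, DescribeKey, Decrypt) and the deployed machine's (Decrypt only), each scoped to one KMS key ARN. As an added example that is not part of the thread or of sops-nix, this Python script builds both policies and lints a given policy for anything beyond that minimum (extra or wildcard actions, a resource that is not a single key ARN); the function names, the ARN regex and the sample ARN are this example's own.

```python
import json
import re

# Actions sops needs on a KMS key for each role, as described in the thread.
DEPLOYER_ACTIONS = frozenset({"kms:Encrypt", "kms:DescribeKey", "kms:Decrypt"})
HOST_ACTIONS = frozenset({"kms:Decrypt"})

# A single KMS key ARN: arn:aws:kms:<region>:<account>:key/<key-id>
# (the thread writes the account field as <org>). Regex is this example's own.
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def kms_policy(key_arn: str, *, decrypt_only: bool) -> dict:
    """Minimal IAM policy granting sops access to exactly one KMS key."""
    actions = HOST_ACTIONS if decrypt_only else DEPLOYER_ACTIONS
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SopsKmsDecrypt" if decrypt_only else "SopsKmsEncryptDecrypt",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": key_arn,
        }],
    }


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_kms_policy(policy: dict, *, decrypt_only: bool) -> list:
    """Return findings where an Allow statement grants more than sops needs."""
    allowed = HOST_ACTIONS if decrypt_only else DEPLOYER_ACTIONS
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also valid
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in allowed:  # also catches wildcards such as "kms:*"
                findings.append(f"action {action!r} is not needed for sops")
        for resource in _as_list(stmt.get("Resource")):
            if not KMS_KEY_ARN.match(resource):
                findings.append(f"resource {resource!r} is not a single KMS key ARN")
    return findings


# Constructed sample of an overly broad policy (not from the thread).
BROAD_POLICY = json.loads(
    '{"Version": "2012-10-17", "Statement": '
    '{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}}'
)
```

Running `lint_kms_policy(BROAD_POLICY, decrypt_only=True)` reports both the wildcard action and the wildcard resource; a policy produced by `kms_policy` for the same role yields no findings.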

Right now it requires either ssh keys or gnupg keys to be set. You can make a PR that introduces some AWS option or so. Either way, some documentation on how IAM policies should look would be nice, so someone else can replicate the setup.