docs: Add example for dealing with compromised key#34
Conversation
The order of operations in this scenario is very specific and error-prone. It would make sense to document this right here in this project. Signed-off-by: fhoekstra <32362869+fhoekstra@users.noreply.github.com>
✅ Deploy Preview for getsops ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Signed-off-by: fhoekstra <32362869+fhoekstra@users.noreply.github.com>
felixfontein
left a comment
felixfontein
left a comment
There was a problem hiding this comment.
Thanks for your contribution! I think it is a great idea to have a section on this in the docs. I've added two comments below, which are my personal ones; maybe someone else from @getsops/maintainers might want to comment on them?
Also note that currently there's a large reorganization happening (#31) which conflicts with tihs PR (and in fact with any other PR changing the documentation). I don't know how long it will take @getsops/maintainers to review that PR, so whether it makes sense to merge this one first and rebase the other, or the other way around.
| sops rotate --in-place secret.sops.yaml | ||
| ``` | ||
|
|
||
| This ensures that *first* the compromised key is removed from the list of keys that has access to the per-file data key, and only *then* rotates the data key. If done in the wrong order, the data key is encrypted with a key that the compromised key still has access to. |
There was a problem hiding this comment.
While it is generally better to schedule the operations this way, doing it the other way is only a problem in two specific situations:
secret.sops.yamlfile is checked in between the twosopscalls above;- alternatively, the compromised key is with a cloud provider (AWS, Azure, GCP, HWC, Vault) which is compromised itself, so that the call to encrypt the document key actually stores that document key.
I'm not sure whether this should be mentioned, but it probably makes sense to mention that the resulting file should be checked in after performing the two above steps.
There was a problem hiding this comment.
Thanks for the feedback! I've added a line about committing and pushing the file after this.
I was thinking of the file getting checked in between those actions (and assuming a public repo etc), I have changed the wording to be more nuanced and added your comment as a footnote
Co-authored-by: Felix Fontein <felix@fontein.de> Signed-off-by: fhoekstra <32362869+fhoekstra@users.noreply.github.com>
…rs and clarify checking in of the updated file. Signed-off-by: fhoekstra <32362869+fhoekstra@users.noreply.github.com>
I am interested in this subject right now because of the move to post-quantum encryption. Currently waiting for FluxCD 2.9 to be released, and then a lot of Kubernetes users of SOPS will be looking at moving to post-quantum. I'm looking to do a simple how-to blog post on it either way, it would be nice if I could point at the official documentation for this process. But I understand there's "always something" and I wouldn't want to slow down the docs improvement project. |
Signed-off-by: fhoekstra <32362869+fhoekstra@users.noreply.github.com>
2 participants
The order of operations in this scenario is very specific and error-prone. It would make sense to document this right here in this project.
I would appreciate any feedback and/or corrections!