
I'm using Mozilla SOPS to encrypt secrets, the results of which are committed to a git repo shared by the other members of a project. When using SOPS for personal projects, I am using age to encrypt/decrypt the contents of my SOPS files; if I have a file called my-secrets.sops.yaml and I want to add a new key/value pair to it, my normal workflow is:

  1. Run sops -d -i my-secrets.sops.yaml to decrypt the file in-place so that the values are plaintext.
  2. Add new_secret: "ThisIsASecret" to the file.
  3. Run sops -e -i my-secrets.sops.yaml to encrypt the file in-place.
  4. Commit the changes to git.

This works for my personal projects because I generate the age secret and public keys myself, so I have access to both. I am aware that only the age public key is required to encrypt, but the secret key is required in order to decrypt.

Now here's my question: if I want to add a key/value pair (or update an existing value) in an existing SOPS file that already contains encrypted values, do I need the ability to decrypt the file first? I know that I could create a brand new file and just encrypt that, but that seems messy, especially in a collaborative environment.

In short: is it possible to add a new value to a YAML file that has been encrypted with SOPS with only the public key available (i.e. without decrypting)?


For context, a bit of background info on my use-case: this project uses Terraform to manage infrastructure, and secrets are kept in a SOPS-encrypted file located in the terraform project directory (for those interested, I'm using this provider to do stuff with the secret values). Our CI environment runs terraform, and has access to the age private key so that Terraform can (e.g.) set the password on database resources, etc. I want to make it so that developers can add new secrets, but cannot decrypt the secrets once they have been added.

  • I haven't used SOPS specifically and it might have some sort of special feature that changes the answer, but the general answer is no: most encryption schemes disallow this kind of behavior as it leads to specific forms of attack weakness. – torek Oct 18 '22 at 00:09
  • @torek Interesting! Would you mind sharing any links or examples for learning more about that? Since SOPS-encrypted files keep their structure transparent (e.g. for YAML files, only the values are encrypted) I figured this wouldn't be much different than having something like a directory where each file (the key) is an independently-encrypted secret (the value), which doesn't seem like it would be considered a vulnerability. – Tyler Oct 19 '22 at 21:49
  • Aha: if SOPS keeps the *keys* unencrypted, it's definitely designed with a weaker security model. (Note that just knowing what keys go with key-value pairs is a form of information leakage, which is why a more general crypto system wouldn't do that.) That weaker model *could* allow for this kind of update. Whether it does, well, that depends on the SOPS system. – torek Oct 19 '22 at 23:33

1 Answer


You can use sops --set '["foo"]["bar"] "test"' ./test.enc.yaml to set or update just the foo.bar value without decrypting or altering the other entries. This means that with PGP you can use the public key to set a new value without having access to the private values.

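The decrypt-in-place, edit, re-encrypt workflow in the question leaves a window in which a plaintext my-secrets.sops.yaml can be committed if step 3 is forgotten, and the same risk applies to any hand-edited value around a sops --set call. The following check is an added example, not code from SOPS or from anyone on this page: it walks a SOPS document as loaded by yaml.safe_load or json.load and reports every leaf that is not in SOPS's ENC[AES256_GCM,...] form, plus a missing or incomplete sops metadata block. It assumes nothing in the file is intentionally left unencrypted (no unencrypted_suffix or encrypted_regex), and the sample documents and their base64 fields are constructed, not real ciphertext.

```python
import re

# Shape SOPS gives every encrypted leaf (and its MAC):
#   ENC[AES256_GCM,data:<b64>,iv:<b64>,tag:<b64>,type:<str|int|float|bool|comment>]
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]+,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(str|int|float|bool|comment)\]$"
)
KEY_GROUPS = ("age", "pgp", "kms", "gcp_kms", "azure_kv", "hc_vault")

def _leaves(node, path=()):
    """Yield (path, value) for every scalar in a nested dict/list document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _leaves(v, path + (str(k),))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _leaves(v, path + (f"[{i}]",))
    else:
        yield path, node

def check_sops_document(doc):
    """Return findings for a document as loaded by yaml.safe_load/json.load.
    Assumes every non-metadata leaf must be encrypted (no unencrypted_suffix)."""
    findings = []
    meta = doc.get("sops") if isinstance(doc, dict) else None
    if not isinstance(meta, dict):
        findings.append("missing 'sops' metadata block: file looks decrypted")
    else:
        if not ENC_RE.match(str(meta.get("mac", ""))):
            findings.append("sops.mac missing or not in ENC[...] form")
        if not any(meta.get(k) for k in KEY_GROUPS):
            findings.append("no recipients/key groups in sops metadata")
    for path, value in _leaves(doc):
        if path[:1] == ("sops",):
            continue  # metadata checked above, not a secret leaf
        if not (isinstance(value, str) and ENC_RE.match(value)):
            findings.append("plaintext leaf at " + ".".join(path))
    return findings

# Constructed samples (not real ciphertext): a properly encrypted file and the
# same file after 'sops -d -i' plus a new plaintext entry, before re-encrypting.
ENCRYPTED = {
    "db_password": "ENC[AES256_GCM,data:YWJj,iv:ZGVm,tag:Z2hp,type:str]",
    "sops": {
        "age": [{"recipient": "age1PLACEHOLDER", "enc": "PLACEHOLDER"}],
        "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]",
    },
}
DECRYPTED = {"db_password": "hunter2", "new_secret": "ThisIsASecret"}
```

Run check_sops_document over each *.sops.yaml in a pre-commit hook and refuse the commit when it returns anything; a decrypted file fails on the missing metadata block alone, so the check does not need the age private key.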