Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Sops – An editor of encrypted files using AWS KMS and PGP (github.com/mozilla)
55 points by 0xmohit on Jan 14, 2018 | hide | past | favorite | 15 comments


FWIW, KMS can get expensive if you're (for example) using transparent S3 encryption. Once you enable that (which is actually of dubious security value anyway), every S3 operation involves a KMS operation, which can get surprisingly substantial pretty fast. (I'm not making any comment on Sops per se - just saying to be careful around KMS,and thus Sops, for high-volume requirements.)


> (which is actually of dubious security value anyway)

FYI the value isn't necessarily in stopping AWS from maliciously reading your data if they wanted to (though it does make that slightly more difficult too), it's knowing that your data can't be easily recovered by someone who has access to the physical hard drives it's stored on. A typical scenario would be someone who knows where old drives are disposed of once they leave the data center - presumably AWS takes measures to wipe/destroy such drives, but knowing that the underlying data is encrypted at rest is extra assurance. There's also value for people whose compliance requirements dictate data is encrypted at rest regardless of cost and whether it actually makes sense to do.


FYI :) see https://d0.awsstatic.com/whitepapers/aws-security-whitepaper... for information on the DoD/NIST protocols used to destroy the drives.


I've been using SOPS daily for more than a year (before the rewrite from python into golang) and it works pretty well. It supports GPG for onprem installs and KMS for AWS. Its main supported filetypes are YAML and JSON files but I've used it with pretty much everything. The main benefit I've seen over other solutions is the ability to check my secrets into git knowing that they are encrypted. This means you can version your secrets while knowing that if your repo accidentally becomes public you won't suddenly end up with compromised servers. Usually for auth hosted services you still have to problem of how do you get the secrets into there in the first place through 100% automation.


We have been using Sops for a few months, it's pretty impressive really.

reading your Sops config during githooks allows you to ensure everything is encrypted before commit.

The only downside I have come across is that if you accidentally encrypt a file twice you essentially lose the data. obviously, this is user error but some additional protections around this would be good.


We've been using sops for about a year and it's a great solution to the startup problem of having secrets but needing to store them somewhere. The other options all involve additional infrastructure, while this just uses AWS infrastructure at the free level.


For a 1Password-like hosted service that also requires no additional infrastructure, check out EnvKey - https://www.envkey.com

It handles encryption keys completely behind the scenes, is trivial to integrate, and provides a UI to easily manage multiple environments and access levels in one place.

There will, of course, always be a role for more DIY solutions like sops, but if your goal is to have configuration/secrets secure, organized, and available to developers and servers in as little time as possible, you may find EnvKey interesting.


(Full disclosure: danenania is the founder of EnvKey, as mentioned in his/her profile.)


Indeed - sorry to leave that out!


had the same issues and now i always either check for the sops encryption keys with a sops wrapper script before encryption or decrypt to a git-ignored temp file that is immediately deleted after use.


Very cool! It would be helpful to have a bit more description around how this works, especially for technical folks (like me) who have a working knowledge of encryption techniques, but lack deep knowledge in the field. I often think that half of the battle with security practice adoption is education- the easier something is to understand, the less friction to implement.


Some features from the examples [0]:

- Creating a new file

- Encrypting an existing file

- Encrypt or decrypt a file in place

- Encrypting binary files

In-place encryption/decryption is a pretty useful feature, IMO.

[0] https://github.com/mozilla/sops#id22


What actually keeps your keys secure from AWS if you use KMS? That’s my problem with it.


If you care about this, you can use Shamir Secret Sharing to require two (or more) keys to recover the encrypted file. So even if AWS was malicious, they still wouldn't be able to get the file without your other key (presumably a GPG or GCP KMS key)


Is this using homomorphic encryption ?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: