Evaluate SOPS to encrypt Ansible variables

[ricsanfre]

Evaluate Mozilla SOPS as an alternative to ansible-vault when encrypting vault.yml file

Instead of using ansible-vault, use SOPS to only encrypt the variables values contained in vault.yml file and not the whole content.

Ansible provides support to encrypt and decrypt using SOPS within paybooks (Ansible communiy SOPS collection)

References

• SOPS
• [SOPS Comprehensive guide] (https://www.google.com/amp/s/blog.gitguardian.com/a-comprehensive-guide-to-sops/amp/)
• Ansible Community SOPS collection

[ricsanfre]

Testing SOPS

Installing SOPS

• Step 1: Install sops from binary

  wget https://github.com/mozilla/sops/releases/download/v3.7.3/sops-v3.7.3.linux.amd64
  sudo chmod +x sops-v3.7.3.linux.amd64
  sudo cp sops-v3.7.3.linux.amd64 /usr/local/bin

• Step 2: Extract gpg key

  gpg --list-secret-keys <user>

  Get gpg key fingerprint from "sec" part

• Step 3: Create .sops.yaml in $HOME directory

  creation_rules:
      - pgp: >-
           <gpg-key-fingerprint>

Encrypting a yaml file

• Step1: Edit a file using sops

  sops tets.yaml

  add the following content to the file

  vault:
    app:
      admin:
        user: usuario1
        password: password1

  After saving the file the following warning is showed

  [PGP]    WARN[0000] Deprecation Warning: GPG key fetching from a keyserver within sops will be removed in a future version of sops. See https://github.com/mozilla/sops/issues/727 for more information.

• Step 2: Edit file with vi

  File looks like this:

  vault:
      app:
          admin:
              user: ENC[AES256_GCM,data:A5lF9wbszbw=,iv:zHR2doM1P6vVKC2aPCthq5eBW9o01N6mjfc9DjJuXjo=,tag:IarHtdYUXYUtga16tSodcA==,type:str]
              password: ENC[AES256_GCM,data:VTU8g4msh98i,iv:kMt5OJkuJ/tvO6Pmpu1znmCOXjCaokXwLywmssDz5d4=,tag:ps2FFHdu5CHE2CHDVQiQhQ==,type:str]
  sops:
      kms: []
      gcp_kms: []
      azure_kv: []
      hc_vault: []
      age: []
      lastmodified: "2023-02-01T16:11:44Z"
      mac: ENC[AES256_GCM,data:awV2gGIVlbS4t86pKH0lzXEbpcRSlOzzqjqhhHDk14qwrrJBookqfZmI/xOtFIGDqB3nMxb/SvAxaprNzcXlOFi1cAPO91qj7rBh+xFy5A6a7uUb/qHPbMiE/u9oazSjXaeuRFGiLuNsPa8UyMXeq/kH1FHOcuY/0Z8RT2bLHIA=,iv:cqEN7NzfkMLMI2k05uRnmbftgE5ns04OfGo893h3Vps=,tag:9Ade+xQ5xrdKtV4PWuHHsw==,type:str]
      pgp:
          - created_at: "2023-02-01T16:06:50Z"
            enc: |
              -----BEGIN PGP MESSAGE-----
  
              hQGMA43TzuNmqDHYAQv8DTpNCcgJPTubgPf6iX/pwCGrMJOZqMlB56m8AulvOjdQ
              FNpiEzsvvfHMfn1chOdAPTv4lW0qb5pIvPE7PzKq4zf8S1BqdlaCaohLlS1ChkDj
              AzqTXqEkDdYuimSKRjs7sMz2jG9G5dmfrV/ckGNHf3iDNWA3ZGs97ALn7SbIRR3J
              EkA3F93yqyTz01+0Plt7GjstSzasp06xHRoHBhIyHguyzHeA0pRy1IaqOPRLjlnr
              /RrqOT/4rE+x50+/IqQ3df4NWz8ag1792j8D05ym7Hxpnke89YAzBAmPah76n1Hg
              NCqeshgI+3fDyB2K1SQ71hnangSq8k5pBgE/SovjbRbHWacUtrUwvmHJ2GEOgFgJ
              fmKzkFE/Od5NvRAFFq8ZzocU0lycYUNKZd8btFmRIoCMYFXc78iPVWXw1rcvfep5
              e1U9LYhTa0+nevokEB7f7Lp8kEbM29ozhgcs06GIjzVesze6LjDe//6mFSg3zglq
              IpFD+moH0nYKmp8IymwZ0l4BiuodvS9lAgHOIu3xDaecCoxWGzRCZeBzG/+0nQOm
              3lG3l8hXJfFqlbyCk7bZdJLSRTk0wI8c+RsIkPOyEXH+OjiVuSvRioAQJHidLd4p
              xnI+rpF1pkzdO6sRAKsx
              =NXog
              -----END PGP MESSAGE-----
            fp: 6DF60CF66A196DE1F58BDCA074A39198228337DC
      unencrypted_suffix: _unencrypted
      version: 3.7.3

Conclusion

• SOPS is able to encrypt only the values within the dictionary and not the keys which is the desired behavior for encrypting vault.yml file

• SOPS use 4-spaces indentation which is not what YAML specifies (only 2-spaces indentation is required). This is not a desired behavior.

  • There is an open issue to try to fix this behaviour: Configurable indentation for yaml output in .sops.yaml getsops/sops#900
  • Yamllint check will fails trying to validate this yaml encrypted file

• PGP encryption is going to be deprecated in favour of age (gpg.mozilla.org is broken (probably for good) getsops/sops#727)