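# This demo uses an alpine sandbox in a docker container in
# interactive mode. Run with:
#   docker run --rm -it alpine
#
# If you run it on your own system:
#  1. you should use your own package manager instead of `apk`
#  2. expect the following leftovers:
#     - installed binaries (age, age-keygen, sops)
#     - $HOME/.config/sops/age/keys.txt
#     - demo files: source.env, encrypted.env, decrypted.env
#       (source.env and decrypted.env hold the secrets in plaintext;
#       delete them once you are done with the demo)
#
# Optional environment:
#   SOPS_SHA256 - SHA-256 digest of the sops binary, obtained from a source
#                 you trust. When set, the download is checked against it
#                 before it is installed; when unset, a warning is printed.
#
# Written for POSIX sh (busybox ash on alpine), so no bashisms are used.

# Print a message on stderr and stop the demo.
die() {
  echo "$*" >&2
  exit 1
}

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#  A R R A N G E
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
echo " 1. Installing packages: age";
#------------------------------------------------------------
apk add age || die "could not install age"

#------------------------------------------------------------
echo " 2. Installing sops binary and make it runnable";
#------------------------------------------------------------
SOPS_URL="https://github.com/mozilla/sops/releases/download/v3.7.3/sops-v3.7.3.linux"

# Download to a private temp file first, so that an unverified or truncated
# binary never sits on PATH.
sops_tmp=$(mktemp) || die "mktemp failed"
if ! wget "$SOPS_URL" -O "$sops_tmp"; then
  rm -f "$sops_tmp"
  die "sops download failed"
fi

if [ -n "${SOPS_SHA256:-}" ]; then
  sops_actual=$(sha256sum "$sops_tmp" | cut -d' ' -f1)
  if [ "$sops_actual" != "$SOPS_SHA256" ]; then
    rm -f "$sops_tmp"
    die "sops checksum mismatch: got $sops_actual"
  fi
else
  echo "WARNING: SOPS_SHA256 is not set; installing sops without an integrity check" >&2
fi

# mktemp creates the file as 0600, so set the final mode explicitly.
if ! mv "$sops_tmp" /usr/bin/sops || ! chmod 0755 /usr/bin/sops; then
  die "could not install sops into /usr/bin"
fi

#------------------------------------------------------------
echo " 3. create age encryption key, and extract the public key as AGE_PUB_KEY";
#------------------------------------------------------------
age_key_file="$HOME/.config/sops/age/keys.txt"
mkdir -p "$HOME/.config/sops/age/" || die "could not create the key directory"

# Never overwrite an existing identity: anything already encrypted to it
# would become undecryptable. Only generate a key when none is present.
if [ ! -s "$age_key_file" ]; then
  # umask 077 in a subshell: the private key is never readable by others,
  # not even between its creation and the chmod below.
  ( umask 077; age-keygen > "$age_key_file" ) || die "age-keygen failed"
  chmod 400 "$age_key_file"
fi

# The key file carries the recipient in a '# public key: age1...' comment.
AGE_PUB_KEY=$(grep 'public key' "$age_key_file" | cut -d' ' -f 4)
[ -n "$AGE_PUB_KEY" ] || die "could not read the public key from $age_key_file"

#------------------------------------------------------------
echo " 4. create a demo .env file";
# NOTE: it works with yaml, json, ini, and more
#       (it relies on the file suffix,
#        but you can specify it explicitly using --input-type)
#------------------------------------------------------------
# Plaintext secrets: create the file under a restrictive umask.
(
  umask 077
  cat << 'EOF' > source.env
USERNAME=the-user
PASSWORD=the-password
EOF
) || die "could not write source.env"

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#  A C T
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
echo " 5. use sops to encrypt 'source.env' with Age, show the encrypted output on screen and save it as 'encrypted.env'";
#------------------------------------------------------------
# Redirect instead of piping into tee: a pipe would hide a sops failure
# behind tee's exit status.
sops -e --age "$AGE_PUB_KEY" source.env > encrypted.env || die "sops encryption failed"
cat encrypted.env

#------------------------------------------------------------
echo " 6. use sops to decrypt to compare the result with 'source.env'";
#------------------------------------------------------------
# decrypted.env is plaintext again, so keep it private as well.
( umask 077; sops -d encrypted.env > decrypted.env ) || die "sops decryption failed"

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#  A S S E R T
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
echo " 7. 'decrypted.env should be identical to 'source.env'";
#------------------------------------------------------------
if diff source.env decrypted.env; then
  echo " SUCCESS :) ";
else
  echo " Test failed :o ";
  exit 1;
fi;

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# NOTE:
#  now that your keys are set and you have an encrypted file,
#  you can call:
#     sops encrypted.env
#  this will open it in your default editor.
#  if you make changes - it will save your edits after encrypting the values
#  (after which the `diff` above will no longer work - it updates only the
#  encrypted file)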