    The simplest sops demo - sops using age encryption
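  # The simplest sops demo - sops using age encryption.
#
# This demo uses an alpine sandbox in a docker container in
# interactive mode, started with:
#   docker run --rm -it alpine
# Paste the whole script into that shell, or save it and run `sh demo.sh`.
# NOTE: `set -e` and the `exit 1` below terminate the shell they run in on
# failure; inside the throw-away container that is harmless.
#
# If you run it on your own system:
# 1. use your own package manager instead of `apk`
# 2. expect the following left-overs:
#    - installed binaries (age, age-keygen, sops)
#    - $HOME/.config/sops/age/keys.txt  (the PRIVATE age key - whoever holds
#      it can decrypt every file encrypted to its public key; protect it)
#    - demo files: source.env, encrypted.env, decrypted.env
#      (source.env and decrypted.env hold the PLAINTEXT secret; delete them
#       when you are done - only encrypted.env is safe to keep or commit)
#
# Optional knobs (environment variables):
#   SOPS_VERSION  sops release to fetch (default: 3.7.3)
#   SOPS_SHA256   expected SHA-256 of the sops binary. When set, the download
#                 is verified against it and the demo aborts on mismatch.
#                 Take the value from the checksums file published with the
#                 release, not from this script.

set -eu

SOPS_VERSION="${SOPS_VERSION:-3.7.3}"
SOPS_SHA256="${SOPS_SHA256:-}"
# This asset is the x86-64 build; on other architectures pick the matching
# release asset. The project has since moved to github.com/getsops/sops; the
# mozilla/sops URL redirected there at the time of writing.
SOPS_URL="https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux"
SOPS_BIN="/usr/bin/sops"
AGE_KEY_DIR="$HOME/.config/sops/age"
# Default location sops searches for age identities (SOPS_AGE_KEY_FILE overrides it).
AGE_KEY_FILE="$AGE_KEY_DIR/keys.txt"

# Print a message to stderr and abort the demo.
die() { printf '%s\n' "$*" >&2; exit 1; }

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# A R R A N G E
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
echo "
1. Installing packages: age"
#------------------------------------------------------------
# apk verifies package signatures itself; nothing extra needed here.
apk add age || die "apk add age failed"
#------------------------------------------------------------
echo "
2. Installing sops binary and make it runnable"
#------------------------------------------------------------
# Unlike apk, a bare wget gives no integrity guarantee. sops later reads the
# private key and the plaintext, so an unverified binary is a supply-chain
# risk: verify it (SOPS_SHA256) before it becomes executable.
wget -O "$SOPS_BIN" "$SOPS_URL" || { rm -f "$SOPS_BIN"; die "download of $SOPS_URL failed"; }
if [ -n "$SOPS_SHA256" ]; then
  printf '%s  %s\n' "$SOPS_SHA256" "$SOPS_BIN" | sha256sum -c - \
    || { rm -f "$SOPS_BIN"; die "sops checksum mismatch - refusing to use $SOPS_BIN"; }
else
  echo "WARNING: SOPS_SHA256 not set - the sops binary was NOT verified" >&2
fi
chmod +x "$SOPS_BIN"
#------------------------------------------------------------
echo "
3. create age encryption key,
   and extract the public key as AGE_PUB_KEY"
#------------------------------------------------------------
mkdir -p "$AGE_KEY_DIR"
# umask 077 so the private key is never group/world-readable, not even in
# the window between creation and the chmod below.
( umask 077; age-keygen > "$AGE_KEY_FILE" ) || die "age-keygen failed"
chmod 400 "$AGE_KEY_FILE"
# `age-keygen -y` derives the recipient (public key) from the identity file;
# more robust than cutting fields out of the "# public key:" comment line.
AGE_PUB_KEY="$(age-keygen -y "$AGE_KEY_FILE")" || die "could not derive the age public key"
: "${AGE_PUB_KEY:?AGE_PUB_KEY is empty}"
#------------------------------------------------------------
echo "
4. create a demo .env file"
# NOTE: it works with yaml, json, ini, and more
#       (it relies on the file suffix,
#        but you can specify it explicitly using --input-type)
#------------------------------------------------------------
# Quoted delimiter: the body is taken literally, nothing is expanded.
cat << 'EOF' > source.env
USERNAME=the-user
PASSWORD=the-password<shhhh!!!!!>
EOF
#------------------------------------------------------------
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# A C T
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
echo "
5. use sops to encrypt 'source.env' with Age,
   show the encrypted output on screen
   and save it as 'encrypted.env'"
# NOTE: sops encrypts only the VALUES. Key names such as USERNAME and
#       PASSWORD stay in cleartext, as does the sops metadata it appends
#       (recipient public key, MAC, timestamps). Do not rely on the key
#       names themselves being secret.
#------------------------------------------------------------
sops -e --age "$AGE_PUB_KEY" source.env | tee encrypted.env
# The pipeline's status is tee's, so check the result explicitly.
[ -s encrypted.env ] || die "sops encryption produced no output"
#------------------------------------------------------------
echo "
6. use sops to decrypt
   to compare the result with 'source.env'"
# sops finds the private key in $HOME/.config/sops/age/keys.txt, its
# default age identity path.
#------------------------------------------------------------
sops -d encrypted.env > decrypted.env || die "sops decryption failed"
#------------------------------------------------------------
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# A S S E R T
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
echo "
7. 'decrypted.env' should be identical to 'source.env'"
#------------------------------------------------------------
if diff source.env decrypted.env; then
  echo "
SUCCESS :)
"
else
  echo "
Test failed :o
"
  exit 1
fi
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# NOTE:
# now that your keys are set and you have an encrypted file, you can call:
#   sops encrypted.env
# this opens the decrypted content in your default editor.
# If you make changes, sops re-encrypts the values and saves the file
# (after which the `diff` above will no longer match - only the encrypted
# file is updated; source.env and decrypted.env are left as they were).
# Remember to delete source.env and decrypted.env: they hold the plaintext.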