Last active
January 26, 2025 07:52
Revisions
twolfson revised this gist
Feb 1, 2016. 1 changed file with 3 additions and 3 deletions.
@@ -62,13 +62,13 @@ Now that we have SOPS installed, let’s set it up in our repo: - This effectively makes the password useless since we are more concerned about compromising our secrets than the RSA key 2. Find full fingerprint for keys via `gpg --fingerprint` - This will be `740D DBFA...` in `Key fingerprint = 740D DBFA...` 3. Create our file via `sops --pgp '{{full_fingerprint}}' secret.enc.yml` - For JSON, we can use a non-YAML extension - For future edits of the file, we can use `sops secret.enc.yml` (our PGP fingerprint has been stored inside of the file) 4. Extract private key to file via `gpg --export-secret-keys --armor {{fingerprint}} > private.rsa` - `--armor` exports a human-friendly ASCII format instead of binary 5. Upload private key to our server via `rsync private.rsa {{server}}:private.rsa` 6. SSH onto our machine 7. Import private key into `gpg` keychain via `gpg --import private.rsa` 8. During deployment, decrypt `secret.enc.yml` to its plaintext variant via `sops --decrypt secret.enc.yml > secret.yml` 9. Run server using plaintext `secret.yml` -
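Review bot: step 8 now writes the plaintext to a separate `secret.yml` instead of decrypting in place, which keeps `secret.enc.yml` intact in the checkout, but the hunk says nothing about keeping that plaintext out of version control or removing it once the server has read it; add a `.gitignore` entry for `secret.yml` and a cleanup step so the decrypted copy is never committed next to the encrypted one. Steps 5 to 7 also leave the armored `private.rsa` sitting on the server after `gpg --import`; with the empty passphrase chosen during key generation that file is the unprotected key, so delete it after the import and make sure `rsync` does not drop it somewhere world-readable.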
twolfson revised this gist
Jan 28, 2016. 1 changed file with 16 additions and 18 deletions.
@@ -11,7 +11,7 @@ This means the recipient will initially decrypt via our (i.e. client’s) public To reiterate, the data we send is twice encrypted source’s private key outer shell, recipient’s public key inner shell. https://en.wikipedia.org/wiki/Web_of_trust#Simplified_Explanation # SOPS For a PGP setup, development machine must have the same public/private PGP key. Technically, we only need the public key to write content but for reading/editing we need the private key. @@ -27,7 +27,7 @@ The benefit of using KMS is it decouples the encryption key from access credenti # Setting up SOPS with PGP First, get SOPS installed by following its instructions: https://github.com/mozilla/sops/tree/0494bc41911bc6e050ddd8a5da2bbb071a79a5b7#up-and-running-in-60-seconds To delete their PGP key (although you likely don’t need to; GPG is more of a credential manager): @@ -45,7 +45,7 @@ sub 1024R/7CD79CC0 2015-10-08 - In the example above, public fingerprint is `07FB1A0A` and private is `7CD79CC0` - Verify empty files at `~/.gnupg/pubring.gpg` and `~/.gnupg/secring.gpg` GPG cheatsheet here: http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg-cs.html Now that we have SOPS installed, let’s set it up in our repo:
@@ -57,20 +57,18 @@ Now that we have SOPS installed, let’s set it up in our repo: 4. Real name: {{repo}} PGP (e.g. “twolfson.com PGP”) 5. Email address: {{email}} 6. Comment: PGP credentials for {{repo}} secrets 7. Password: Empty password - You may use a password but all developers and scripts performing decryption will need to know that password - This effectively makes the password useless since we are more concerned about compromising our secrets than the RSA key 2. Find full fingerprint for keys via `gpg --fingerprint` - This will be `740D DBFA...` in `Key fingerprint = 740D DBFA...` 3. Create our file via `sops --pgp '{{full_fingerprint}}' secret.yml` - For JSON, we can use a non-YAML extension - For future edits of the file, we can use `sops secret.yml` (our PGP fingerprint has been stored inside of the file) 4. Extract private key to file via `gpg --export-secret-keys --armor {{fingerprint}} > private.rsa` - `--armor` exports a human-friendly ASCII format instead of binary 5. Upload private key to our server via `rsync private.rsa {{server}}:private.rsa` 6. SSH onto our machine 7. Import private key into `gpg` keychain via `gpg --import private.rsa` 8. During deployment, decrypt `secret.yml` to its plaintext variant via `sops --decrypt --in-place secret.yml` 9. Run server using plaintext `secret.yml` -
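Review bot: in the `@@ -57,20 +57,18 @@` hunk, the justification for an empty passphrase in sub-step 7 ("this effectively makes the password useless since we are more concerned about compromising our secrets than the RSA key") overstates the case; the passphrase protects the private key at rest, which is exactly the state it is in after step 4 exports it to `private.rsa` and step 5 copies that file over the network. State the real trade-off (unattended decryption on the server versus an encrypted key file) instead of calling the passphrase useless. Step 8's `sops --decrypt --in-place secret.yml` also overwrites the only encrypted copy in the checkout with plaintext, so a second deployment on the same working tree has nothing left to decrypt; write the plaintext to a separate path.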
twolfson revised this gist
Jan 28, 2016. 1 changed file with 32 additions and 8 deletions.
@@ -24,16 +24,25 @@ As an alternative to this sensitive setup, we can use AWS’ KMS which will mana The benefit of using KMS is it decouples the encryption key from access credentials. Great job by Mozilla here :100: # Setting up SOPS with PGP First, get SOPS installed by following its instructions: https://github.com/mozilla/sops/tree/0494bc41911bc6e050ddd8a5da2bbb071a79a5b7#up-and-running-in-60-seconds To delete their PGP key (although you likely don’t need to; GPG is more of a credential manager): - List installed keys via `gpg --list-keys` ``` /home/todd/.gnupg/pubring.gpg ----------------------------- pub 1024R/07FB1A0A 2015-10-08 uid SOPS Functional Tests (https://github.com/mozilla/sops/) <[email protected]> sub 1024R/7CD79CC0 2015-10-08 ``` - Delete desired key via `gpg --delete-keys {{fingerprint}}` and `gpg --delete-secret-keys {{fingerprint}}` - In the example above, public fingerprint is `07FB1A0A` and private is `7CD79CC0` - Verify empty files at `~/.gnupg/pubring.gpg` and `~/.gnupg/secring.gpg` GPG cheatsheet here: http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg-cs.html
@@ -43,10 +52,25 @@ Now that we have SOPS installed, let’s set it up in our repo: 1. Generate a GPG key for the repo 1. Use `gpg --gen-key`. For configuration, I chose: 1. Key type: RSA and RSA 2. Keysize: 2048 3. Expiration: 0 (never expires, otherwise we will have to re-set up configs) 4. Real name: {{repo}} PGP (e.g. “twolfson.com PGP”) 5. Email address: {{email}} 6. Comment: PGP credentials for {{repo}} secrets 7. Password: {{password}} 1. TODO: We set up a password on our key pair, should we have done that? 2. Find full fingerprint for keys via `gpg --fingerprint` 1. This will be `740D DBFA...` in `Key fingerprint = 740D DBFA...` 3. Create our file via `sops --pgp '{{full_fingerprint}}' secret.yml` 1. For JSON, we can use a non-YAML extension 4. For future edits of the file, we can use `sops secret.yml` (our PGP fingerprint has been stored inside of the file) **Unexplored steps:** - Upload private key to server via `rsync` - Import to `pgp` via `pgp --import` - Decrypt via `sops --decrypt --in-place secret.yml` or similar - TODO: Find out if signature is same as we expect - Run our server with `secret.yml` TODO: Want to explore other file signatures for SOPS; this isn't too compatible with our common/dev/test/prod setup nor the `static_*.json` breakdown -
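Review bot: in the `@@ -24,16 +24,25 @@` hunk, the bullet "public fingerprint is `07FB1A0A` and private is `7CD79CC0`" misreads the `gpg --list-keys` output; those are the short key IDs of the primary key (`pub`) and of its encryption subkey (`sub`), and each has both a public and a secret half. Short 32-bit IDs are also trivially collidable, so pass the full fingerprint from `gpg --fingerprint` to `--delete-keys` and `--delete-secret-keys`, and run `--delete-secret-keys` before `--delete-keys`: gpg refuses to delete a public key while a matching secret key is still in the keyring.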
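Review bot: in the `@@ -43,10 +52,25 @@` hunk, "Import to `pgp` via `pgp --import`" under "Unexplored steps" should read `gpg --import`; gpg is the tool used everywhere else in the document. The TODO about the passphrase in sub-step 7 and the "Expiration: 0" choice in sub-step 3 belong together: a deployment script that decrypts unattended cannot type a passphrase, so this key will end up with an empty one and the exported key file becomes the thing to protect, and a key that never expires means nothing ever forces a rotation, so the notes should say how the key gets revoked and the `--pgp` fingerprint stored in `secret.yml` replaced if the server is compromised.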
twolfson created this gist
Jan 28, 2016.
@@ -0,0 +1,52 @@ I'm learning about SOPS and setting it up as my preferred mechanism for storing secrets. Here are my notes. # PGP It’s security mechanism is that we (i.e. client) use a PUBLIC key from the receiver (i.e. server) and encode it with a random key (I’m saying nonce but it could be reused) This varies from RSA and SSH because the server uses a PUBLIC key to identify the client. # Web of trust Web of trust operates by still using PGP (i.e. encoding with recipient’s public key) but additionally, we can encrypt/sign the data as our own by signing it with the client’s private key. This means the recipient will initially decrypt via our (i.e. client’s) public key (verifying the source) and then decrypting via their (i.e. server’s) private key to get the data. To reiterate, the data we send is twice encrypted source’s private key outer shell, recipient’s public key inner shell. https://en.wikipedia.org/wiki/Web_of_trust#Simplified_Explanation # SOPS For a PGP setup, development machine must have the same public/private PGP key. Technically, we only need the public key to write content but for reading/editing we need the private key. The production server will have the private key for decryption. We can share the same PGP key for all services or make it per-service (obviously 1 is easier to maintain). As an alternative to this sensitive setup, we can use AWS’ KMS which will manage these public/private keys for us. To access said keys, we can use AWS credentials and their access control policy. The benefit of using KMS is it decouples the encryption key from access credentials. 
Great job by Mozilla here :100: # Setting up SOPS First, get SOPS installed by following its instructions: https://github.com/mozilla/sops/tree/0494bc41911bc6e050ddd8a5da2bbb071a79a5b7#up-and-running-in-60-seconds To delete their PGP key (although you likely don’t need to; GPG is more of a credential manager): - List installed keys via `gpg --list-keys` - TODO: Explain how `--list-keys` has a strange signature - Delete desired key via `gpg --delete-keys {{fingerprint}}` and `gpg --delete-secret-keys {{fingerprint}}` - Verify empty files at `~/.gnupg/pubring.gpg` and `~/.gnupg/secring.gpg` GPG cheatsheet here: http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg-cs.html Now that we have SOPS installed, let’s set it up in our repo: 1. Generate a GPG key for the repo 1. Use `gpg --gen-key`. For configuration, I chose: 1. Key type: RSA and RSA 1. Keysize: 2048 1. Expiration: 0 (never expires, otherwise we will have to re-set up configs) 1. Real name: {{repo}} PGP (e.g. “twolfson.com PGP”) 1. Email address: {{email}} 1. Comment: PGP credentials for {{repo}} secrets 1. Password: {{password}} 1. TODO: We set up a password on our key pair, should we have done that?
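Review bot: the "# PGP" section in this hunk describes hybrid encryption but gets the key handling wrong in two places: the random session key that encrypts the data must be fresh for every message, not something that "could be reused", and it is that session key, not the data, which is encrypted with the recipient's public key. The "# Web of trust" section describes sign-then-encrypt (signing with the sender's private key so the recipient can verify the source), which is not what the linked Wikipedia article covers; the web of trust is the scheme by which users certify each other's public keys so a key can be trusted without a central authority. "Twice encrypted ... source's private key outer shell" also conflates signing with encryption: a signature is verified, not decrypted, and in normal PGP usage it sits inside the encryption, not outside it.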