Secrets Management
sops
Age Install
sudo pacman -S age
cd ~/create/sheepdog/deploy.sh
Sops Install
# Download the binary
curl -LO https://github.com/getsops/sops/releases/download/v3.11.0/sops-v3.11.0.linux.amd64
# Verify the download against the checksums file (and signature) published on the same release page before trusting it: this binary will handle every secret you manage
# Move the binary into your PATH
sudo mv sops-v3.11.0.linux.amd64 /usr/local/bin/sops
# Make the binary executable
sudo chmod +x /usr/local/bin/sops
- put the age key file where sops looks for it, under the config dir of whichever user will run sops (the default is ~/.config/sops/age/keys.txt; the SOPS_AGE_KEY_FILE env var overrides it). Keep the file mode 600: it decrypts everything encrypted to that key.
mkdir -p /home/piegarden/.config/sops/age
# /home/piegarden/.config/sops/age/keys.txt   (when sops runs as piegarden)
# /root/.config/sops/age/keys.txt             (when sops runs as root)
Hint: recipients are the age public keys listed in the .sops.yaml creation rules. After changing that list, re-wrap an already encrypted file's data key for the new recipient set with the following command (it takes the encrypted file as its argument and leaves the encrypted values untouched):
sops updatekeys
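The whole workflow the steps above set up, as an added example that is not part of these notes or of the sops project: generate two age identities, write a .sops.yaml creation rule, encrypt a JSON secret to the first identity, show that the second identity cannot decrypt it, then add the second identity as a recipient and re-wrap the data key with `sops updatekeys`. It assumes `sops` (v3.9 or newer, for the `encrypt`/`decrypt` subcommands) and `age-keygen` are on PATH; the temp directory, key names and the sample secret are constructed for the example.

```shell
# Added example (not from the original notes): end-to-end sops + age round trip
# in a throwaway directory. Assumes `sops` (v3.9+) and `age-keygen` on PATH.
# Every path, key name and the sample secret below are constructed.
set -eu

sops_age_demo() {
    local work deploy_pub admin_pub got port
    work="$(mktemp -d)"
    cd "$work"

    # 1. Two age identities: the deploy user and a second admin. age-keygen
    #    records the public half as a "# public key: age1..." comment line.
    mkdir -p keys
    chmod 700 keys
    age-keygen -o keys/deploy.txt 2>/dev/null
    age-keygen -o keys/admin.txt 2>/dev/null
    chmod 600 keys/deploy.txt keys/admin.txt
    deploy_pub="$(sed -n 's/^# public key: //p' keys/deploy.txt)"
    admin_pub="$(sed -n 's/^# public key: //p' keys/admin.txt)"

    # 2. Creation rule: every *.json under this directory is encrypted to the
    #    deploy identity only.
    printf 'creation_rules:\n  - path_regex: \\.json$\n    age: %s\n' \
        "$deploy_pub" > .sops.yaml

    # 3. A constructed plaintext secret (JSON keeps the number typed).
    printf '%s\n' \
        '{"db": {"host": "db.internal", "port": 5432, "password": "s3cr3t-example"}}' \
        > secrets.json
    sops encrypt secrets.json > secrets.enc.json
    rm secrets.json

    # 4. The ciphertext must not contain the plaintext and must carry the
    #    "sops" metadata block (wrapped data key and recipient list).
    if grep -q 's3cr3t-example' secrets.enc.json; then
        echo 'plaintext leaked into the encrypted file' >&2
        return 1
    fi
    grep -q '"sops"' secrets.enc.json

    # 5. Decrypt as the deploy identity and pull a single leaf value.
    got="$(SOPS_AGE_KEY_FILE=keys/deploy.txt \
           sops decrypt --extract '["db"]["password"]' secrets.enc.json)"
    [ "$got" = "s3cr3t-example" ]

    # 6. The admin identity is not a recipient yet, so decryption must fail.
    if SOPS_AGE_KEY_FILE=keys/admin.txt sops decrypt secrets.enc.json >/dev/null 2>&1; then
        echo 'admin decrypted a file it is not a recipient of' >&2
        return 1
    fi

    # 7. Add the admin as a recipient and re-wrap the data key. updatekeys
    #    needs an identity that can already decrypt; it rewrites only the
    #    sops metadata, not the encrypted values.
    printf 'creation_rules:\n  - path_regex: \\.json$\n    age: %s,%s\n' \
        "$deploy_pub" "$admin_pub" > .sops.yaml
    SOPS_AGE_KEY_FILE=keys/deploy.txt sops updatekeys --yes secrets.enc.json >/dev/null
    port="$(SOPS_AGE_KEY_FILE=keys/admin.txt \
            sops decrypt --extract '["db"]["port"]' secrets.enc.json)"

    cd / && rm -rf "$work"
    printf '%s\n' "$port"
}
```

Calling `sops_age_demo` runs the whole sequence and prints the port (5432) as read by the newly added admin identity; any step that breaks the expected security property (plaintext in the ciphertext, a non-recipient decrypting) makes it fail instead. The same .sops.yaml shape, with the real deploy key's public half, is what the key-file layout above is meant to serve.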
Before committing, scan the working tree for plaintext secrets that slipped past .gitignore (--no-git scans the files on disk rather than git history):
gitleaks detect --source . --no-git --verbose
Theory
Storing Secrets in an S3 Bucket as JSON files
Pros:
- Deploying my configs via S3 keeps them in a remote location I can reach from anywhere, so I don't lose them when I switch computers.
- Can deploy all configs with a single set of AWS credentials.
- JSON files map to structs nicely, so it ends up being a lot less code than shoveling around a bunch of env vars.
- JSON has types, so you don't have to keep parsing strings for number or boolean values.
- Can edit these files with NVIM easily.
- Can group all configs for a single service in the same directory.
- Can upload configs too, for dynamic configs (e.g., lego registration).
- Safer, since a config that only lives remotely can't be pushed to git by accident if you forget to add it to .gitignore.
- Can use AWS profiles to switch between environments with different sets of credentials.
Cons:
- It's a lot faster to read from disk than from a bucket.
- Downloading, editing, and then uploading is a bit cumbersome.
- If you don't have internet (a car drive in the country, an airplane), you still have to keep local configs.
- The bucket and the credentials that reach it become the trust boundary: the objects are only as safe as the bucket policy (block public access, least-privilege IAM per environment) and the credentials sitting on each machine, so encrypt the files with sops before uploading them so a leaked bucket credential doesn't hand over plaintext.