Sops: SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.
I use sops as a way to distribute repo-embedded secrets to deployments. My current state is something like:
```yaml
keys:
  # these pgp fingerprints are hypothetically stashed on yubikeys
  - &admin1 85D77543B3D624B63CEA9E6DBC17301B491B3F21
  - &admin2 E60892BB9BD89A69F759A1A0A3D652173B763E8F
  - &deploymentA age13g95t0knjaanph6s8d5qlt9e00pacjthrgjdt8hn0n32eqyt596qgxymrs
creation_rules:
  - key_groups:
      - pgp:
          - *admin1
          - *admin2
        age:
          - *deploymentA
```
I've generated age keys on yubikeys, and would like to use the following (so I can move off of gpg entirely : )
```yaml
keys:
  # these are now hypothetical age keys!
  - &admin1 age1yubikey3kkk8fcv3x35nhumlpj6ljsl87mfet7weu73yx4m94twyfgrnvqqjtzkw
  - &admin2 age1yubikeylxh0t6yv38jxpgsvgf4vm74v6zy4d884j9mkh0er2lvshddduqassnsk
  - &deploymentA age13g95t0knjaanph6s8d5qlt9e00pacjthrgjdt8hn0n32eqyt596qgxymrs
creation_rules:
  - key_groups:
      - age:
          - *admin1
          - *admin2
          - *deploymentA
```
However `sops secret.yaml` chokes with:

```
failed to parse input as Bech32-encoded age public key: malformed recipient "age1yubikey1qfj6cjej7ghmgl06vffex7eefvajusr4lu9w8k2sfe089wv3z7gdvqw0jjj": invalid type "age1yubikey"
```
Sops calls in here:
https://github.com/getsops/sops/blob/a8fb5405533aa10c36e267a9410d9e8ac0cf7a3b/age/keysource.go#L299
It's unclear to me whether this is a sops ask or an age ask: my hunch is that it's age's responsibility to come up with a valid recipient for any available plugin implementations.
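The `invalid type "age1yubikey"` in the error above is the Bech32 prefix of the recipient: the string splits at its last `1`, a native X25519 recipient has the prefix `age`, and a plugin recipient has the prefix `age1<plugin name>`. The Go program below is an added example, not code from sops or age; `ClassifyRecipient` is a hypothetical helper that only splits and classifies the prefix and does not verify the Bech32 checksum.

```go
package main

import (
	"fmt"
	"strings"
)

// bech32Charset is the Bech32 data alphabet. It contains no '1', so the
// last '1' in a string is always the separator between prefix and data.
const bech32Charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

// ClassifyRecipient (hypothetical helper) splits an age recipient into its
// human-readable prefix (HRP) and reports which kind of recipient the
// prefix denotes. It does not verify the checksum or decode the key bytes.
func ClassifyRecipient(s string) (hrp, kind string, err error) {
	s = strings.TrimSpace(s)
	sep := strings.LastIndexByte(s, '1')
	if sep < 1 || len(s)-sep-1 < 6 { // a Bech32 checksum alone is 6 characters
		return "", "", fmt.Errorf("no Bech32 separator or data in %q", s)
	}
	hrp, data := s[:sep], s[sep+1:]
	for _, c := range data {
		if !strings.ContainsRune(bech32Charset, c) {
			return hrp, "", fmt.Errorf("invalid Bech32 character %q in %q", c, s)
		}
	}
	switch {
	case hrp == "age": // native X25519 recipient
		return hrp, "x25519", nil
	case strings.HasPrefix(hrp, "age1") && len(hrp) > 4: // handled by age-plugin-<name>
		return hrp, "plugin:" + hrp[4:], nil
	default:
		return hrp, "", fmt.Errorf("unknown recipient type %q", hrp)
	}
}

func main() {
	// Recipient strings copied from the post above.
	for _, r := range []string{
		"age13g95t0knjaanph6s8d5qlt9e00pacjthrgjdt8hn0n32eqyt596qgxymrs",
		"age1yubikey1qfj6cjej7ghmgl06vffex7eefvajusr4lu9w8k2sfe089wv3z7gdvqw0jjj",
	} {
		hrp, kind, err := ClassifyRecipient(r)
		fmt.Printf("hrp=%q kind=%q err=%v\n", hrp, kind, err)
	}
}
```

Running it over the recipients in a `.sops.yaml` shows which entries a parser that accepts only the `age` prefix will reject before `sops` is invoked.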