mozilla SOPS

2022-08-22 · 1 min read

Simple and flexible tool for managing secrets

overview

  • Store encrypted credentials in an ops git repo
  • DevOps manually "provisions" secrets by updating per-service encrypted credentials files
  • Credentials files are encrypted with a key that is itself stored in, e.g., Azure KMS (are per-service credentials encrypted with a key viewable only by that service in Azure KMS?)
  • When a service is provisioned, on startup its credentials decryption key is pulled from KMS and the credentials are decrypted
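The per-service layout the bullets sketch, as an added example that is not from the original post or the SOPS project: a `.sops.yaml` whose creation rules give each service's credentials files their own Azure Key Vault key, with the provisioning and startup commands in the comments. The vault name, key names, key version, service paths and the sample values are assumptions.

```yaml
# .sops.yaml at the root of the ops repo (constructed example).
# Each rule matches one service's credentials files and names the
# Key Vault key that protects them. Vault and key names and the
# key version are placeholders; the URL form is
# https://<vault>.vault.azure.net/keys/<key-name>/<key-version>
creation_rules:
  - path_regex: ^secrets/billing/.*\.yaml$
    azure_keyvault: https://ops-kv.vault.azure.net/keys/billing-sops/KEY_VERSION
  - path_regex: ^secrets/api/.*\.yaml$
    azure_keyvault: https://ops-kv.vault.azure.net/keys/api-sops/KEY_VERSION

# secrets/api/creds.yaml before encryption (constructed sample values):
#   db_password: example-not-a-real-password
#   api_token: example-token
#
# DevOps provisions the file; sops picks the rule by path:
#   sops --encrypt --in-place secrets/api/creds.yaml
# sops encrypts the values with a random per-file data key and wraps
# that data key with the Key Vault key; the key names stay readable
# and a `sops:` block recording the azure_kv URL and the wrapped data
# key is appended. The Key Vault key itself never leaves the vault.
# Commit the result to the ops repo.
#
# At service startup, an identity that holds decrypt permission on
# api-sops only (and none on billing-sops) unwraps the data key:
#   sops --decrypt secrets/api/creds.yaml > /run/secrets/creds.yaml
# or passes the values to the process as environment variables
# without writing a plaintext file:
#   sops exec-env secrets/api/creds.yaml 'start-api-service'
```

Scoping each service's identity to its own key is what answers the question in the bullets: a service that can only decrypt with api-sops cannot read the billing files even though both live in the same repo.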