
unencrypted_comment_regex unexpectedly exposes secrets #1672

Open
c33s opened this issue Nov 8, 2024 · 1 comment
Labels
enhancement not-a-bug SOPS behaves as designed, though apparently not as the user expected

Comments


c33s commented Nov 8, 2024

having a sops config file with unencrypted_comment_regex like this:
.sops.yaml

creation_rules:
  - unencrypted_comment_regex: sops:dec

and a secrets.yaml

# server credentials
credentials:
    # this is the age key for the deployment server # <- should stay unencrypted
    # hostname foo.example.com # <- should be encrypted
    age_key: 
        private: AGE-SECRET-KEY.... # <- should be encrypted
        public: age1.... # <- should be encrypted

where you want to have some readable comments but an encrypted private and public key, someone can easily think it should work like:

# server credentials
credentials:
    #sops:dec
    # this is the age key for the deployment server
    # hostname foo.example.com
    age_key:
        private: AGE-SECRET-KEY....
        public: age1....

the assumption for me was to get:

#ENC[AES256_GCM... type:comment]
credentials:
    # this is the age key for the deployment server
    #ENC[AES256_GCM... type:comment]
    age_key:
        private: ENC[AES256_GCM...]
        public: ENC[AES256_GCM...]

but you end up with

#ENC[AES256_GCM... type:comment]
credentials:
    # this is the age key for the deployment server
    # hostname foo.example.com
    age_key:
        private: AGE-SECRET-KEY....
        public: age1....

so the sops:dec prevents the encryption not only for the next line but for the full following section until the next new comment block or next key/property.

that is quite unhandy/uncool, as someone might assume that only the next line stays unencrypted and not the whole next section with all its subkeys. so you have no granular control over what gets encrypted and what does not get encrypted.
also, as far as i know, unencrypted_comment_regex is mutually exclusive with encrypted_comment_regex, so i cannot even do this:

# server credentials
credentials:
    #sops:dec
    # this is the age key for the deployment server
    #sops:enc
    # hostname foo.example.com
    age_key:
        private: AGE-SECRET-KEY....
        public: age1....

or

# server credentials
credentials:
    #sops:dec
    # this is the age key for the deployment server
    #sops:dec:end
    # hostname foo.example.com
    age_key:
        private: AGE-SECRET-KEY....
        public: age1....

is there no way to only keep the next line or the next comment unencrypted but keep the rest encrypted (without specifying each key i want to encrypt/keep unencrypted with its own regex/rule)?

i had to remove the #sops:dec comment and stay with encrypted comments to stay safe (you easily overlook such behavior if your secrets file is a little longer).

i miss three things:

  • easy keep next / same line unencrypted
  • property/setting in the config to keep all comments unencrypted
  • allow to use both settings together (unencrypted_comment_regex and encrypted_comment_regex)
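As an added example (not part of the issue or of SOPS itself): a post-encryption check in Python that scans the file SOPS produced and reports every comment or scalar value that is not wrapped in an ENC[...] marker, so a partially plaintext result like the one above is caught before it is committed. The sample input is the "you end up with" output from this issue; the scanner is line-based and assumes the block-style YAML SOPS emits, and it stops at the top-level `sops:` metadata block, whose values are plaintext by design.

```python
import re

# Constructed sample: the "you end up with" output from the issue, where only
# the first comment was encrypted and everything after it stayed in plaintext.
SAMPLE = """\
#ENC[AES256_GCM... type:comment]
credentials:
    # this is the age key for the deployment server
    # hostname foo.example.com
    age_key:
        private: AGE-SECRET-KEY....
        public: age1....
"""

COMMENT = re.compile(r"^\s*#(.*)$")
# key followed by an optional scalar; mapping keys (no scalar) yield an empty group 2
KEY_VALUE = re.compile(r"^\s*([^#:\s][^:]*):\s*(.*?)\s*$")
SOPS_METADATA = re.compile(r"^sops:\s*$")


def find_plaintext(text):
    """Return (line_no, kind, content) for every comment or scalar value that
    is not an ENC[...] marker. Line-based: handles the block-style YAML SOPS
    emits; flow style and inline comments after values are out of scope."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if SOPS_METADATA.match(line):
            break  # the sops: metadata block is plaintext by design
        m = COMMENT.match(line)
        if m:
            body = m.group(1).strip()
            if not body.startswith("ENC["):
                findings.append((no, "comment", body))
            continue
        m = KEY_VALUE.match(line)
        if m and m.group(2):  # skip keys that only open a nested mapping
            key, value = m.group(1).strip(), m.group(2)
            if not value.startswith("ENC["):
                findings.append((no, "value", key))
    return findings


if __name__ == "__main__":
    for no, kind, content in find_plaintext(SAMPLE):
        print(f"line {no}: plaintext {kind}: {content}")
```

Run it against the encrypted file before committing; any non-empty report means the comment regex left more than you intended in the clear.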
felixfontein added the not-a-bug label Dec 24, 2024

felixfontein (Contributor) commented:

> is there no way to only keep the next line or the next comment unencrypted but keep the rest encrypted (without specifying each key i want to encrypt/keep unencrypted with its own regex/rule)?

There is no way to do that.
