Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sops EDIT function DOESN'T take latest configuration, was always using original configuration #1788

Open
Neal910 opened this issue Mar 5, 2025 · 5 comments
Open

Sops EDIT function DOESN'T take latest configuration, was always using original configuration #1788

Neal910 opened this issue Mar 5, 2025 · 5 comments

Comments

@Neal910
Copy link

Neal910 commented Mar 5, 2025

Background

We are changing the sops configuration for all our env vars saved in a project, but we don't want to re-encrypt all the files and commit them massively at once. Instead, we would like to ONLY change the sops configuration and leave all files as this for later operation. What I meant by later operation is that whenever people sops edit a file, then after editing we expect the sops will re-encrypt the file by using the new configuration. This way while people changing each file, we can gradually migrate all the env vars files with new configuration, this could potentially avoid everything change at once risk.

Issue

However current edit function doesn't take the configuration as a parameter, it will keep using the original config https://github.com/getsops/sops/blob/main/cmd/sops/main.go#L1305, a non-existing file will trigger the new config https://github.com/getsops/sops/blob/main/cmd/sops/main.go#L1328.

Does this make sense to always use latest config while doing the editing? Or is there any context I don't understand?
@felixfontein
Copy link
Contributor

That has been the behavior for many, many years. Editing does not automatically add or remove keys, unless you explicitly tell sops to add/remove specific keys. If you want to update keys to the latest config, use the updatekeys subcommand.

@Neal910
Copy link
Author

Neal910 commented Mar 5, 2025

Thanks a lot for your reply.

However I am not updating the keys, but to change from unencrypted_regex to something like

encrypted_regex: '.*(PASSWORD|SECRET|CREDENTIAL|PRIVATE|KEY|AUTH|TOKEN|JWT).*'
mac_only_encrypted: true

I tried with updateKeys function, it seems not work with this scenario.

@felixfontein
Copy link
Contributor

I don't think there's an update functionality for these kind of changes so far. updatekeys only takes care of encryption keys.

CC @getsops/maintainers. (Related: #1610 (comment))

@Neal910
Copy link
Author

Neal910 commented Mar 6, 2025

@felixfontein I played with a forked sops for a little bit to add a update-all-configs flag on updateKeys and realized that even with this flag it's the sops configurations and keys got updated for each of the encryption files, we would still need to add more to get encryption content updated, that leads me think what I need should not be the responsibility of updateKeys.

So maybe I should build a script myself to loop through all the encryption files, get them decrypt and encrypt again with new configurations. Or you think that can be something that Sops can support.

@haslersn
Copy link

haslersn commented Mar 24, 2025
edited
Loading

I think sops should have a reencrypt -i subcommand that does exactly the following, but without writing the intermediate plaintext to disk:

sops decrypt -i <filepath>
sops encrypt -i <filepath>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@felixfontein @Neal910 @haslersn