Comment by berkes
4 days ago
Has done "wat" for years?
I use sops for encrypting yaml files. But how does it replace .env or other ENV var setters/holders?
4 days ago
Has done "wat" for years?
I use sops for encrypting yaml files. But how does it replace .env or other ENV var setters/holders?
Sops can natively handle .env files. All you need to apply them to your process is a small wrapper script that sources the decrypted file before invoking your command.
There's a lot of gotcha bundled into this statement. It is true what you say, but it also hides away the nightmare of shell escaping bullshit that comes with the .env format the second you have to have some sort of transformation on the data that is orthogonal to the normal decryption path. I think that now they have a better story around some of the edge cases but if you go into SOPS you will see several issues around how the .env file format is just a complete nightmare with crazy escaped values such as a Google Service Account JSON.
The way I got around this on my own stuff is just to have a policy that all sops secrets have to be base64 encoded before the encryption hits them. That seems to solve basically every piping issue you could hit. Works super well with kubernetes, who supports native base64 encoded secrets, so you just take the value and inject it in, using data: instead of stringData: in the manifest of the created secret.
FWIW, I looked into it myself too, and found e.g. this direnv setup:
https://github.com/direnv/direnv/wiki/Sops