Is it possible to update a SOPS-encrypted file without decrypting it first?


I'm using Mozilla SOPS to encrypt secrets, the results of which are committed to a git repo shared by the other members of a project. When using SOPS for personal projects, I am using age to encrypt/decrypt the contents of my SOPS files; if I have a file called my-secrets.sops.yaml and I want to add a new key/value pair to it, my normal workflow is:

  1. Run sops -d -i my-secrets.sops.yaml to decrypt the file in-place so that the values are plaintext.
  2. Add new_secret: "ThisIsASecret" to the file.
  3. Run sops -e -i my-secrets.sops.yaml to encrypt the file in-place.
  4. Commit the changes to git.

This works for my personal projects because I generate the age secret and public keys myself, so I have access to both. I am aware that only the age public key is required to encrypt, but the secret key is required in order to decrypt.

Now here's my question: if I want to add a key/value pair (or update an existing value) in an existing SOPS file that already contains encrypted values, do I need the ability to decrypt the file first? I know that I could create a brand new file and just encrypt that, but that seems messy, especially in a collaborative environment.

In short: is it possible to add a new value to a YAML file that has been encrypted with SOPS with only the public key available (i.e. without decrypting)?


For context, a bit of background info on my use-case: this project uses Terraform to manage infrastructure, and secrets are kept in a SOPS-encrypted file located in the terraform project directory (for those interested, I'm using this provider to do stuff with the secret values). Our CI environment runs terraform, and has access to the age private key so that Terraform can (e.g.) set the password on database resources, etc. I want to make it so that developers can add new secrets, but cannot decrypt the secrets once they have been added.

Answer by David Burton:

You can use sops --set '["foo"]["bar"] "test"' ./test.enc.yaml to set or update just the foo.bar value without decrypting or altering the other entries. This means that with PGP you can use the public key to set a new value without having access to the private values.
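An added pre-commit check for the collaborative workflow in the question, not code from either post: it walks a loaded SOPS document and reports every leaf that is not an ENC[...] string, which is what the file looks like after step 1 (sops -d -i) when step 3 (sops -e -i) was skipped before the commit. Note that sops has to unwrap the file's data key to encrypt a new value and recompute the MAC, so even --set needs a private key it can use; this check only catches plaintext that slipped into the repository. It assumes the YAML has already been loaded into a dict (yaml.safe_load), uses only the standard library, and its sample document, base64 payloads and age recipient are constructed placeholders.

```python
import re

# Every encrypted leaf sops writes, whatever the file format, has this shape:
# ENC[AES256_GCM,data:<b64>,iv:<b64>,tag:<b64>,type:<str|int|float|bool|comment>]
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]*,iv:[A-Za-z0-9+/=]+,"
                    r"tag:[A-Za-z0-9+/=]+,type:[a-z]+\]$")

def leaves(node, path=()):
    """Yield (path, value) for every scalar in a nested dict/list tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from leaves(value, path + (str(index),))
    else:
        yield path, node

def find_plaintext(doc):
    """Return paths of leaves that should be encrypted but are not."""
    meta = doc.get("sops")  # metadata block (recipients, MAC): never encrypted
    if not isinstance(meta, dict) or "mac" not in meta:
        return [("sops",)]  # no metadata/MAC: not a sops-encrypted file at all
    suffix = meta.get("unencrypted_suffix", "_unencrypted")
    body = {key: value for key, value in doc.items() if key != "sops"}
    bad = []
    for path, value in leaves(body):
        if any(part.endswith(suffix) for part in path):
            continue  # e.g. region_unencrypted: allowed to be plaintext by design
        if not (isinstance(value, str) and ENC_RE.match(value)):
            bad.append(path)
    return bad

# Constructed sample, shaped like what yaml.safe_load returns for a real file;
# the base64 payloads and the age recipient are placeholders, not ciphertext.
SAMPLE = {
    "db_password": "ENC[AES256_GCM,data:Q29uc3RydWN0ZWQ=,iv:aXY=,tag:dGFn,type:str]",
    "new_secret": "ThisIsASecret",      # decrypted in place and never re-encrypted
    "region_unencrypted": "eu-west-1",  # intentionally clear
    "sops": {
        "age": [{"recipient": "age1PLACEHOLDER", "enc": "PLACEHOLDER"}],
        "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]",
        "unencrypted_suffix": "_unencrypted",
    },
}

if __name__ == "__main__":
    for path in find_plaintext(SAMPLE):
        print("plaintext value at", ".".join(path))  # new_secret
```

Wire it into a pre-commit hook that exits non-zero when the returned list is non-empty, and the decrypt-edit-forgot-to-re-encrypt mistake never reaches the shared repository.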