From e8ea26fcc62dd2010f40aea828914e5ef0e562e7 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sun, 29 Oct 2023 18:28:18 +0100
Subject: [PATCH 1/3] Allow to override fileName with different value.
Signed-off-by: Felix Fontein
---
 cmd/sops/main.go | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 0b3b0b6ae..26e084c26 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -769,6 +769,10 @@ func main() {
 Name: "output",
 Usage: "Save the output after encryption or decryption to the file specified",
 },
+ cli.StringFlag{
+ Name: "filename-override",
+ Usage: "Use this filename instead of the provided argument for loading configuration, and for determining input type and output type",
+ },
 }, keyserviceFlags...)
 app.Action = func(c *cli.Context) error {
@@ -795,13 +799,17 @@ func main() {
 return common.NewExitError("Error: cannot operate on non-existent file", codes.NoFileSpecified)
 }
 }
+ fileNameOverride := c.String("filename-override")
+ if fileNameOverride == "" {
+ fileNameOverride = fileName
+ }
 unencryptedSuffix := c.String("unencrypted-suffix")
 encryptedSuffix := c.String("encrypted-suffix")
 encryptedRegex := c.String("encrypted-regex")
 unencryptedRegex := c.String("unencrypted-regex")
 macOnlyEncrypted := c.Bool("mac-only-encrypted")
- conf, err := loadConfig(c, fileName, nil)
+ conf, err := loadConfig(c, fileNameOverride, nil)
 if err != nil {
 return toExitError(err)
 }
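Review bot: The `Usage` string of the new `filename-override` flag says the name is used "for loading configuration", which undersells the reason the flag exists according to the README patch in this series: it is the path that `.sops.yaml` creation rules (`path_regex`) are matched against, and therefore it decides which key groups encrypt the data. Spell that out so `sops --help` readers do not have to find the README, e.g. `Usage: "Use this filename instead of the provided argument for matching creation rules in .sops.yaml, and for determining input type and output type",`. If the config lookup resolves the name relative to the current directory (the value is passed straight through below, so this hunk does not show how it is resolved), the help text should say so too, since a bare `filename.sops.yaml` and `path/filename.sops.yaml` can match different rules. The flag list continues outside the hunk.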
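Review bot: After the fallback on the added lines, `fileNameOverride` feeds `loadConfig` while `fileName` is still what the non-existent-file check just above stat'ed and, presumably, what is read or written later, and nothing in the hunk records that split; a reader will otherwise assume the two must stay equal. A short comment at the assignment would do: `// fileNameOverride only drives config/creation-rule matching and store selection; fileName remains the path actually read or written.` The override is accepted unchecked, which is fine for regex matching, but it is worth noting in that comment that the override also applies when `--decrypt` or `--rotate` is used, so its effect is not limited to encryption. The enclosing `app.Action` closure starts before this hunk and ends after it.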
@@ -847,19 +855,19 @@ func main() {
 unencryptedSuffix = sops.DefaultUnencryptedSuffix
 }
- inputStore := inputStore(c, fileName)
- outputStore := outputStore(c, fileName)
+ inputStore := inputStore(c, fileNameOverride)
+ outputStore := outputStore(c, fileNameOverride)
 svcs := keyservices(c)
 var output []byte
 if c.Bool("encrypt") {
 var groups []sops.KeyGroup
- groups, err = keyGroups(c, fileName)
+ groups, err = keyGroups(c, fileNameOverride)
 if err != nil {
 return toExitError(err)
 }
 var threshold int
- threshold, err = shamirThreshold(c, fileName)
+ threshold, err = shamirThreshold(c, fileNameOverride)
 if err != nil {
 return toExitError(err)
 }
@@ -1015,12 +1023,12 @@ func main() {
 } else {
 // File doesn't exist, edit the example file instead
 var groups []sops.KeyGroup
- groups, err = keyGroups(c, fileName)
+ groups, err = keyGroups(c, fileNameOverride)
 if err != nil {
 return toExitError(err)
 }
 var threshold int
- threshold, err = shamirThreshold(c, fileName)
+ threshold, err = shamirThreshold(c, fileNameOverride)
 if err != nil {
 return toExitError(err)
 }
From c60ab80c1ebc4f76881d2f88edb522a76027881b Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sun, 29 Oct 2023 21:51:09 +0100
Subject: [PATCH 2/3] Document how to encrypt and decrypt via pipes.
Signed-off-by: Felix Fontein
---
 README.rst | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/README.rst b/README.rst
index 82cf622d4..9bc79216d 100644
--- a/README.rst
+++ b/README.rst
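Review bot: Because `keyGroups` and `shamirThreshold` now receive `fileNameOverride`, the key groups that encrypt the data are chosen by a caller-supplied string rather than by the path the ciphertext actually lands at, so a `.sops.yaml` `path_regex` rule can no longer be relied on to bind recipients to a directory; a one-line comment in the encrypt branch would stop the next reader from assuming the on-disk path is consulted, e.g. `// Key groups and threshold come from the creation rule matching fileNameOverride, not from the on-disk path.`. This is a documentation point rather than a new exposure if explicit key flags already take precedence over the config as they did before this change, which this hunk does not show. The `inputStore`/`outputStore` lines above the `if c.Bool("encrypt")` apply the override to every mode, not just encryption, which the same comment should mention. The enclosing `app.Action` closure starts before this hunk and ends after it.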
@@ -323,7 +323,39 @@ Now you can encrypt a file using:: And decrypt it using:: - $ sops --decrypt test.enc.yaml + $ sops --decrypt test.enc.yaml + + +Encrypting and decrypting from other programs +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When using ``sops`` in scripts or from other programs, there are often situations where you do not want to write encrypted or decrypted data to disk. The best way to avoid this is to pass data to SOPS via stdin, and to let SOPS write data to stdout. By default, the encrypt and decrypt operations write data to stdout already. To pass data via stdin, you need to pass ``/dev/stdin`` as the input filename. Please note that this only works on Unix-like operating systems such as macOS and Linux. On Windows, you have to use named pipes. + +To decrypt data, you can simply do: + +.. code:: sh + + $ cat encrypted-data | sops --decrypt /dev/stdin > decrypted-data + +To control the input and output format, pass ``--input-type`` and ``--output-type`` as appropriate. By default, ``sops`` determines the input and output format from the provided filename, which is ``/dev/stdin`` here, and thus will use the binary store which expects JSON input and outputs binary data on decryption. + +For example, to decrypt YAML data and obtain the decrypted result as YAML, use: + +.. code:: sh + + $ cat encrypted-data | sops --input-type yaml --output-type yaml --decrypt /dev/stdin > decrypted-data + +To encrypt, it is important to note that SOPS also uses the filename to look up the correct creation rule from ``.sops.yaml``. Likely ``/dev/stdin`` will not match a creation rule, or only match the fallback rule without ``path_regex``, which is usually not what you want. For that, ``sops`` provides the ``--filename-override`` parameter which allows you to tell SOPS which filename to use to match creation rules: + +.. 
code:: sh
+
+ $ echo 'foo: bar' | sops --filename-override path/filename.sops.yaml --encrypt /dev/stdin > encrypted-data
+
+SOPS will find a matching creation rule for ``path/filename.sops.yaml`` in ``.sops.yaml`` and use that one to encrypt the data from stdin. This filename will also be used to determine the input and output store. As always, the input store type can be adjusted by passing ``--input-type``, and the output store type by passing ``--output-type``:
+
+.. code:: sh
+
+ $ echo foo=bar | sops --filename-override path/filename.sops.yaml --input-type dotenv --encrypt /dev/stdin > encrypted-data
 Encrypting using Hashicorp Vault
From 2678f2dd9bedea1e22e4c289f67efe7728ed0317 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sat, 16 Dec 2023 17:26:20 +0100
Subject: [PATCH 3/3] Wrap lines.
Signed-off-by: Felix Fontein
---
 README.rst | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/README.rst b/README.rst
index 9bc79216d..c47ac6e63 100644
--- a/README.rst
+++ b/README.rst
@@ -329,7 +329,11 @@ And decrypt it using::
 Encrypting and decrypting from other programs
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-When using ``sops`` in scripts or from other programs, there are often situations where you do not want to write encrypted or decrypted data to disk. The best way to avoid this is to pass data to SOPS via stdin, and to let SOPS write data to stdout. By default, the encrypt and decrypt operations write data to stdout already. To pass data via stdin, you need to pass ``/dev/stdin`` as the input filename. Please note that this only works on Unix-like operating systems such as macOS and Linux. On Windows, you have to use named pipes.
+When using ``sops`` in scripts or from other programs, there are often situations where you do not want to write
+encrypted or decrypted data to disk. The best way to avoid this is to pass data to SOPS via stdin, and to let
+SOPS write data to stdout. By default, the encrypt and decrypt operations write data to stdout already. To pass
+data via stdin, you need to pass ``/dev/stdin`` as the input filename. Please note that this only works on
+Unix-like operating systems such as macOS and Linux. On Windows, you have to use named pipes.
 To decrypt data, you can simply do:
@@ -337,7 +341,9 @@ To decrypt data, you can simply do:
 $ cat encrypted-data | sops --decrypt /dev/stdin > decrypted-data
-To control the input and output format, pass ``--input-type`` and ``--output-type`` as appropriate. By default, ``sops`` determines the input and output format from the provided filename, which is ``/dev/stdin`` here, and thus will use the binary store which expects JSON input and outputs binary data on decryption.
+To control the input and output format, pass ``--input-type`` and ``--output-type`` as appropriate. By default,
+``sops`` determines the input and output format from the provided filename, which is ``/dev/stdin`` here, and
+thus will use the binary store which expects JSON input and outputs binary data on decryption.
 For example, to decrypt YAML data and obtain the decrypted result as YAML, use:
@@ -345,13 +351,19 @@ For example, to decrypt YAML data and obtain the decrypted result as YAML, use:
 $ cat encrypted-data | sops --input-type yaml --output-type yaml --decrypt /dev/stdin > decrypted-data
-To encrypt, it is important to note that SOPS also uses the filename to look up the correct creation rule from ``.sops.yaml``. Likely ``/dev/stdin`` will not match a creation rule, or only match the fallback rule without ``path_regex``, which is usually not what you want. For that, ``sops`` provides the ``--filename-override`` parameter which allows you to tell SOPS which filename to use to match creation rules:
+To encrypt, it is important to note that SOPS also uses the filename to look up the correct creation rule from
+``.sops.yaml``. Likely ``/dev/stdin`` will not match a creation rule, or only match the fallback rule without
+``path_regex``, which is usually not what you want. For that, ``sops`` provides the ``--filename-override``
+parameter which allows you to tell SOPS which filename to use to match creation rules:
 .. code:: sh
 $ echo 'foo: bar' | sops --filename-override path/filename.sops.yaml --encrypt /dev/stdin > encrypted-data
-SOPS will find a matching creation rule for ``path/filename.sops.yaml`` in ``.sops.yaml`` and use that one to encrypt the data from stdin. This filename will also be used to determine the input and output store. As always, the input store type can be adjusted by passing ``--input-type``, and the output store type by passing ``--output-type``:
+SOPS will find a matching creation rule for ``path/filename.sops.yaml`` in ``.sops.yaml`` and use that one to
+encrypt the data from stdin. This filename will also be used to determine the input and output store. As always,
+the input store type can be adjusted by passing ``--input-type``, and the output store type by passing
+``--output-type``:
 .. code:: sh