Skip to main content

Add Secrets

Some information passed in the Kits should be hidden from prying eyes. Fortunately, your database passwords, keys, secret tokens, and other sensitive information can be stored safely in encrypted form before being passed to Monk.

SOPS

Mozilla Secrets OPerationS (SOPS) is a popular editor for encrypted files, supporting many popular formats including JSON and YAML. See: https://github.com/mozilla/sops.

You can encrypt your Kits with SOPS for storage or for putting them under version control. MonkOS is able to load SOPS encrypted YAML files in a transparent manner as long as it has access to the key store that was used to encrypt them.

This feature works transparently - if you have an encrypted Kit, just use:

monk load myencrypted.yaml

MonkOS will decrypt the values passed in that YAML file and then re-encrypt it in its internal database so that your data stays secure at rest.

Prerequisites

In order to to run SOPS you need to generate your GPG key. You can do it by creating example GPG definition file that might look like this:

%no-protection
Key-Type: default
Subkey-Type: default
Name-Real: MyApp1
Name-Email: [email protected]
Expire-Date: 0

And then issue following command:

$ gpg --batch --generate-key < myApp1_key_definition

You can then get your key ID that will be used by SOPS via this command:

$ gpg --list-keys "[email protected]" | grep pub -A1 | tail -n1

Tutorial

Let's suppose we have the following Kit:

mystuff.yaml
namespace: mystuff

my-service:
    defines: runnable
    containers:
        foo:
            image: foo:latest
            environment:
                - SECRET_KEY=1234-VERY-SECRET-KEY-ABC

This file contains 1234-VERY-SECRET-KEY-ABC, a value that we wouldn't like anyone to intercept. Encryption

Assuming you have SOPS set up on your machine, you should be able to encrypt that file by using the following command:

sops --encrypt --pgp <your pgp key fingerprint> mystuff.yaml > mystuff-secure.yaml
note

SOPS provides many options for key storage. We have shown the -p option above. This will use your local PGP for encryption and decryption. Also, you have to be sure that you have PGP key installed locally before use it with monkd

The mystuff-secure.yaml should look similar to this:

mystuff-secure.yaml
namespace: ENC[AES256_GCM,data:8eSMrKDiqA==,iv:HHXy2xuo6oHGH3y9cgWUWZJwH9Mg8oUqdXKkwpgY9TY=,tag:d+OUbZPyA7pYAQN7vJKL3g==,type:str]
my-service:
    defines: ENC[AES256_GCM,data:BQJVtK8Ju1Q=,iv:2JKnD0ZoLUmacJ+zROhyuLv3xybiDpAFR/iGt8Jz18w=,tag:g3gRuIOZ6/GHCi0fU3d3Og==,type:str]
    containers:
        defines: ENC[AES256_GCM,data:w9Wm0ugLGh6Ihw==,iv:qI06rxEvRdZjBlCwpyEEuq7B+r3itRLyXoIC9gav7RM=,tag:snwjY8kRzXsSHh98eymqaA==,type:str]
        foo:
            image: ENC[AES256_GCM,data:P7KUkeLmly+QmA==,iv:GjMCqg8B4Eax3VGx+Cdem/XmX6vL4Q2+h4tJwaHrzvc=,tag:QZbhlaOrj+80lQksUAHrXg==,type:str]
            environment:
            - ENC[AES256_GCM,data:bQrtjuI0kH3SqlzDIAsQOdPeOmMNAfYjYlBx/phyj4mz7MQ=,iv:lcEqMQK5tZUMi0gE/BIgGP1FwabqFkIDoTRvLX5Il6o=,tag:z7mTd+sA8wcroJAZPY1qow==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    lastmodified: '2020-10-04T19:43:17Z'
    mac: ENC[AES256_GCM,data:rkt22zDJ2i55cfJegxQ3KlSdlbBOC6aLqgu5zg6ggmte2wCmF9aJ7tkVdJ6tHfcCTB9RHsyb8VZ8FkgY51vNVMJUBhoK1oeI4DDf5P/LtumwWxOmVSeIi46byuHrmM0SHNwH/j5O2W1QGzeoYUPboTaa0v9ond9ECzzUIV0gfc8=,iv:ZipozZKS6qkMwdBK+EPwuQzawHoAEbqsLt+5jUVgAxM=,tag:t76XeNztb5MKeUSBxaGkvQ==,type:str]
    pgp:
    -   created_at: '2020-10-04T19:43:16Z'
        enc: |
            -----BEGIN PGP MESSAGE-----

            hQIMA1+L4XrjeoONAQ//TbzXJ+tY41NlUn8h8rn2pgXasLZLVw1tt6sMjUnPxnQ0
            5F2S2Z/wx5Pkd4Xf6t8ZCsaguD5SuT96DBH4OUYSZuRNu2ez4dUKNtvEJnf1UVxj
            A76QWzldderq/RwDtPAElDBLBae9xYU6z76RXoOO2sQM0sFnIohjC6dvagQR8Xu9
            2A+mJ+T3fVgpDgI/nHeF+YUHEOpNL6UbRpEZpH7gyrigiH7vE94P/m5xReDsHQLF
            JQmLFDiCneY9tV+7KVlfcjVjpLZy93WJnv/SpigsGGuJoxl/bjb9utDsbHFC4dCu
            /DmsgqW+i9M267tzN/eM8/wy0Y38IECtO7pjNZKEPUvr6hxp8VxlcN3V/xmmoOWo
            qvHpHQUQhUxjaWq8A8Z/rrhZvMcnS1+domPiCe3xNgluF2Hpnn6iqofrtjN3XflD
            kCV++MpuNOgZCboxNWi3651lUHyR0JBlopqvDtiTJF/3Zemx+f2WhaanhnnX7PZW
            yUcFL+HKGy74FvT5ivGMA38tpF7kPQHSSQg6ooDAqO8C8mErxm2g0kfuycvYfDTy
            Z/fQZBHn9+Gz6vJr0aq6BJPJuOyZ5twUZXrIktCeshIKfTNkZl39NfTPyu0Wqsj6
            VnVgHiggsWl9b6BvSYKr4fJteUhQE0Je5NSmgaG3LnwY7YjS+YyqaE4sT16EW2PS
            XgGiQV7kDYyb9UMtCGjtv/9lca89n9NJBk/1yYGzt7c4HBmAvhIYtCzgfEDLKdEi
            ayfYeAW8mXW4PNnyUYAuwpup+2mVvleeEyK2noQJa9DT+yFwNx5sf98U14Ijheo=
            =iMK9
            -----END PGP MESSAGE-----
        fp: 888E5DA29455B60CADAF9E94201C5767513753F8
    unencrypted_suffix: _unencrypted
    version: 3.6.0

As you can see, 1234-VERY-SECRET-KEY-ABC is nowhere to be found. In fact, SOPS encrypted all the values so the purpose of this Kit is now impossible to decipher without decrypting the file.

Loading

To load such Kit file:

monk load mystuff-secure.yaml

And that's it! MonkOS will load this file like any other cleartext Kit.

Further edits to the Kit

This Kit can now be edited by using:

sops mystuff-secure.yaml

Refer to SOPS documentation for further help on this topic.

Rate this page