jesus/provisioning
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
provisioning/docs/book/user/CONFIG_ENCRYPTION_GUIDE.html

830 lines
35 KiB
HTML
Raw Permalink Normal View History

chore: update provisioning configuration and documentation Update configuration files, templates, and internal documentation for the provisioning repository system. Configuration Updates: - KMS configuration modernization - Plugin system settings - Service port mappings - Test cluster topologies - Installation configuration examples - VM configuration defaults - Cedar authorization policies Documentation Updates: - Library module documentation - Extension API guides - AI system documentation - Service management guides - Test environment setup - Plugin usage guides - Validator configuration documentation All changes are backward compatible.
2025-12-11 21:50:42 +00:00
<!DOCTYPE HTML>
<html lang="en" class="ayu sidebar-visible" dir="ltr">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>Config Encryption Guide - Provisioning Platform Documentation</title>
<!-- Custom HTML head -->
<meta name="description" content="Complete documentation for the Provisioning Platform - Infrastructure automation with Nushell, KCL, and Rust">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff">
<link rel="icon" href="../favicon.svg">
<link rel="shortcut icon" href="../favicon.png">
<link rel="stylesheet" href="../css/variables.css">
<link rel="stylesheet" href="../css/general.css">
<link rel="stylesheet" href="../css/chrome.css">
<link rel="stylesheet" href="../css/print.css" media="print">
<!-- Fonts -->
<link rel="stylesheet" href="../FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="../fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" id="highlight-css" href="../highlight.css">
<link rel="stylesheet" id="tomorrow-night-css" href="../tomorrow-night.css">
<link rel="stylesheet" id="ayu-highlight-css" href="../ayu-highlight.css">
<!-- Custom theme stylesheets -->
<!-- Provide site root and default themes to javascript -->
<script>
const path_to_root = "../";
const default_light_theme = "ayu";
const default_dark_theme = "navy";
</script>
<!-- Start loading toc.js asap -->
<script src="../toc.js"></script>
</head>
<body>
<div id="mdbook-help-container">
<div id="mdbook-help-popup">
<h2 class="mdbook-help-title">Keyboard shortcuts</h2>
<div>
<p>Press <kbd></kbd> or <kbd></kbd> to navigate between chapters</p>
<p>Press <kbd>S</kbd> or <kbd>/</kbd> to search in the book</p>
<p>Press <kbd>?</kbd> to show this help</p>
<p>Press <kbd>Esc</kbd> to hide this help</p>
</div>
</div>
</div>
<div id="body-container">
<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script>
try {
let theme = localStorage.getItem('mdbook-theme');
let sidebar = localStorage.getItem('mdbook-sidebar');
if (theme.startsWith('"') && theme.endsWith('"')) {
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
}
if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
}
} catch (e) { }
</script>
<!-- Set the theme before any content is loaded, prevents flash -->
<script>
const default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? default_dark_theme : default_light_theme;
let theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
if (theme === null || theme === undefined) { theme = default_theme; }
const html = document.documentElement;
html.classList.remove('ayu')
html.classList.add(theme);
html.classList.add("js");
</script>
<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">
<!-- Hide / unhide sidebar before it is displayed -->
<script>
let sidebar = null;
const sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
if (document.body.clientWidth >= 1080) {
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
sidebar = sidebar || 'visible';
} else {
sidebar = 'hidden';
}
sidebar_toggle.checked = sidebar === 'visible';
html.classList.remove('sidebar-visible');
html.classList.add("sidebar-" + sidebar);
</script>
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<!-- populated by js -->
<mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>
<noscript>
<iframe class="sidebar-iframe-outer" src="../toc.html"></iframe>
</noscript>
<div id="sidebar-resize-handle" class="sidebar-resize-handle">
<div class="sidebar-resize-indicator"></div>
</div>
</nav>
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky">
<div class="left-buttons">
<label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</label>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="default_theme">Auto</button></li>
<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search (`/`)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="/ s" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
</div>
<h1 class="menu-title">Provisioning Platform Documentation</h1>
<div class="right-buttons">
<a href="../print.html" title="Print this book" aria-label="Print this book">
<i id="print-button" class="fa fa-print"></i>
</a>
<a href="https://github.com/provisioning/provisioning-platform" title="Git repository" aria-label="Git repository">
<i id="git-repository-button" class="fa fa-github"></i>
</a>
<a href="https://github.com/provisioning/provisioning-platform/edit/main/provisioning/docs/src/user/CONFIG_ENCRYPTION_GUIDE.md" title="Suggest an edit" aria-label="Suggest an edit">
<i id="git-edit-button" class="fa fa-edit"></i>
</a>
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script>
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
});
</script>
<div id="content" class="content">
<main>
<h1 id="configuration-encryption-guide"><a class="header" href="#configuration-encryption-guide">Configuration Encryption Guide</a></h1>
<p><strong>Version</strong>: 1.0.0
<strong>Last Updated</strong>: 2025-10-08
<strong>Status</strong>: Production Ready</p>
<h2 id="overview"><a class="header" href="#overview">Overview</a></h2>
<p>The Provisioning Platform includes a comprehensive configuration encryption system that provides:</p>
<ul>
<li><strong>Transparent Encryption/Decryption</strong>: Configs are automatically decrypted on load</li>
<li><strong>Multiple KMS Backends</strong>: Age, AWS KMS, HashiCorp Vault, Cosmian KMS</li>
<li><strong>Memory-Only Decryption</strong>: Secrets never written to disk in plaintext</li>
<li><strong>SOPS Integration</strong>: Industry-standard encryption with SOPS</li>
<li><strong>Sensitive Data Detection</strong>: Automatic scanning for unencrypted sensitive data</li>
</ul>
<h2 id="table-of-contents"><a class="header" href="#table-of-contents">Table of Contents</a></h2>
<ol>
<li><a href="#prerequisites">Prerequisites</a></li>
<li><a href="#quick-start">Quick Start</a></li>
<li><a href="#configuration-encryption">Configuration Encryption</a></li>
<li><a href="#kms-backends">KMS Backends</a></li>
<li><a href="#cli-commands">CLI Commands</a></li>
<li><a href="#integration-with-config-loader">Integration with Config Loader</a></li>
<li><a href="#best-practices">Best Practices</a></li>
<li><a href="#troubleshooting">Troubleshooting</a></li>
</ol>
<hr />
<h2 id="prerequisites"><a class="header" href="#prerequisites">Prerequisites</a></h2>
<h3 id="required-tools"><a class="header" href="#required-tools">Required Tools</a></h3>
<ol>
<li>
<p><strong>SOPS</strong> (v3.10.2+)</p>
<pre><code class="language-bash"># macOS
brew install sops
# Linux
wget https://github.com/mozilla/sops/releases/download/v3.10.2/sops-v3.10.2.linux.amd64
sudo mv sops-v3.10.2.linux.amd64 /usr/local/bin/sops
sudo chmod +x /usr/local/bin/sops
</code></pre>
</li>
<li>
<p><strong>Age</strong> (for Age backend - recommended)</p>
<pre><code class="language-bash"># macOS
brew install age
# Linux
apt install age
</code></pre>
</li>
<li>
<p><strong>AWS CLI</strong> (for AWS KMS backend - optional)</p>
<pre><code class="language-bash">brew install awscli
</code></pre>
</li>
</ol>
<h3 id="verify-installation"><a class="header" href="#verify-installation">Verify Installation</a></h3>
<pre><code class="language-bash"># Check SOPS
sops --version
# Check Age
age --version
# Check AWS CLI (optional)
aws --version
</code></pre>
<hr />
<h2 id="quick-start"><a class="header" href="#quick-start">Quick Start</a></h2>
<h3 id="1-initialize-encryption"><a class="header" href="#1-initialize-encryption">1. Initialize Encryption</a></h3>
<p>Generate Age keys and create SOPS configuration:</p>
<pre><code class="language-bash">provisioning config init-encryption --kms age
</code></pre>
<p>This will:</p>
<ul>
<li>Generate Age key pair in <code>~/.config/sops/age/keys.txt</code></li>
<li>Display your public key (recipient)</li>
<li>Create <code>.sops.yaml</code> in your project</li>
</ul>
<h3 id="2-set-environment-variables"><a class="header" href="#2-set-environment-variables">2. Set Environment Variables</a></h3>
<p>Add to your shell profile (<code>~/.zshrc</code> or <code>~/.bashrc</code>):</p>
<pre><code class="language-bash"># Age encryption
export SOPS_AGE_RECIPIENTS="age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"
export PROVISIONING_KAGE="$HOME/.config/sops/age/keys.txt"
</code></pre>
<p>Replace the recipient with your actual public key.</p>
<h3 id="3-validate-setup"><a class="header" href="#3-validate-setup">3. Validate Setup</a></h3>
<pre><code class="language-bash">provisioning config validate-encryption
</code></pre>
<p>Expected output:</p>
<pre><code>✅ Encryption configuration is valid
SOPS installed: true
Age backend: true
KMS enabled: false
Errors: 0
Warnings: 0
</code></pre>
<h3 id="4-encrypt-your-first-config"><a class="header" href="#4-encrypt-your-first-config">4. Encrypt Your First Config</a></h3>
<pre><code class="language-bash"># Create a config with sensitive data
cat &gt; workspace/config/secure.yaml &lt;&lt;EOF
database:
host: localhost
password: supersecret123
api_key: key_abc123
EOF
# Encrypt it
provisioning config encrypt workspace/config/secure.yaml --in-place
# Verify it's encrypted
provisioning config is-encrypted workspace/config/secure.yaml
</code></pre>
<hr />
<h2 id="configuration-encryption"><a class="header" href="#configuration-encryption">Configuration Encryption</a></h2>
<h3 id="file-naming-conventions"><a class="header" href="#file-naming-conventions">File Naming Conventions</a></h3>
<p>Encrypted files should follow these patterns:</p>
<ul>
<li><code>*.enc.yaml</code> - Encrypted YAML files</li>
<li><code>*.enc.yml</code> - Encrypted YAML files (alternative)</li>
<li><code>*.enc.toml</code> - Encrypted TOML files</li>
<li><code>secure.yaml</code> - Files in workspace/config/</li>
</ul>
<p>The <code>.sops.yaml</code> configuration automatically applies encryption rules based on file paths.</p>
<h3 id="encrypt-a-configuration-file"><a class="header" href="#encrypt-a-configuration-file">Encrypt a Configuration File</a></h3>
<h4 id="basic-encryption"><a class="header" href="#basic-encryption">Basic Encryption</a></h4>
<pre><code class="language-bash"># Encrypt and create new file
provisioning config encrypt secrets.yaml
# Output: secrets.yaml.enc
</code></pre>
<h4 id="in-place-encryption"><a class="header" href="#in-place-encryption">In-Place Encryption</a></h4>
<pre><code class="language-bash"># Encrypt and replace original
provisioning config encrypt secrets.yaml --in-place
</code></pre>
<h4 id="specify-output-path"><a class="header" href="#specify-output-path">Specify Output Path</a></h4>
<pre><code class="language-bash"># Encrypt to specific location
provisioning config encrypt secrets.yaml --output workspace/config/secure.enc.yaml
</code></pre>
<h4 id="choose-kms-backend"><a class="header" href="#choose-kms-backend">Choose KMS Backend</a></h4>
<pre><code class="language-bash"># Use Age (default)
provisioning config encrypt secrets.yaml --kms age
# Use AWS KMS
provisioning config encrypt secrets.yaml --kms aws-kms
# Use Vault
provisioning config encrypt secrets.yaml --kms vault
</code></pre>
<h3 id="decrypt-a-configuration-file"><a class="header" href="#decrypt-a-configuration-file">Decrypt a Configuration File</a></h3>
<pre><code class="language-bash"># Decrypt to new file
provisioning config decrypt secrets.enc.yaml
# Decrypt in-place
provisioning config decrypt secrets.enc.yaml --in-place
# Decrypt to specific location
provisioning config decrypt secrets.enc.yaml --output plaintext.yaml
</code></pre>
<h3 id="edit-encrypted-files"><a class="header" href="#edit-encrypted-files">Edit Encrypted Files</a></h3>
<p>The system provides a secure editing workflow:</p>
<pre><code class="language-bash"># Edit encrypted file (auto decrypt -&gt; edit -&gt; re-encrypt)
provisioning config edit-secure workspace/config/secure.enc.yaml
</code></pre>
<p>This will:</p>
<ol>
<li>Decrypt the file temporarily</li>
<li>Open in your <code>$EDITOR</code> (vim/nano/etc)</li>
<li>Re-encrypt when you save and close</li>
<li>Remove temporary decrypted file</li>
</ol>
<h3 id="check-encryption-status"><a class="header" href="#check-encryption-status">Check Encryption Status</a></h3>
<pre><code class="language-bash"># Check if file is encrypted
provisioning config is-encrypted workspace/config/secure.yaml
# Get detailed encryption info
provisioning config encryption-info workspace/config/secure.yaml
</code></pre>
<hr />
<h2 id="kms-backends"><a class="header" href="#kms-backends">KMS Backends</a></h2>
<h3 id="age-recommended-for-development"><a class="header" href="#age-recommended-for-development">Age (Recommended for Development)</a></h3>
<p><strong>Pros</strong>:</p>
<ul>
<li>Simple file-based keys</li>
<li>No external dependencies</li>
<li>Fast and secure</li>
<li>Works offline</li>
</ul>
<p><strong>Setup</strong>:</p>
<pre><code class="language-bash"># Initialize
provisioning config init-encryption --kms age
# Set environment variables
export SOPS_AGE_RECIPIENTS="age1..." # Your public key
export PROVISIONING_KAGE="$HOME/.config/sops/age/keys.txt"
</code></pre>
<p><strong>Encrypt/Decrypt</strong>:</p>
<pre><code class="language-bash">provisioning config encrypt secrets.yaml --kms age
provisioning config decrypt secrets.enc.yaml
</code></pre>
<h3 id="aws-kms-production"><a class="header" href="#aws-kms-production">AWS KMS (Production)</a></h3>
<p><strong>Pros</strong>:</p>
<ul>
<li>Centralized key management</li>
<li>Audit logging</li>
<li>IAM integration</li>
<li>Key rotation</li>
</ul>
<p><strong>Setup</strong>:</p>
<ol>
<li>Create KMS key in AWS Console</li>
<li>Configure AWS credentials:
<pre><code class="language-bash">aws configure
</code></pre>
</li>
<li>Update <code>.sops.yaml</code>:
<pre><code class="language-yaml">creation_rules:
- path_regex: .*\.enc\.yaml$
kms: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
</code></pre>
</li>
</ol>
<p><strong>Encrypt/Decrypt</strong>:</p>
<pre><code class="language-bash">provisioning config encrypt secrets.yaml --kms aws-kms
provisioning config decrypt secrets.enc.yaml
</code></pre>
<h3 id="hashicorp-vault-enterprise"><a class="header" href="#hashicorp-vault-enterprise">HashiCorp Vault (Enterprise)</a></h3>
<p><strong>Pros</strong>:</p>
<ul>
<li>Dynamic secrets</li>
<li>Centralized secret management</li>
<li>Audit logging</li>
<li>Policy-based access</li>
</ul>
<p><strong>Setup</strong>:</p>
<ol>
<li>
<p>Configure Vault address and token:</p>
<pre><code class="language-bash">export VAULT_ADDR="https://vault.example.com:8200"
export VAULT_TOKEN="s.xxxxxxxxxxxxxx"
</code></pre>
</li>
<li>
<p>Update configuration:</p>
<pre><code class="language-toml"># workspace/config/provisioning.yaml
kms:
enabled: true
mode: "remote"
vault:
address: "https://vault.example.com:8200"
transit_key: "provisioning"
</code></pre>
</li>
</ol>
<p><strong>Encrypt/Decrypt</strong>:</p>
<pre><code class="language-bash">provisioning config encrypt secrets.yaml --kms vault
provisioning config decrypt secrets.enc.yaml
</code></pre>
<h3 id="cosmian-kms-confidential-computing"><a class="header" href="#cosmian-kms-confidential-computing">Cosmian KMS (Confidential Computing)</a></h3>
<p><strong>Pros</strong>:</p>
<ul>
<li>Confidential computing support</li>
<li>Zero-knowledge architecture</li>
<li>Post-quantum ready</li>
<li>Cloud-agnostic</li>
</ul>
<p><strong>Setup</strong>:</p>
<ol>
<li>Deploy Cosmian KMS server</li>
<li>Update configuration:
<pre><code class="language-toml">kms:
enabled: true
mode: "remote"
remote:
endpoint: "https://kms.example.com:9998"
auth_method: "certificate"
client_cert: "/path/to/client.crt"
client_key: "/path/to/client.key"
</code></pre>
</li>
</ol>
<p><strong>Encrypt/Decrypt</strong>:</p>
<pre><code class="language-bash">provisioning config encrypt secrets.yaml --kms cosmian
provisioning config decrypt secrets.enc.yaml
</code></pre>
<hr />
<h2 id="cli-commands"><a class="header" href="#cli-commands">CLI Commands</a></h2>
<h3 id="configuration-encryption-commands"><a class="header" href="#configuration-encryption-commands">Configuration Encryption Commands</a></h3>
<div class="table-wrapper"><table><thead><tr><th>Command</th><th>Description</th></tr></thead><tbody>
<tr><td><code>config encrypt &lt;file&gt;</code></td><td>Encrypt configuration file</td></tr>
<tr><td><code>config decrypt &lt;file&gt;</code></td><td>Decrypt configuration file</td></tr>
<tr><td><code>config edit-secure &lt;file&gt;</code></td><td>Edit encrypted file securely</td></tr>
<tr><td><code>config rotate-keys &lt;file&gt; &lt;key&gt;</code></td><td>Rotate encryption keys</td></tr>
<tr><td><code>config is-encrypted &lt;file&gt;</code></td><td>Check if file is encrypted</td></tr>
<tr><td><code>config encryption-info &lt;file&gt;</code></td><td>Show encryption details</td></tr>
<tr><td><code>config validate-encryption</code></td><td>Validate encryption setup</td></tr>
<tr><td><code>config scan-sensitive &lt;dir&gt;</code></td><td>Find unencrypted sensitive configs</td></tr>
<tr><td><code>config encrypt-all &lt;dir&gt;</code></td><td>Encrypt all sensitive configs</td></tr>
<tr><td><code>config init-encryption</code></td><td>Initialize encryption (generate keys)</td></tr>
</tbody></table>
</div>
<h3 id="examples"><a class="header" href="#examples">Examples</a></h3>
<pre><code class="language-bash"># Encrypt workspace config
provisioning config encrypt workspace/config/secure.yaml --in-place
# Edit encrypted file
provisioning config edit-secure workspace/config/secure.yaml
# Scan for unencrypted sensitive configs
provisioning config scan-sensitive workspace/config --recursive
# Encrypt all sensitive configs in workspace
provisioning config encrypt-all workspace/config --kms age --recursive
# Check encryption status
provisioning config is-encrypted workspace/config/secure.yaml
# Get detailed info
provisioning config encryption-info workspace/config/secure.yaml
# Validate setup
provisioning config validate-encryption
</code></pre>
<hr />
<h2 id="integration-with-config-loader"><a class="header" href="#integration-with-config-loader">Integration with Config Loader</a></h2>
<h3 id="automatic-decryption"><a class="header" href="#automatic-decryption">Automatic Decryption</a></h3>
<p>The config loader automatically detects and decrypts encrypted files:</p>
<pre><code class="language-nushell"># Load encrypted config (automatically decrypted in memory)
use lib_provisioning/config/loader.nu
let config = (load-provisioning-config --debug)
</code></pre>
<p><strong>Key Features</strong>:</p>
<ul>
<li><strong>Transparent</strong>: No code changes needed</li>
<li><strong>Memory-Only</strong>: Decrypted content never written to disk</li>
<li><strong>Fallback</strong>: If decryption fails, attempts to load as plain file</li>
<li><strong>Debug Support</strong>: Shows decryption status with <code>--debug</code> flag</li>
</ul>
<h3 id="manual-loading"><a class="header" href="#manual-loading">Manual Loading</a></h3>
<pre><code class="language-nushell">use lib_provisioning/config/encryption.nu
# Load encrypted config
let secure_config = (load-encrypted-config "workspace/config/secure.enc.yaml")
# Memory-only decryption (no file created)
let decrypted_content = (decrypt-config-memory "workspace/config/secure.enc.yaml")
</code></pre>
<h3 id="configuration-hierarchy-with-encryption"><a class="header" href="#configuration-hierarchy-with-encryption">Configuration Hierarchy with Encryption</a></h3>
<p>The system supports encrypted files at any level:</p>
<pre><code>1. workspace/{name}/config/provisioning.yaml ← Can be encrypted
2. workspace/{name}/config/providers/*.toml ← Can be encrypted
3. workspace/{name}/config/platform/*.toml ← Can be encrypted
4. ~/.../provisioning/ws_{name}.yaml ← Can be encrypted
5. Environment variables (PROVISIONING_*) ← Plain text
</code></pre>
<hr />
<h2 id="best-practices"><a class="header" href="#best-practices">Best Practices</a></h2>
<h3 id="1-encrypt-all-sensitive-data"><a class="header" href="#1-encrypt-all-sensitive-data">1. Encrypt All Sensitive Data</a></h3>
<p><strong>Always encrypt configs containing</strong>:</p>
<ul>
<li>Passwords</li>
<li>API keys</li>
<li>Secret keys</li>
<li>Private keys</li>
<li>Tokens</li>
<li>Credentials</li>
</ul>
<p><strong>Scan for unencrypted sensitive data</strong>:</p>
<pre><code class="language-bash">provisioning config scan-sensitive workspace --recursive
</code></pre>
<h3 id="2-use-appropriate-kms-backend"><a class="header" href="#2-use-appropriate-kms-backend">2. Use Appropriate KMS Backend</a></h3>
<div class="table-wrapper"><table><thead><tr><th>Environment</th><th>Recommended Backend</th></tr></thead><tbody>
<tr><td>Development</td><td>Age (file-based)</td></tr>
<tr><td>Staging</td><td>AWS KMS or Vault</td></tr>
<tr><td>Production</td><td>AWS KMS or Vault</td></tr>
<tr><td>CI/CD</td><td>AWS KMS with IAM roles</td></tr>
</tbody></table>
</div>
<h3 id="3-key-management"><a class="header" href="#3-key-management">3. Key Management</a></h3>
<p><strong>Age Keys</strong>:</p>
<ul>
<li>Store private keys securely: <code>~/.config/sops/age/keys.txt</code></li>
<li>Set file permissions: <code>chmod 600 ~/.config/sops/age/keys.txt</code></li>
<li>Backup keys securely (encrypted backup)</li>
<li>Never commit private keys to git</li>
</ul>
<p><strong>AWS KMS</strong>:</p>
<ul>
<li>Use separate keys per environment</li>
<li>Enable key rotation</li>
<li>Use IAM policies for access control</li>
<li>Monitor usage with CloudTrail</li>
</ul>
<p><strong>Vault</strong>:</p>
<ul>
<li>Use transit engine for encryption</li>
<li>Enable audit logging</li>
<li>Implement least-privilege policies</li>
<li>Regular policy reviews</li>
</ul>
<h3 id="4-file-organization"><a class="header" href="#4-file-organization">4. File Organization</a></h3>
<pre><code>workspace/
└── config/
├── provisioning.yaml # Plain (no secrets)
├── secure.yaml # Encrypted (SOPS auto-detects)
├── providers/
│ ├── aws.toml # Plain (no secrets)
│ └── aws-credentials.enc.toml # Encrypted
└── platform/
└── database.enc.yaml # Encrypted
</code></pre>
<h3 id="5-git-integration"><a class="header" href="#5-git-integration">5. Git Integration</a></h3>
<p><strong>Add to <code>.gitignore</code></strong>:</p>
<pre><code class="language-gitignore"># Unencrypted sensitive files
**/secrets.yaml
**/credentials.yaml
**/*.dec.yaml
**/*.dec.toml
# Temporary decrypted files
*.tmp.yaml
*.tmp.toml
</code></pre>
<p><strong>Commit encrypted files</strong>:</p>
<pre><code class="language-bash"># Encrypted files are safe to commit
git add workspace/config/secure.enc.yaml
git commit -m "Add encrypted configuration"
</code></pre>
<h3 id="6-rotation-strategy"><a class="header" href="#6-rotation-strategy">6. Rotation Strategy</a></h3>
<p><strong>Regular Key Rotation</strong>:</p>
<pre><code class="language-bash"># Generate new Age key
age-keygen -o ~/.config/sops/age/keys-new.txt
# Update .sops.yaml with new recipient
# Rotate keys for file
provisioning config rotate-keys workspace/config/secure.yaml &lt;new-key-id&gt;
</code></pre>
<p><strong>Frequency</strong>:</p>
<ul>
<li>Development: Annually</li>
<li>Production: Quarterly</li>
<li>After team member departure: Immediately</li>
</ul>
<h3 id="7-audit-and-monitoring"><a class="header" href="#7-audit-and-monitoring">7. Audit and Monitoring</a></h3>
<p><strong>Track encryption status</strong>:</p>
<pre><code class="language-bash"># Regular scans
provisioning config scan-sensitive workspace --recursive
# Validate encryption setup
provisioning config validate-encryption
</code></pre>
<p><strong>Monitor access</strong> (with Vault/AWS KMS):</p>
<ul>
<li>Enable audit logging</li>
<li>Review access patterns</li>
<li>Alert on anomalies</li>
</ul>
<hr />
<h2 id="troubleshooting"><a class="header" href="#troubleshooting">Troubleshooting</a></h2>
<h3 id="sops-not-found"><a class="header" href="#sops-not-found">SOPS Not Found</a></h3>
<p><strong>Error</strong>:</p>
<pre><code>SOPS binary not found
</code></pre>
<p><strong>Solution</strong>:</p>
<pre><code class="language-bash"># Install SOPS
brew install sops
# Verify
sops --version
</code></pre>
<h3 id="age-key-not-found"><a class="header" href="#age-key-not-found">Age Key Not Found</a></h3>
<p><strong>Error</strong>:</p>
<pre><code>Age key file not found: ~/.config/sops/age/keys.txt
</code></pre>
<p><strong>Solution</strong>:</p>
<pre><code class="language-bash"># Generate new key
mkdir -p ~/.config/sops/age
age-keygen -o ~/.config/sops/age/keys.txt
# Set environment variable
export PROVISIONING_KAGE="$HOME/.config/sops/age/keys.txt"
</code></pre>
<h3 id="sops_age_recipients-not-set"><a class="header" href="#sops_age_recipients-not-set">SOPS_AGE_RECIPIENTS Not Set</a></h3>
<p><strong>Error</strong>:</p>
<pre><code>no AGE_RECIPIENTS for file.yaml
</code></pre>
<p><strong>Solution</strong>:</p>
<pre><code class="language-bash"># Extract public key from private key
grep "public key:" ~/.config/sops/age/keys.txt
# Set environment variable
export SOPS_AGE_RECIPIENTS="age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"
</code></pre>
<h3 id="decryption-failed"><a class="header" href="#decryption-failed">Decryption Failed</a></h3>
<p><strong>Error</strong>:</p>
<pre><code>Failed to decrypt configuration file
</code></pre>
<p><strong>Solutions</strong>:</p>
<ol>
<li>
<p><strong>Wrong key</strong>:</p>
<pre><code class="language-bash"># Verify you have the correct private key
provisioning config validate-encryption
</code></pre>
</li>
<li>
<p><strong>File corrupted</strong>:</p>
<pre><code class="language-bash"># Check file integrity
sops --decrypt workspace/config/secure.yaml
</code></pre>
</li>
<li>
<p><strong>Wrong backend</strong>:</p>
<pre><code class="language-bash"># Check SOPS metadata in file
head -20 workspace/config/secure.yaml
</code></pre>
</li>
</ol>
<h3 id="aws-kms-access-denied"><a class="header" href="#aws-kms-access-denied">AWS KMS Access Denied</a></h3>
<p><strong>Error</strong>:</p>
<pre><code>AccessDeniedException: User is not authorized to perform: kms:Decrypt
</code></pre>
<p><strong>Solution</strong>:</p>
<pre><code class="language-bash"># Check AWS credentials
aws sts get-caller-identity
# Verify KMS key policy allows your IAM user/role
aws kms describe-key --key-id &lt;key-arn&gt;
</code></pre>
<h3 id="vault-connection-failed"><a class="header" href="#vault-connection-failed">Vault Connection Failed</a></h3>
<p><strong>Error</strong>:</p>
<pre><code>Vault encryption failed: connection refused
</code></pre>
<p><strong>Solution</strong>:</p>
<pre><code class="language-bash"># Verify Vault address
echo $VAULT_ADDR
# Check connectivity
curl -k $VAULT_ADDR/v1/sys/health
# Verify token
vault token lookup
</code></pre>
<hr />
<h2 id="security-considerations"><a class="header" href="#security-considerations">Security Considerations</a></h2>
<h3 id="threat-model"><a class="header" href="#threat-model">Threat Model</a></h3>
<p><strong>Protected Against</strong>:</p>
<ul>
<li>✅ Plaintext secrets in git</li>
<li>✅ Accidental secret exposure</li>
<li>✅ Unauthorized file access</li>
<li>✅ Key compromise (with rotation)</li>
</ul>
<p><strong>Not Protected Against</strong>:</p>
<ul>
<li>❌ Memory dumps during decryption</li>
<li>❌ Root/admin access to running process</li>
<li>❌ Compromised Age/KMS keys</li>
<li>❌ Social engineering</li>
</ul>
<h3 id="security-best-practices"><a class="header" href="#security-best-practices">Security Best Practices</a></h3>
<ol>
<li><strong>Principle of Least Privilege</strong>: Only grant decryption access to those who need it</li>
<li><strong>Key Separation</strong>: Use different keys for different environments</li>
<li><strong>Regular Audits</strong>: Review who has access to keys</li>
<li><strong>Secure Key Storage</strong>: Never store private keys in git</li>
<li><strong>Rotation</strong>: Regularly rotate encryption keys</li>
<li><strong>Monitoring</strong>: Monitor decryption operations (with AWS KMS/Vault)</li>
</ol>
<hr />
<h2 id="additional-resources"><a class="header" href="#additional-resources">Additional Resources</a></h2>
<ul>
<li><strong>SOPS Documentation</strong>: https://github.com/mozilla/sops</li>
<li><strong>Age Encryption</strong>: https://age-encryption.org/</li>
<li><strong>AWS KMS</strong>: https://aws.amazon.com/kms/</li>
<li><strong>HashiCorp Vault</strong>: https://www.vaultproject.io/</li>
<li><strong>Cosmian KMS</strong>: https://www.cosmian.com/</li>
</ul>
<hr />
<h2 id="support"><a class="header" href="#support">Support</a></h2>
<p>For issues or questions:</p>
<ul>
<li>Check troubleshooting section above</li>
<li>Run: <code>provisioning config validate-encryption</code></li>
<li>Review logs with <code>--debug</code> flag</li>
</ul>
<hr />
<p><strong>Last Updated</strong>: 2025-10-08
<strong>Version</strong>: 1.0.0</p>
</main>
<nav class="nav-wrapper" aria-label="Page navigation">
<!-- Mobile navigation buttons -->
<a rel="prev" href="../user/AUTH_QUICK_REFERENCE.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../user/CONFIG_ENCRYPTION_QUICKREF.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
<div style="clear: both"></div>
</nav>
</div>
</div>
<nav class="nav-wide-wrapper" aria-label="Page navigation">
<a rel="prev" href="../user/AUTH_QUICK_REFERENCE.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../user/CONFIG_ENCRYPTION_QUICKREF.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
</nav>
</div>
<!-- Livereload script (if served using the cli tool) -->
<script>
const wsProtocol = location.protocol === 'https:' ? 'wss:' : 'ws:';
const wsAddress = wsProtocol + "//" + location.host + "/" + "__livereload";
const socket = new WebSocket(wsAddress);
socket.onmessage = function (event) {
if (event.data === "reload") {
socket.close();
location.reload();
}
};
window.onbeforeunload = function() {
socket.close();
}
</script>
<script>
window.playground_copyable = true;
</script>
<script src="../elasticlunr.min.js"></script>
<script src="../mark.min.js"></script>
<script src="../searcher.js"></script>
<script src="../clipboard.min.js"></script>
<script src="../highlight.js"></script>
<script src="../book.js"></script>
<!-- Custom JS scripts -->
</div>
</body>
</html>
Reference in New Issue Copy Permalink