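---
# SOPS Configuration Example
# Copy this file to the root of your workspace as .sops.yaml
#
# SOPS (Secrets OPerationS) configuration defines encryption rules
# for configuration files based on path patterns.
#
# Documentation: https://github.com/getsops/sops
#   (the project moved from mozilla/sops to the CNCF "getsops" org; the old
#   mozilla/sops URL redirects there)
#
# How matching works
#   * Rules are evaluated top to bottom; the FIRST matching rule wins and
#     supplies the recipients for a newly encrypted file.
#   * In current sops releases path_regex is matched against the file path
#     relative to the directory holding this .sops.yaml, so keep the patterns
#     below relative to the workspace root.
#   * A file matched by no rule fails to encrypt. That is deliberate: there is
#     no catch-all rule, so a misplaced file errors out instead of silently
#     being encrypted to a key you did not choose.
#   * sops encrypts values only; YAML/TOML keys and document structure stay in
#     plaintext in the committed file.
#
# Placeholder recipient
#   age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p is the
#   example public key from the age documentation, NOT a key your team
#   controls. Never encrypt real secrets to it; replace it everywhere below.
#
# YAML pitfall
#   Inside a block scalar (">-" or "|") a "#" is part of the VALUE, not a
#   comment, so "age1...  # my key" would hand sops a recipient string that
#   ends in "# my key" and fail to parse. Comments in this file therefore
#   always sit on their own line, above the value they describe, and single
#   recipients are written as plain quoted strings.

creation_rules:
  # Rule 1: Encrypt workspace secure configs with Age.
  # "(.*/)?" makes the middle path segment optional, so both
  # workspace/config/secure.yaml (the path used in "How to Use" below) and
  # workspace/<name>/config/secure.yaml match. The original "workspace/.*/config/"
  # form required at least two slashes and never matched the documented path.
  # Replace the recipient with your own Age public key.
  - path_regex: 'workspace/(.*/)?config/secure\.yaml$'
    age: 'age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p'

  # Rule 2: Encrypt all .enc.yaml files with Age
  - path_regex: '.*\.enc\.yaml$'
    age: 'age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p'

  # Rule 3: Encrypt all .enc.yml files with Age
  - path_regex: '.*\.enc\.yml$'
    age: 'age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p'

  # Rule 4: Encrypt all .enc.toml files with Age
  - path_regex: '.*\.enc\.toml$'
    age: 'age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p'

  # Rule 5: Encrypt provider credentials with Age
  # (same optional middle segment as Rule 1)
  - path_regex: 'workspace/(.*/)?config/providers/.*credentials.*\.toml$'
    age: 'age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p'

  # Rule 6: Encrypt platform secrets with Age
  # (same optional middle segment as Rule 1)
  - path_regex: 'workspace/(.*/)?config/platform/.*secret.*\.yaml$'
    age: 'age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p'

# ----------------------------------------------------------------------------
# AWS KMS Configuration Example (uncomment and configure for production)
# ----------------------------------------------------------------------------
# The commented examples below overlap each other AND the active rules above
# (e.g. Rule 2 already claims every *.enc.yaml). When you enable one, place it
# ABOVE every broader rule that also matches its files, or it will never fire.
#
# # Rule 9: Multi-region AWS KMS (for disaster recovery)
# # Listed before Rule 7 on purpose: Rule 7's pattern also matches
# # .../config/critical/*.yaml, so with Rule 7 first this rule would be
# # unreachable. Comma-separated ARNs are all added as master keys; any ONE
# # of them can decrypt.
# - path_regex: 'workspace/prod-.*/config/critical/.*\.yaml$'
#   kms: >-
#     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012,
#     arn:aws:kms:us-west-2:123456789012:key/87654321-4321-4321-4321-210987654321
#
# # Rule 7: Encrypt production configs with AWS KMS
# # Replace with your KMS key ARN.
# - path_regex: 'workspace/prod-.*/config/.*\.yaml$'
#   kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
#
# # Rule 8: Encrypt staging configs with AWS KMS
# - path_regex: 'workspace/staging-.*/config/.*\.yaml$'
#   kms: 'arn:aws:kms:us-east-1:123456789012:key/87654321-4321-4321-4321-210987654321'

# ----------------------------------------------------------------------------
# HashiCorp Vault Configuration Example
# ----------------------------------------------------------------------------
# # Rule 10: Encrypt with Vault Transit (requires a reachable Vault server)
# # The sops config key is "hc_vault_transit_uri". The previous example used
# # "vault_uri", which sops does not recognise: the field is silently ignored
# # and the rule ends up with no master key.
# - path_regex: 'workspace/.*/config/vault-encrypted/.*\.yaml$'
#   hc_vault_transit_uri: 'https://vault.example.com:8200/v1/transit/keys/provisioning'

# ----------------------------------------------------------------------------
# Advanced Examples
# ----------------------------------------------------------------------------
# # Rule 11: Multi-recipient (multiple Age keys for team access)
# # The folded block scalar joins the lines into one comma-separated string;
# # sops trims the whitespace. Keep comments OUT of the block (see the YAML
# # pitfall at the top). The "...8q" and "...8r" recipients are illustrative
# # only - changing a single character of a real recipient breaks its
# # checksum - so substitute each teammate's actual public key.
# - path_regex: 'workspace/shared-.*/config/.*\.yaml$'
#   age: >-
#     age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p,
#     age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8q,
#     age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8r
#
# # Rule 12: PGP encryption (legacy, not recommended)
# # Value is the full 40-hex-digit key fingerprint.
# - path_regex: 'workspace/legacy-.*/config/.*\.yaml$'
#   pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4'
#
# # Rule 13: Mixed backends (Age + AWS KMS for redundancy)
# # Several backends in ONE rule form a single key group: any one of them
# # decrypts (OR). If you need "both must be present" (AND / m-of-n), use
# # key_groups with shamir_threshold instead.
# - path_regex: 'workspace/critical-.*/config/.*\.yaml$'
#   age: 'age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p'
#   kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
#
# # Rule 14: Specific key for CI/CD (separate from developers)
# # CAUTION: GitHub Actions reads workflow files as plaintext, so encrypting
# # .github/workflows/*.yaml breaks CI. Point a CI-only rule at the secret
# # files the workflows decrypt at run time instead, and give it a recipient
# # that is NOT the developer key shown here (as written it reuses it).
# - path_regex: '\.github/workflows/.*\.yaml$'
#   age: 'age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p'
#
# # Rule 15: Per-environment keys
# # Use genuinely different recipients per environment ("...8q" below is only
# # a stand-in), and place these ABOVE Rules 1-6 or the generic patterns win.
# # Dev key:
# - path_regex: 'workspace/dev-.*/config/.*\.yaml$'
#   age: 'age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p'
# # Prod key:
# - path_regex: 'workspace/prod-.*/config/.*\.yaml$'
#   age: 'age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8q'

# ----------------------------------------------------------------------------
# Notes
# ----------------------------------------------------------------------------
# 1. Rules are evaluated top to bottom, first match wins
# 2. Use regex for flexible path matching (matched relative to this file's
#    directory in current sops releases)
# 3. Multiple recipients (comma-separated) allow team access
# 4. Keep this file (.sops.yaml) unencrypted and commit it to git - it holds
#    only public keys, ARNs and URIs, nothing secret
# 5. Never commit private keys (Age, PGP, etc.) to git
# 6. Age private keys: sops looks in ~/.config/sops/age/keys.txt on Linux
#    (on macOS the default is under ~/Library/Application Support/sops/age/).
#    Set SOPS_AGE_KEY_FILE to point elsewhere. Keep the file mode 0600.
# 7. Do NOT export SOPS_AGE_RECIPIENTS while using this file. For sops itself
#    that variable (like --age) takes precedence over creation_rules, so the
#    per-path key separation above would be bypassed. It is only a fallback
#    for repositories without a .sops.yaml. Verify how the "provisioning"
#    wrapper passes recipients before relying on this.

# ----------------------------------------------------------------------------
# How to Use
# ----------------------------------------------------------------------------
# 1. Generate an Age key (age-keygen creates the file with mode 0600):
#      mkdir -p ~/.config/sops/age
#      age-keygen -o ~/.config/sops/age/keys.txt
#
# 2. Extract the public key (recipient):
#      grep "public key:" ~/.config/sops/age/keys.txt
#    or:
#      age-keygen -y ~/.config/sops/age/keys.txt
#
# 3. Replace every placeholder recipient above with your public key.
#
# 4. If your key file is not at the default location:
#      export SOPS_AGE_KEY_FILE=/path/to/keys.txt
#    (see Note 7 on why SOPS_AGE_RECIPIENTS should stay unset)
#
# 5. Encrypt a file:
#      provisioning config encrypt workspace/config/secure.yaml
#
# 6. Decrypt a file:
#      provisioning config decrypt workspace/config/secure.enc.yaml
#    (the wrapper is assumed to write the encrypted copy as *.enc.yaml; plain
#    sops encrypts in place or to stdout - confirm against the wrapper's docs)
#
# 7. Edit an encrypted file (decrypts to a temp file, re-encrypts on save):
#      provisioning config edit-secure workspace/config/secure.enc.yaml

# ----------------------------------------------------------------------------
# Security Best Practices
# ----------------------------------------------------------------------------
# 1. Use separate keys for dev/staging/prod
# 2. Rotate keys regularly (quarterly for production). Editing this file
#    changes nothing for files already encrypted: run
#      sops updatekeys <file>     # re-encrypt the data key to the new recipient set
#      sops rotate -i <file>      # generate a fresh data key
#    on every affected file.
# 3. Use AWS KMS or Vault for production (centralized key management, IAM /
#    policy-based revocation). A leaked Age key cannot be revoked, only rotated
#    out of every file.
# 4. Enable audit logging (with AWS KMS or Vault)
# 5. Never share private keys via email/chat
# 6. Backup private keys securely (encrypted backup)
# 7. Offboarding: remove the leaver's recipient here, then "sops updatekeys"
#    AND "sops rotate -i" every affected file. Old commits in git history still
#    decrypt with their key, so also rotate the underlying secret values where
#    that exposure matters.
# 8. Use multi-recipient for team access, not shared keys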