Generalize SOPS_AGE_KEY to arbitrary executable
I currently see a few workarounds of the form SOPS_AGE_KEY=$(…) sops … floating around.
I would like to store my age key in my password manager, not have to specify a workaround each invocation as above, not wrap my sops binary in an outer shell script to set SOPS_AGE_KEY (difficult when sops is provided by various nix flakes via direnv), and not just set SOPS_AGE_KEY as environment for my entire user session on login.
It seems to me that these and similar use cases would benefit from a new environment variable SOPS_AGE_KEY_EXEC (bikeshedding welcome) that would contain a command that would be passed to exec.Command and run without arguments.
The stdout the command produces would then be used as an additional sops identity.
This would allow me to specify SOPS_AGE_KEY_EXEC globally for my entire user session and have my securely stored age key picked up by sops, even in my various direnvs.
Thanks for opening this issue. I was just looking for this capability myself - something similar to the RCLONE_PASSWORD_COMMAND environment variable recognized by rclone.
For example, I use the 1Password password manager and its CLI tool op. It would be great if SOPS would read my age private key from 1Password on demand via op read with something like
```shell
export SOPS_AGE_KEY_COMMAND='/usr/local/bin/op read --no-newline -- op://<vault>/<item>[/<section>]/<field>'
sops -d <encrypted_file>
```
SOPS would itself execute /usr/local/bin/op read --no-newline -- op://<vault>/<item>[/<section>]/<field> and use the contents of stdout as the age private key.
Currently I am using op run as a workaround:
```shell
export SOPS_AGE_KEY='op://<vault>/<item>[/<section>]/<field>'
alias sops='/usr/local/bin/op run -- /path/to/sops'
```
However, this always runs op whenever I run sops, even when a private key is not needed. This often results in unnecessary authorization prompts from 1Password.
(As I had mentioned in my previous comment, what the issue submitter and I are requesting is similar to functionality supported by rclone via RCLONE_PASSWORD_COMMAND, where I can do
```shell
export RCLONE_PASSWORD_COMMAND='/usr/local/bin/op read --no-newline -- op://<vault>/<item>[/<section>]/<field>'
rclone config show
```
to decrypt my encrypted rclone configuration and print the plaintext.)
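Added example, not code from the sops project or from either commenter: a sketch in Go (sops's own language) of how the feature proposed in the issue and refined in the comment above could be implemented. It reads a hypothetical SOPS_AGE_KEY_COMMAND variable (the name is an assumption taken from the thread), runs the command directly with exec.Command rather than through a shell, enforces a deadline so a stuck password-manager prompt cannot hang sops forever, and parses stdout for age secret keys. The KeySource wrapper runs the command only when identities are actually requested, which is the behaviour the comment wants in contrast to the `op run` workaround that prompts on every invocation. The key used in the test is constructed (correct prefix, length and charset only), and the checksum is not verified; a real implementation would hand each line to the age library.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
	"sync"
	"time"
)

const (
	keyCommandEnv = "SOPS_AGE_KEY_COMMAND" // hypothetical name from the issue thread
	agePrefix     = "AGE-SECRET-KEY-1"
	bech32Charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
)

// looksLikeAgeIdentity is a cheap syntactic check (prefix, length, charset) for
// an X25519 secret key as printed by age-keygen. It does not verify the bech32
// checksum; a real implementation would call age.ParseX25519Identity instead.
func looksLikeAgeIdentity(s string) bool {
	if !strings.HasPrefix(s, agePrefix) || len(s) != len(agePrefix)+58 {
		return false
	}
	for _, c := range s[len(agePrefix):] {
		if !strings.ContainsRune(bech32Charset, c) {
			return false
		}
	}
	return true
}

// ParseIdentities extracts secret keys from the command's stdout. Blank lines and
// "#" comments are skipped so the command may print a whole age-keygen file.
// The offending line is deliberately not echoed in the error message, since the
// command may have printed some other secret by mistake.
func ParseIdentities(out []byte) ([]string, error) {
	var ids []string
	for _, line := range strings.Split(string(out), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !looksLikeAgeIdentity(line) {
			return nil, errors.New("key command printed a line that is not an age secret key")
		}
		ids = append(ids, line)
	}
	if len(ids) == 0 {
		return nil, errors.New("key command printed no age secret key")
	}
	return ids, nil
}

// RunKeyCommand executes argv directly (no shell interpretation) under a deadline
// and parses its stdout. stderr is passed through so the password manager can
// still show its authorization prompt.
func RunKeyCommand(ctx context.Context, argv []string, timeout time.Duration) ([]string, error) {
	if len(argv) == 0 {
		return nil, errors.New("empty key command")
	}
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, argv[0], argv[1:]...)
	var stdout bytes.Buffer
	cmd.Stdout = &stdout
	cmd.Stderr = os.Stderr
	if err := cmd.Run(); err != nil {
		if ctx.Err() != nil {
			return nil, fmt.Errorf("key command timed out after %s", timeout)
		}
		return nil, fmt.Errorf("key command failed: %w", err)
	}
	return ParseIdentities(stdout.Bytes())
}

// KeySource runs the command at most once, and only when a caller actually asks
// for identities, so operations that never need the private key cause no prompt.
type KeySource struct {
	argv []string
	once sync.Once
	ids  []string
	err  error
}

func NewKeySource(argv []string) *KeySource { return &KeySource{argv: argv} }

func (k *KeySource) Identities(ctx context.Context) ([]string, error) {
	k.once.Do(func() { k.ids, k.err = RunKeyCommand(ctx, k.argv, 30*time.Second) })
	return k.ids, k.err
}

func main() {
	// strings.Fields is a simplification: a real implementation would want
	// shell-style quoting so that arguments may contain spaces.
	src := NewKeySource(strings.Fields(os.Getenv(keyCommandEnv)))
	ids, err := src.Identities(context.Background())
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("loaded %d age identity(ies) from %s\n", len(ids), keyCommandEnv)
}
```

Running the command without a shell means the variable cannot be used to smuggle in pipes or substitutions, and bounding it with a deadline keeps a forgotten prompt from blocking a non-interactive job indefinitely; the lazy KeySource is what avoids the needless authorization prompts described above.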