The crypto service is used to encrypt and decrypt sops-files. You can read more about sops here.
The current version of sops is bekk/sops, but this can be changed to the official sops when this has been included.
In order to encrypt files, the service is dependent on having a .sops.yaml-configuration file. Example:
creation_rules:
- shamir_threshold: 2
path_regex: \.risc\.yaml$ # Path to files for local development - not relevant for the crypto service
key_groups:
- age:
- "age1hn2ax8m9798srve8f207llr50tyelzyp63k96ufx0ud487q9xveqca6k0r"
- gcp_kms:
- resource_id: projects/spire-ros-5lmr/locations/eur4/keyRings/ROS/cryptoKeys/ros-as-codeFor the crypto service to be able to decrypt files, it has to have access to a set (minimum one key in x groups, where x is defined by the shamir threshold) of the resources used to encrypt. When encrypting files, the crypto service has to be able to access all resources in the configuration file. This is especially important to remember in terms of kms-resources.
Small note on config files: The crypto service stores the configuration file as a temporary file. This is deleted when the sops encryption succeeds, however, if an error occurs it might not be. The information in these files are already stored in github, and does not contain any secret information.
Age is a simple, modern and secyre encryption tool, format and Go library. In this service we use asymmetric Age key-pairs to encrypt and decrypt files. The asymmetry of the Age keys makes it easy to add the public key to the .sops.yaml configuration files. The private keys are kept secret, and used for decryption of files.
The GCP KMS is the only supported KMS in this service. There are other available key management services available through sops, but they require credentials or personal access tokens.
When using sops, a personal access token is used to access the resources, because of this the access to the resource is restricted to the user.
This service only support the use of the GCP KMS and not the other kms-es that sops support, unless authentication is provided.
To run the crypto service locally you can either run it through IntelliJ or as a docker-image with docker-compose. We recommend running it with docker-compose as this do not require downloading a custom configured sops on your local machine.
To run locally with docker-compose, you first need to create the git-ignored file .env.
cp .env.example .env
If you are on M4 Mac, uncomment IMAGE and BUILD_IMAGE.
If you need access to environment-variables, ask a colleague.
You can then build and run the application with
docker-compose upwhich starts the crypto service on port 8084.
To run the crypto service locally you need to have sops installed.
It is very easy to do with gh
brew install gh
gh auth loginThe current version used in crypto service has added functionality with the use of google access tokens to access the crypto key resources from the gcp kms.
# download the latest version
gh release download --repo https://github.com/bekk/sops <nyeste versjon> --pattern '*.darwin.arm64'
# rename the file to sops
mv sops-v1.2.darwin.arm64 sops
# make it executable
chmod +x sops
# add sops to your path
export PATH=$PATH:<path to file>Det finnes en PR fra Maren Ringsby for å legge til støtte for bruk av GCP-tokens mot GCP KMS. Etter planen blir den med i 3.10-versjon av sops.
Inntil det må Bekk sin sops versjon holdes i sync med utviklingen i sops. Her er skrittene:
git clone https://github.com/marensofier/sops.git maren-sops// Last ned maren sitt repocd maren-sopsgit checkout add_access_token//Bytt til branchen med endringengit remote add upstream https://github.com/getsops/sops.git// Lag remote til sopsgit fetch upstream// Hent ned siste versjon av sopsgit pull upstream main// Merge inn endringer fra originalen. Her er det sikkert konflikter i avhengigheter som må fikses
cd ..// Gå et hakk oppgit clone https://github.com/bekk/sops.git bekk-sops// Last ned Bekk sin versjon av sopscd bekk-sopsgit remote add maren-sops ../maren-sops/.git// Lag en remote til vår lokale maren-sopsgit fetch maren-sops// Hent alle branchergit branch --track add_access_token maren-sops/add_access_token// Lag en lokal branch av maren-sops sin maingit checkout add_access_token// Svitsje til branchen som har riktigst sops någit merge -s ours main// merge med bekk-sops sin main, men behold alt fra maren-sops-maingit checkout main// tilbake til bekk-sops sin maingit merge add_access_token// få main til å se ut som maren-sops-maingit push// direkte push på main, som KAN stoppes av github-regler (i så fall gå via en PR)
SOPS_AGE_KEY is an environment variable necessary to run the application with sops. The sops age key is the private key of an assymetric Age key-pair. The cryptoservice assumes that all files are encrypted with the public key of the key-pair(and is present in the .sops.yaml-config files), and use the private sops age key to decrypt the files.
Sops is configured to read the private key from either a keys.txt-file from your user configuration directory, or from the environment variable. The keys.txt-file will have precedence.
This can be created by following these steps for mac-users
# install age
brew install age
# create a key-pair, and add the private part to the sops config directory
age-keygen -o $HOME/Library/Application Support/sops/age/keys.txtWe recommend using IntelliJ for local development. To run the application, simply open the repository locally and
selectLocal Server
as your run configuration, then run it.
Change the SOPS_AGE_KEY to your key, but remember to keep your private key safe.
export SOPS_AGE_KEY=<sops Age private key>
./gradlew bootRun --args='--spring.profiles.active=local'
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
