SOPS mac_only_encrypted #1512

Open

cdvv7788 opened this issue May 21, 2024 · 2 comments

Comments

@cdvv7788

I am trying to set up my .sops.yaml file to ignore unencrypted data.

Currently I am trying:

```yaml
creation_rules:
- path_regex: .*test\.yaml$
  encrypted_regex: "^(secret)$"
  mac_only_encrypted: true
  key_groups:
    whatever
```

I am using that option based on what I found here https://github.com/getsops/sops/blob/main/config/config.go#L151

I can encrypt normally, but changing a value that is not encrypted is returning:

```
MAC mismatch. File has D9B9748797E046490BC4432DC40AB4A38750817647769079D1693B9FD8D26D14DF9852184707094D6A4F5DA6921271D10F291E457A7B0141894F75A641C1DE85, computed 33FCF2BAFEE86F970579A5B10C3B06A9930B114361C0ACAA2711BF68AB332583CC3BC0BB196C0E6ABE41F38FE1E508C777382E9F6D740F6CFF83EC47D89C96AB
```

Is this an example of bad usage? In that case, can you please document the proper usage?

To reproduce using sops==3.8.1:

1. Create a test file named test.yaml:

   ```yaml
   public:
     test: this
   secret:
     test: shhh
   ```

2. Encrypt the file in place with `sops -e -i test.yaml`:

   ```yaml
   public:
     test: this
   secret:
     test: ENC[AES256_GCM,data:VP9ZyA==,iv:YAa4Pt1ySLaGeGxwFOXoGOEzeYPlIBAy2Pg4PS5GBsU=,tag:dDSpyL412CUgqnjJfqEJpQ==,type:str]
   sops:
     age:
         - recipient: <age_public_key>
           enc: ...
     lastmodified: "2024-05-21T15:21:04Z"
     mac: ENC[AES256_GCM,data:mJjJvCtlZ1movS16GeN/Ad2HhRUI7m3JYE00EMHYb0KTzwZKR1J3H08Q+8EeoX9SIgmUxYoHOOaTpAb5WFxVE8zz7eis+qhfpqjebaJ1d/1GfNpEVGOyY9f6vgzSwupIM3P9xWnJ2T1aNAcI8O4JuQuwq44XNu1vs6UyRI/VjBY=,iv:38Y8DDLOPpJEDiu3VRitaJQKIaLNHWKG+tTrsTwm8Uk=,tag:GnXnNfxFJmQ3A1b8/5CnfQ==,type:str]
     pgp: []
     encrypted_regex: ^(secret)$
     version: 3.8.1
   ```

3. Modify the public value that is not encrypted:

   ```yaml
   public:
     test: this-is-new
   secret:
     test: ENC[AES256_GCM,data:VP9ZyA==,iv:YAa4Pt1ySLaGeGxwFOXoGOEzeYPlIBAy2Pg4PS5GBsU=,tag:dDSpyL412CUgqnjJfqEJpQ==,type:str]
   sops:
     age:
         - recipient: <age_public_key>
           enc: ...
     lastmodified: "2024-05-21T15:21:04Z"
     mac: ENC[AES256_GCM,data:mJjJvCtlZ1movS16GeN/Ad2HhRUI7m3JYE00EMHYb0KTzwZKR1J3H08Q+8EeoX9SIgmUxYoHOOaTpAb5WFxVE8zz7eis+qhfpqjebaJ1d/1GfNpEVGOyY9f6vgzSwupIM3P9xWnJ2T1aNAcI8O4JuQuwq44XNu1vs6UyRI/VjBY=,iv:38Y8DDLOPpJEDiu3VRitaJQKIaLNHWKG+tTrsTwm8Uk=,tag:GnXnNfxFJmQ3A1b8/5CnfQ==,type:str]
     pgp: []
     encrypted_regex: ^(secret)$
     version: 3.8.1
   ```

4. Try to decrypt using `sops -d test.yaml` and get the error:

   ```
   MAC mismatch. File has 53D78D70FFC24EA217D3A1723A63507683FD8B5EECF667E4EB102B9BCF61E91D1F7C015C841ABB0645ABA2CE9AB20AE13EA544F31C75285C87A8F81F7790A8E5, computed 55578626998F8FDFF9EDC8504E2D096C9A025219056271BA1D24865F0284205179840D918521ADAD61E3A3DB3B7C2D9970E6B2526289726B919CDBEAC6944336
   ```
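The behaviour in the reproduction above comes down to what the SOPS MAC covers. The two hex strings in the error are 128 hex characters each, the length of a SHA-512 digest: SOPS hashes the plaintext leaf values of the document and stores that digest, encrypted under the file's data key, in the `sops.mac` field. When `mac_only_encrypted` is not in effect, every leaf value is hashed, so editing an unencrypted value such as `public.test` changes the recomputed digest and decryption fails with exactly this message. The script below is an added illustration, not code from the SOPS project: it models the MAC as a SHA-512 digest over the covered values (the real tool also encrypts the digest and binds metadata to it, which is left out here), uses the issue's `encrypted_regex`, and builds the `test.yaml` trees inline as constructed sample data. It runs the "edit a public value" and "edit a secret value" cases under both settings of the flag.

```python
import hashlib
import re

# Constructed sample trees, modelled on the issue's test.yaml: the original
# file, the same file after editing the unencrypted "public.test" value, and
# a version where the encrypted "secret.test" value was altered instead.
ORIGINAL = {"public": {"test": "this"}, "secret": {"test": "shhh"}}
PUBLIC_EDITED = {"public": {"test": "this-is-new"}, "secret": {"test": "shhh"}}
SECRET_EDITED = {"public": {"test": "this"}, "secret": {"test": "shhh-changed"}}

# Same rule as the issue's .sops.yaml: only subtrees under a key named
# "secret" are encrypted.
ENCRYPTED_REGEX = re.compile(r"^(secret)$")


def walk(tree, path=()):
    """Yield (key path, leaf value) pairs in document order, depth first."""
    for key, value in tree.items():
        if isinstance(value, dict):
            yield from walk(value, path + (key,))
        else:
            yield path + (key,), value


def is_encrypted_path(path):
    """A leaf counts as encrypted when any key on its path matches encrypted_regex
    (simplified model of how SOPS applies the regex to a key path)."""
    return any(ENCRYPTED_REGEX.match(key) for key in path)


def compute_mac(tree, mac_only_encrypted):
    """Model of the SOPS MAC: a SHA-512 digest over the plaintext leaf values the
    MAC covers, in document order. The real tool stores this digest encrypted
    under the data key; the model stops at the digest, which is the value the
    "MAC mismatch" error prints."""
    digest = hashlib.sha512()
    for path, value in walk(tree):
        if mac_only_encrypted and not is_encrypted_path(path):
            continue  # unencrypted leaves are deliberately left out of the MAC
        digest.update(str(value).encode("utf-8"))
    return digest.hexdigest().upper()


def verify(stored_mac, tree, mac_only_encrypted):
    """Recompute the MAC at decryption time and compare it with the stored one.
    Returns "OK" or a message in the same shape as the one the issue reports."""
    computed = compute_mac(tree, mac_only_encrypted)
    if computed != stored_mac:
        return f"MAC mismatch. File has {stored_mac}, computed {computed}"
    return "OK"


def edit_outcomes():
    """For both settings of mac_only_encrypted: MAC the original tree as
    `sops -e` would, then verify the two edited trees against that stored MAC.
    Returns a dict keyed by (mac_only_encrypted, which_edit)."""
    outcomes = {}
    for flag in (False, True):
        stored = compute_mac(ORIGINAL, flag)  # written into sops.mac at encrypt time
        outcomes[(flag, "public")] = verify(stored, PUBLIC_EDITED, flag)
        outcomes[(flag, "secret")] = verify(stored, SECRET_EDITED, flag)
    return outcomes


if __name__ == "__main__":
    for (flag, edit), result in edit_outcomes().items():
        print(f"mac_only_encrypted={flag!s:5} edit={edit}: {result[:12]}")
```

With the flag off, both edits produce a mismatch, which is what a released 3.8.1 binary (where the option is simply not recognised) does for the steps above. With the flag on, editing `public.test` verifies cleanly while editing `secret.test` still fails. That is the trade-off the option buys: unencrypted values become freely editable outside SOPS, and in exchange the MAC no longer detects tampering with them, so it should only be enabled where those values are not security-relevant.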
@felixfontein (Contributor)

Please note that mac_only_encrypted only exists on the main branch, but not in a released version so far.

CC @getsops/maintainers

@cdvv7788 (Author)

🤦 I didn't check that. The .sops.yaml file options are mostly undocumented explicitly, so I just assumed this was the case. My bad.
