Is it possible to update a SOPS-encrypted file without decrypting it first?

I'm using Mozilla SOPS to encrypt secrets, the results of which are committed to a git repo shared by the other members of a project. When using SOPS for personal projects, I am using age to encrypt/decrypt the contents of my SOPS files; if I have a file called my-secrets.sops.yaml and I want to add a new key/value pair to it, my normal workflow is:

  1. Run sops -d -i my-secrets.sops.yaml to decrypt the file in-place so that the values are plaintext.
  2. Add new_secret: "ThisIsASecret" to the file.
  3. Run sops -e -i my-secrets.sops.yaml to encrypt the file in-place.
  4. Commit the changes to git.

This works for my personal projects because I generate the age secret and public keys myself, so I have access to both. I am aware that only the age public key is required to encrypt, but the secret key is required in order to decrypt.

Now here's my question: if I want to add a key/value pair (or update an existing value) in an existing SOPS file that already contains encrypted values, do I need the ability to decrypt the file first? I know that I could create a brand new file and just encrypt that, but that seems messy, especially in a collaborative environment.

In short: is it possible to add a new value to a YAML file that has been encrypted with SOPS with only the public key available (i.e. without decrypting)?


For context, a bit of background info on my use-case: this project uses Terraform to manage infrastructure, and secrets are kept in a SOPS-encrypted file located in the terraform project directory (for those interested, I'm using this provider to do stuff with the secret values). Our CI environment runs terraform, and has access to the age private key so that Terraform can (e.g.) set the password on database resources, etc. I want to make it so that developers can add new secrets, but cannot decrypt the secrets once they have been added.

Parashah answered 17/10, 2022 at 21:31 Comment(3)
I haven't used SOPS specifically and it might have some sort of special feature that changes the answer, but the general answer is no: most encryption schemes disallow this kind of behavior as it leads to specific forms of attack weakness. – Sororicide
@Sororicide Interesting! Would you mind sharing any links or examples for learning more about that? Since SOPS-encrypted files keep their structure transparent (e.g. for YAML files, only the values are encrypted) I figured this wouldn't be much different than having something like a directory where each file (the key) is an independently-encrypted secret (the value), which doesn't seem like it would be considered a vulnerability. – Parashah
Aha: if SOPS keeps the keys unencrypted, it's definitely designed with a weaker security model. (Note that just knowing what keys go with key-value pairs is a form of information leakage, which is why a more general crypto system wouldn't do that.) That weaker model could allow for this kind of update. Whether it does, well, that depends on the SOPS system. – Sororicide

You can use sops --set '["foo"]["bar"] "test"' ./test.enc.yaml to set or update just the foo.bar value without decrypting or altering the other entries. This means that with PGP you can use the public key to set a new value without having access to the private values.

Semiliquid answered 18/7, 2023 at 11:58 Comment(1)
This doesn't work for me. I tried sops --set '["test"]' '"value"' test.json and get a warning about syntax and "Invalid --set format". I also tried sops set test.json '["test"]' '"value"' and got "Failed to get the data key required to decrypt the SOPS file." Trying the version you have fails even with keys available (maybe the syntax has changed?) but the second version works with keys available but fails without keys. – Romberg

This is not possible.

Protocol Reason

SOPS encrypts all values in a single file with the same symmetric key.

https://github.com/getsops/sops#encryption-protocol

This means that in order to add a value you need access to the same encryption key that is used to decrypt the other values in the file. So you need the ability to decrypt the shared secret to encrypt any new value.

Design Reason

SOPS uses Message Authentication Codes

https://github.com/getsops/sops#51message-authentication-code

These are explicitly intended so that only keyholders can make modifications to the file.

Romberg answered 15/8, 2024 at 12:8 Comment(0)
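To make the two reasons above concrete, here is a small model of a SOPS-style file written for this answer (it is not SOPS code and does not reproduce its real format: a toy HMAC-based stream cipher stands in for AES-GCM). It shows that every value is encrypted under one per-file data key and that the MAC, keyed with that same data key, is computed over the plaintext values, so a contributor holding only the recipients' public keys cannot produce a file that verifies.

```python
import hashlib, hmac, os

def _xor_stream(data_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 keystream); stands in for SOPS's AES-GCM, not its real format.
    stream = b"".join(hmac.new(data_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _mac(data_key: bytes, plaintexts: dict) -> str:
    # As in SOPS, the MAC covers the plaintext values and is keyed with the file's data key.
    h = hmac.new(data_key, digestmod=hashlib.sha512)
    for k in sorted(plaintexts):
        h.update(k.encode() + b"=" + plaintexts[k])
    return h.hexdigest()

def encrypt_value(data_key: bytes, value: str) -> str:
    nonce = os.urandom(12)
    return f"ENC[{nonce.hex()}:{_xor_stream(data_key, nonce, value.encode()).hex()}]"

def decrypt_value(data_key: bytes, enc: str) -> bytes:
    nonce_hex, ct_hex = enc[4:-1].split(":")
    return _xor_stream(data_key, bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex))

def encrypt_file(data_key: bytes, secrets: dict) -> dict:
    # Every value in the file is encrypted under the same data key (one data key per file).
    doc = {k: encrypt_value(data_key, v) for k, v in secrets.items()}
    doc["sops"] = {"mac": _mac(data_key, {k: v.encode() for k, v in secrets.items()})}
    return doc

def decrypt_file(data_key: bytes, doc: dict) -> dict:
    # Verify the MAC over the decrypted bytes before handing any value back.
    plain = {k: decrypt_value(data_key, v) for k, v in doc.items() if k != "sops"}
    if not hmac.compare_digest(_mac(data_key, plain), doc["sops"]["mac"]):
        raise ValueError("MAC mismatch: file was modified without the data key")
    return {k: v.decode() for k, v in plain.items()}

def verifies(data_key: bytes, doc: dict) -> bool:
    try:
        decrypt_file(data_key, doc)
        return True
    except ValueError:
        return False

def add_value_with_key(data_key: bytes, doc: dict, key: str, value: str) -> dict:
    # The questioner's workflow: decrypt, add, re-encrypt; the MAC is recomputed with the data key.
    secrets = decrypt_file(data_key, doc)
    secrets[key] = value
    return encrypt_file(data_key, secrets)

def add_value_without_key(doc: dict, key: str, value: str) -> dict:
    # Without the data key the best one can do is encrypt under some other key and leave the
    # existing MAC untouched; verification by a key holder then rejects the whole file.
    tampered = dict(doc)
    tampered[key] = encrypt_value(os.urandom(32), value)
    return tampered
```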
