Having a sops config file `.sops.yaml` with `unencrypted_comment_regex` and a `secrets.yaml` like this:

```yaml
# server credentials
credentials:
  # this is the age key for the deployment server # <- should stay unencrypted
  # hostname foo.example.com # <- should be encrypted
  age_key:
    private: AGE-SECRET-KEY.... # <- should be encrypted
    public: age1.... # <- should be encrypted
```

where you want to have some readable comments but an encrypted private and public key, someone can easily think it should work like this:
```yaml
# server credentials
credentials:
  #sops:dec
  # this is the age key for the deployment server
  # hostname foo.example.com
  age_key:
    private: AGE-SECRET-KEY....
    public: age1....
```

The assumption for me was to get:

```yaml
#ENC[AES256_GCM... type:comment]
credentials:
  # this is the age key for the deployment server
  #ENC[AES256_GCM... type:comment]
  age_key:
    private: ENC[AES256_GCM...]
    public: ENC[AES256_GCM...]
```

but you end up with:

```yaml
#ENC[AES256_GCM... type:comment]
credentials:
  # this is the age key for the deployment server
  # hostname foo.example.com
  age_key:
    private: AGE-SECRET-KEY....
    public: age1....
```
So the `#sops:dec` prevents the encryption not only for the next line but for the full following section, until the next new comment block or the next key/property.

That is quite unhandy/uncool, as someone might assume that only the next line stays unencrypted and not the whole next section with all its subkeys. So you have no granular control over what gets encrypted and what does not get encrypted.

Also, as far as I know `unencrypted_comment_regex` is mutually exclusive with `encrypted_comment_regex`, so I cannot even do this:
```yaml
# server credentials
credentials:
  #sops:dec
  # this is the age key for the deployment server
  #sops:enc
  # hostname foo.example.com
  age_key:
    private: AGE-SECRET-KEY....
    public: age1....
```

or:

```yaml
# server credentials
credentials:
  #sops:dec
  # this is the age key for the deployment server
  #sops:dec:end
  # hostname foo.example.com
  age_key:
    private: AGE-SECRET-KEY....
    public: age1....
```
Is there no way to only keep the next line or the next comment unencrypted but keep the rest encrypted (without specifying each key I want to encrypt/keep unencrypted with its own regex/rule)?

I had to remove the `#sops:dec` comment and stay with encrypted comments to stay safe (you easily overlook such behavior if your secrets file is a little longer).

I miss three things:

- an easy way to keep the next/same line unencrypted
- a property/setting in the config to keep all comments unencrypted
- allowing both settings to be used together (`unencrypted_comment_regex` and `encrypted_comment_regex`)
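Because the plaintext-left-behind case above is easy to miss in a longer file, here is an added post-encryption check (example code written for this issue, not code from the issue author or from sops). It scans the sops output line by line and flags every `key: value` leaf that is not an `ENC[...]` blob and every comment that is neither an `ENC[... type:comment]` blob nor matched by an allow-list regex mirroring your `unencrypted_comment_regex`. It assumes sops' `ENC[<cipher>,data:...,type:...]` value format and its top-level `sops:` metadata mapping; the two sample files (`LEAKED`, `CLEAN`) and the `AGE-SECRET-KEY-1EXAMPLE...`/`age1example...` strings are constructed placeholders, and the scanner only handles simple block-style YAML like the files in this issue (no flow mappings, anchors or multi-line scalars outside the `sops:` block).

```python
"""Post-encryption check for a sops-encrypted YAML file (added example, not sops code)."""
import re

ENC_VALUE = re.compile(r"^ENC\[[A-Z0-9_]+,.*\]$")        # e.g. ENC[AES256_GCM,data:...,type:str]
ENC_COMMENT = re.compile(r"^#ENC\[.*type:comment\]$")     # sops' encrypted-comment marker
COMMENT = re.compile(r"^\s*(#.*?)\s*$")
KEY_VALUE = re.compile(r"^(\s*)([^#\s][^:]*):\s*(.*?)\s*$")


def find_plaintext(yaml_text, allowed_comment_regex=None):
    """Return [(line_no, kind, text)] for comments/values still in plaintext.

    kind is "comment" or "value". Comments matching allowed_comment_regex are
    treated as intentionally readable (mirror your unencrypted_comment_regex).
    """
    allowed = re.compile(allowed_comment_regex) if allowed_comment_regex else None
    in_sops_metadata = False
    findings = []
    for no, line in enumerate(yaml_text.splitlines(), start=1):
        if not line.strip():
            continue
        m = COMMENT.match(line)
        if m:
            comment = m.group(1)
            if ENC_COMMENT.match(comment) or (allowed and allowed.search(comment)):
                continue
            findings.append((no, "comment", comment))
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue  # block-scalar body, list item without a key, etc.
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:
            # sops appends its own `sops:` mapping (recipients, mac, ...); those
            # entries are metadata, not user data, and are not ENC[...] wrapped.
            in_sops_metadata = key == "sops"
        if in_sops_metadata:
            continue
        value = value.strip("\"'")
        if value in ("", "|", ">", "|-", ">-"):
            continue  # nested mapping or block-scalar header, not a leaf
        if not ENC_VALUE.match(value):
            findings.append((no, "value", f"{key}: {value}"))
    return findings


def check_file(yaml_text, allowed_comment_regex):
    """True when nothing in yaml_text is left in plaintext (usable as a CI gate)."""
    return not find_plaintext(yaml_text, allowed_comment_regex)


# Allow-list mirroring the one comment the issue wants to stay readable.
ALLOWED_COMMENTS = r"^# this is the age key"

# Constructed sample: the output the issue reports for a `#sops:dec` in front
# of the comment block. Keys and ENC blobs are placeholders, not real material.
LEAKED = """\
#ENC[AES256_GCM,data:c2VydmVyIGNyZWRz,iv:aXY=,tag:dGFn,type:comment]
credentials:
  # this is the age key for the deployment server
  # hostname foo.example.com
  age_key:
    private: AGE-SECRET-KEY-1EXAMPLEEXAMPLEEXAMPLEEXAMPLE
    public: age1exampleexampleexampleexample
sops:
  age:
    - recipient: age1exampleexampleexampleexample
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        -----END AGE ENCRYPTED FILE-----
  mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
"""

# Constructed sample: the output the issue expected (only the one comment readable).
CLEAN = """\
#ENC[AES256_GCM,data:c2VydmVyIGNyZWRz,iv:aXY=,tag:dGFn,type:comment]
credentials:
  # this is the age key for the deployment server
  #ENC[AES256_GCM,data:aG9zdG5hbWU=,iv:aXY=,tag:dGFn,type:comment]
  age_key:
    private: ENC[AES256_GCM,data:cHJpdg==,iv:aXY=,tag:dGFn,type:str]
    public: ENC[AES256_GCM,data:cHVi,iv:aXY=,tag:dGFn,type:str]
sops:
  mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
"""

if __name__ == "__main__":
    for name, text in (("leaked", LEAKED), ("clean", CLEAN)):
        problems = find_plaintext(text, ALLOWED_COMMENTS)
        print(f"{name}: {'OK' if not problems else 'PLAINTEXT LEFT'}")
        for no, kind, what in problems:
            print(f"  line {no} ({kind}): {what}")
```

Run it against the real `sops -e` output of your secrets file (with the allow-list set to the same pattern as your `unencrypted_comment_regex`) as a pre-commit or CI step; on the leaked sample it reports the `# hostname` comment and both `age_key` leaves, which is exactly what the `#sops:dec` behaviour described above leaves in plaintext.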