April 22, 2025
Sooner or later you will face the problem of storing secrets in your IaC repo. And maybe you are also hosting this repo on a public Git server like codeberg.org. Is it a bad idea to store secrets in plain text in a public repository? Hell yes! But there are a lot of solutions to this problem.
One solution I like to use is SOPS. SOPS is not an encryption algorithm of its own: it encrypts the values in YAML, JSON, ENV, INI or binary files with AES-256-GCM and protects the data key with an existing key-management backend such as PGP, age, OpenBao/HashiCorp Vault, Azure Key Vault, GCP KMS or AWS KMS. One thing to keep in mind is that SOPS only encrypts the value part of a key-value pair; the keys and the structure of the file stay in plain text, which is why it is tied to those structured file formats.
As mentioned, SOPS can use different key backends. One of those is age, "[..] a simple, modern and secure file encryption tool, format, and Go library. It features small explicit keys, no config options, and UNIX-style composability."
$ age-keygen -o age-key.txt
This will create a file called age-key.txt that contains the public and private part of your new age encryption key. You can share the public part of your key much like a public SSH key, but more on that later.
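Because SOPS leaves keys and structure readable and only wraps the values, an encrypted file can be audited without the private key: every leaf must be a SOPS envelope and the sops metadata must name our age recipient (the public part of age-key.txt). The following is an added example, not code from the original post or from the SOPS/age projects; it assumes a JSON file with the default unencrypted_suffix, and the key file and ciphertext in it are constructed placeholders, not real keys or real SOPS output.

```python
"""Added example (not part of the original post): check that a SOPS/age-encrypted
JSON file is really encrypted and addressed to our age key, e.g. as a pre-commit hook.
Assumptions: JSON input, the default unencrypted_suffix; the key file and ciphertext
below are constructed placeholders, not real keys or real SOPS output."""
import json
import re

# SOPS encrypts each leaf *value* with AES-256-GCM into this textual envelope; the keys
# and structure stay readable. 'type' records the original scalar type.
ENC_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]+,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(str|int|float|bool|bytes|comment)\]$"
)
# An age recipient is bech32: "age1" + 58 chars. Length/charset check only, no checksum.
AGE_RECIPIENT = re.compile(r"^age1[a-z0-9]{58}$")

# Constructed stand-in for `age-keygen -o age-key.txt` output. NOT a real key pair.
EXAMPLE_RECIPIENT = "age1qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf2tvdw0s3jn54khce"
AGE_KEY_FILE = f"""# created: 2025-04-22T10:00:00+02:00
# public key: {EXAMPLE_RECIPIENT}
AGE-SECRET-KEY-1QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7LQPZRY9X8GF2TVDW0S3JN54KHCE
"""

# Constructed document in SOPS's JSON layout; data/iv/tag/mac/enc are placeholders.
_IV_TAG = "iv:aXZpdml2aXZpdml2aXY=,tag:dGFndGFndGFndGFndGFn"
ENCRYPTED_JSON = json.dumps({
    "db_password": f"ENC[AES256_GCM,data:QUJDREVGR0g=,{_IV_TAG},type:str]",
    "api": {
        "token": f"ENC[AES256_GCM,data:dG9rZW4=,{_IV_TAG},type:str]",
        "endpoint_unencrypted": "https://api.example.internal",  # left plain on purpose
    },
    "ports": [f"ENC[AES256_GCM,data:NDQz,{_IV_TAG},type:int]"],
    "oops": "hunter2",  # added by hand without running sops: this must be caught
    "sops": {
        "age": [{"recipient": EXAMPLE_RECIPIENT,
                 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nPLACEHOLDER\n-----END AGE ENCRYPTED FILE-----\n"}],
        "lastmodified": "2025-04-22T08:00:00Z",
        "mac": f"ENC[AES256_GCM,data:bWFj,{_IV_TAG},type:str]",
        "unencrypted_suffix": "_unencrypted",
        "version": "3.x",
    },
})


def public_key_from_keyfile(text: str) -> str:
    """Return the shareable recipient from an age key file, never the secret line."""
    for line in text.splitlines():
        if line.startswith("# public key:"):
            recipient = line.split(":", 1)[1].strip()
            if not AGE_RECIPIENT.match(recipient):
                raise ValueError(f"malformed age recipient: {recipient!r}")
            return recipient
    raise ValueError("no '# public key:' line in key file")


def _plaintext_leaves(node, path, suffix, out):
    """Collect dotted paths of leaf values that are not SOPS envelopes."""
    if isinstance(node, dict):
        for key, value in node.items():
            if not path and key == "sops":
                continue  # metadata block is plaintext by design
            if key.endswith(suffix):
                continue  # explicitly excluded from encryption
            _plaintext_leaves(value, path + [key], suffix, out)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _plaintext_leaves(value, path + [str(i)], suffix, out)
    elif isinstance(node, str) and ENC_VALUE.match(node):
        return
    else:
        out.append(".".join(path))  # bare string, number, bool or null: not encrypted


def audit_encrypted_file(text: str) -> dict:
    """Report who can decrypt the file and which values slipped in as plaintext."""
    doc = json.loads(text)
    meta = doc.get("sops")
    if not isinstance(meta, dict) or "mac" not in meta:
        raise ValueError("no sops metadata: this file was never encrypted")
    suffix = meta.get("unencrypted_suffix", "_unencrypted")
    recipients = [entry["recipient"] for entry in meta.get("age", [])]
    bad = [r for r in recipients if not AGE_RECIPIENT.match(r)]
    if bad:
        raise ValueError(f"malformed age recipients in metadata: {bad}")
    leaves: list = []
    _plaintext_leaves(doc, [], suffix, leaves)
    return {"recipients": recipients, "plaintext_leaves": leaves}


def is_encrypted_for(text: str, recipient: str) -> bool:
    """True if `recipient` (an age public key) can decrypt the file."""
    return recipient in audit_encrypted_file(text)["recipients"]
```

In the sample, `oops` is reported because someone edited the file without going through `sops`, while `endpoint_unencrypted` is accepted because its suffix marks it as intentionally plain. The recipient check is what turns "is this encrypted?" into "is this encrypted for us?": a file addressed only to a colleague's key passes the first question and fails the second.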
In the case of a dynamic Ansible inventory, however, the SOPS module is not of much help. Modules only run inside a play or a role, and the inventory is parsed before the first play starts, so anything that happens before that point cannot benefit from the module's features.
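Since nothing module-level runs before the inventory is read, the decryption has to happen in the inventory source itself. As an added example (not code from the original post, Ansible or SOPS), here is a minimal dynamic inventory script that shells out to `sops --decrypt` and emits the JSON shape Ansible expects from such a script. The file name, the `groups`/`hostvars` layout inside the encrypted file, and the `SOPS_INVENTORY_FILE` variable are this example's own assumptions; it expects `sops` on PATH and the age key reachable via `SOPS_AGE_KEY_FILE` or the default key location.

```python
"""Added example (not part of the original post): an Ansible dynamic inventory script
that decrypts a SOPS/age-encrypted file before Ansible parses the inventory, i.e. at a
point where no module or role has run yet.
Assumptions (this example's, not the post's): `sops` is on PATH and finds the age key
via SOPS_AGE_KEY_FILE or its default location; the encrypted file uses the constructed
groups/hostvars layout shown in SAMPLE_DECRYPTED; file name and env var are made up."""
import json
import os
import subprocess
import sys

SOPS_FILE = os.environ.get("SOPS_INVENTORY_FILE", "inventory.sops.json")  # assumption

# Constructed plaintext as it would look after `sops --decrypt --output-type json`.
SAMPLE_DECRYPTED = {
    "groups": {
        "webservers": {
            "hosts": ["web1.example.internal", "web2.example.internal"],
            "vars": {"http_port": 8080},
        },
        "dbservers": {"hosts": ["db1.example.internal"]},
    },
    "hostvars": {
        "db1.example.internal": {"ansible_user": "ops", "db_root_password": "constructed-secret"},
    },
}


def sops_decrypt_json(path: str) -> dict:
    """Decrypt `path` with sops and parse the plaintext as JSON. The age secret key is
    read by sops itself (SOPS_AGE_KEY_FILE), so it never has to live in the repo."""
    proc = subprocess.run(
        ["sops", "--decrypt", "--output-type", "json", path],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


def to_ansible_inventory(decrypted: dict) -> dict:
    """Turn the decrypted document into the `--list` output of a dynamic inventory
    script: one key per group plus a `_meta.hostvars` block."""
    inventory = {"_meta": {"hostvars": dict(decrypted.get("hostvars", {}))}}
    groups = decrypted.get("groups", {})
    for group, body in groups.items():
        entry = {"hosts": list(body.get("hosts", []))}
        if body.get("vars"):
            entry["vars"] = dict(body["vars"])
        inventory[group] = entry
    # Every host needs a hostvars entry so `--host <name>` never has to miss.
    for body in groups.values():
        for host in body.get("hosts", []):
            inventory["_meta"]["hostvars"].setdefault(host, {})
    return inventory


def main(argv):
    try:
        decrypted = sops_decrypt_json(SOPS_FILE)
    except FileNotFoundError:
        sys.exit("sops binary not found on PATH")
    except subprocess.CalledProcessError as exc:
        sys.exit(f"sops failed: {exc.stderr.strip()}")
    inventory = to_ansible_inventory(decrypted)
    if len(argv) > 2 and argv[1] == "--host":
        print(json.dumps(inventory["_meta"]["hostvars"].get(argv[2], {})))
    else:  # `--list` is the default call Ansible makes
        print(json.dumps(inventory))


if __name__ == "__main__":
    main(sys.argv)
```

Point Ansible at the script with `ansible-inventory -i inventory.py --list` (the file must be executable). Because the plaintext only ever exists in the process's memory and on stdout to Ansible, the repository keeps holding nothing but the SOPS-encrypted file.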