
Code Repository Secrets Management

Yeong Sheng
December 02, 2020

In this presentation, I introduce how to manage and encrypt the "secrets" in your codebase using GnuPG + Mozilla SOPS, so that they are safe to be checked into and pushed to your code repository.


Transcript

  1. What is the problem?
     • Multiple application/infrastructure secrets checked into the code base.
     • Clunky manual process to overlay configuration secrets for application setup.
     • Homegrown bespoke tool - limiting options.
     • Limits ability to automate build, configuration and deployment.

  2. Intent: Sharing the tools and processes to modernise secrets management, and drive towards a safer and automated environment configuration and deployment.

  3. Desired Outcome
     1. Know the risk/s of outdated practices.
     2. Basic understanding of key management solutions (GnuPG, KMS, etc.).
     3. How to use Mozilla SOPS with GnuPG to secure your secrets.
     4. See the way forward to weave the learnt techniques into an automated configuration/deployment pipeline.

  4. Risks
     • Leaking secrets onto your source code repository and then removing them is just like accidentally posting an embarrassing tweet, deleting it and just hoping no one saw it or took a screenshot.
     • Data breaches.
     • Source code is leaky. Repositories can be cloned (think entire history).
     • Use tools like GitGuardian / ggshield to automate secrets detection in your git repositories.

  5. Tools of the Trade
     • Windows 10 / Ubuntu 20.04 / CentOS 7.
     • scoop.sh.
     • GnuPG / HashiCorp Vault / GCP KMS.
     • Mozilla SOPS.
     • Your preferred scripting language, e.g. PowerShell / docker.

  6. What is scoop.sh?
     • Package management in Windows 10 similar to chocolatey / apt-get / yum / homebrew, etc.
     • CLI driven => path towards automation (scriptable).
     • Supports root / admin privilege script execution via ‘sudo’ in the Microsoft Windows environment.
     • DEMO...

  7. What is GnuPG?
     • GNU Privacy Guard === GnuPG === gpg.
     • Asymmetric public key cryptography.
     • Identity signature to sign emails, files, git commits, etc.
     • Poor man’s file encryption/decryption.
     • Quick, secure way to get started.
     • DEMO...

  8. What is Mozilla SOPS?
     • SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats.
     • Encrypts with GnuPG and can also be upgraded to work with AWS KMS, GCP KMS and Azure Key Vault.
     • Works well to support team development.
     • Can be integrated into CI systems and automation tooling, from PowerShell to bash/zsh, on Microsoft Windows and Linux/BSD/macOS.
     • DEMO...

  9. What next:
     1. Add GnuPG and SOPS into your CI pipeline.
     2. `sops --decrypt` is your friend to overlay and deploy production configuration files to your target environment.
     3. Mature into HashiCorp Vault or GCP KMS to manage / store keys instead of local gpg keys.
     4. Mature into using configuration management tools to automate the entire pipeline, together with SOPS + GnuPG / KMS.
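The encrypt-check-decrypt round trip the deck describes, as an added PowerShell example (not part of the original slides or of the SOPS project). It assumes `gpg` and `sops` are on the PATH (e.g. installed via scoop), that `$KeyFingerprint` names a key already in your GnuPG keyring, and it uses constructed sample secret values.

```powershell
param(
    [Parameter(Mandatory)][string]$KeyFingerprint,          # assumption: fingerprint of an existing gpg key
    [string]$WorkDir = (Join-Path $env:TEMP 'sops-demo')    # scratch directory, stands in for a repo checkout
)
$ErrorActionPreference = 'Stop'
foreach ($tool in 'gpg', 'sops') { Get-Command $tool | Out-Null }   # fails fast if a tool is missing

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
Push-Location $WorkDir
try {
    # Constructed sample secrets. In a real repo this file is only ever committed after sops has encrypted it.
    $secretFile = 'app-secrets.enc.yaml'
    @"
db_password: s3cr3t-constructed-value
api_token: tok-constructed-value
log_level: info
"@ | Set-Content -Path $secretFile -Encoding ascii

    # Team-wide creation rule: every *.enc.yaml is encrypted to this PGP key.
    # Extra team members are added as more fingerprints; a kms: or gcp_kms: entry is the later "mature into KMS" step.
    @"
creation_rules:
  - path_regex: \.enc\.yaml$
    pgp: $KeyFingerprint
"@ | Set-Content -Path '.sops.yaml' -Encoding ascii

    & sops --encrypt --in-place $secretFile
    if ($LASTEXITCODE -ne 0) { throw 'sops encrypt failed' }

    # Pre-commit sanity check: keys stay readable (diffs remain reviewable), each value becomes an
    # ENC[AES256_GCM,...] blob, the data key lives PGP-wrapped in the sops: block, and no plaintext value survives.
    $enc = Get-Content $secretFile -Raw
    if ($enc -notmatch 'db_password: ENC\[AES256_GCM') { throw 'db_password was not encrypted' }
    if ($enc -match 's3cr3t-constructed-value')       { throw 'plaintext secret leaked into encrypted file' }
    if ($enc -notmatch '(?m)^sops:')                   { throw 'missing sops metadata block (key envelopes + MAC)' }
    Write-Host "$secretFile is safe to commit: keys visible, values encrypted"

    # Deployment side: overlay the decrypted config into the target location, never back into the repo.
    $target = Join-Path $WorkDir 'deploy\app-config.yaml'
    New-Item -ItemType Directory -Force -Path (Split-Path $target) | Out-Null
    $plain = & sops --decrypt $secretFile
    if ($LASTEXITCODE -ne 0) { throw "sops decrypt failed (is the private key for $KeyFingerprint in your keyring?)" }
    Set-Content -Path $target -Value $plain -Encoding ascii
    if ((Get-Content $target -Raw) -notmatch 'db_password: s3cr3t-constructed-value') { throw 'round trip mismatch' }
    Write-Host "Decrypted config written to $target"
}
finally { Pop-Location }
```

Run it as `.\sops-roundtrip.ps1 -KeyFingerprint <your 40-hex-char fingerprint>`; the same `sops --decrypt` step is what a CI job runs with the deployment key to overlay production configuration.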