Show: dhall-secret

Hey, just want to showcase a simple CLI I made recently, which I'm using very heavily together with dhall-kubernetes to deploy secrets, as well as AWS KMS. Hope it can help anyone like me who is also looking for a sops alternative that works with dhall expressions.

:link: GitHub - jcouyang/dhall-secret: Manage secrets in dhall config file

It is very straightforward and can encrypt/decrypt AWS KMS and age values in a dhall expression using dhall-secret's type. For example:

$ dhall-secret encrypt <<< 'dhall-secret.AgeDecrypted {PlainText = "hello", Recipients=["age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg"]}'
let dhall-secret =
      https://raw.githubusercontent.com/jcouyang/dhall-secret/master/Type.dhall
        sha256:d7b55a2f433e19cf623d58c339346a604d96989f60cffdecee125a504a068dc9

in  dhall-secret.AgeEncrypted
      { Recipients =
        [ "age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg" ]
      , CiphertextBlob =
          ''
          -----BEGIN AGE ENCRYPTED FILE-----
          YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cXJtTGNodTRKSnN3RFBo
          VUZQUUxjM2I2UnQ2VXJCUlBlRFVtUU52TWdZCklsRmdvRTRoVENyWnZhbDFSSllh
          WXFHeTBaeUE3VE1PTGQvaEJiTkprRm8KLS0tIGk1cENFbEM2NmMvU2h6azlxem5t
          Z0Q0ZFQ5QVdmR2ZNV2RZSnd1cXFQYk0KUcAPHZkamYXmKW/Nk6ZZiXkiI8MN3GJe
          UPGFL70/U1c/ph2s8g==
          -----END AGE ENCRYPTED FILE-----
          ''
      }

Feedback/PR welcome
Thanks

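A pre-commit guard for the encrypt step shown above, added here as an example (not part of the post or of the dhall-secret project): it scans a dhall file for the plaintext AgeDecrypted variant and its PlainText field, and checks that every AgeEncrypted value carries an age armor whose decoded body starts with the age-encryption.org/v1 header. The let-binding name `dhall-secret`, the sample inputs, and treating any constructor ending in "Decrypted" as plaintext are assumptions.

```python
import base64
import re

# Names taken from the post: the `dhall-secret` let-binding, the AgeDecrypted and
# AgeEncrypted constructors, and their PlainText / CiphertextBlob fields. Treating
# every constructor that ends in "Decrypted" as a plaintext variant is an assumption.
CONSTRUCTOR_RE = re.compile(r"dhall-secret\.([A-Za-z]+)")
ARMOR_RE = re.compile(
    r"-----BEGIN AGE ENCRYPTED FILE-----\s*(.*?)\s*-----END AGE ENCRYPTED FILE-----", re.S
)
AGE_HEADER = b"age-encryption.org/v1"  # first line of every age ciphertext

def check_dhall_secret(text: str) -> list[str]:
    """Return findings for one dhall file; an empty list means nothing blocks the commit."""
    findings = []
    constructors = CONSTRUCTOR_RE.findall(text)
    for name in constructors:
        if name.endswith("Decrypted"):
            findings.append(f"{name} is a plaintext variant; run `dhall-secret encrypt` first")
    if "PlainText" in text:
        findings.append("PlainText field present")
    armors = ARMOR_RE.findall(text)
    expected = constructors.count("AgeEncrypted")
    if len(armors) != expected:
        findings.append(f"{expected} AgeEncrypted value(s) but {len(armors)} age armor block(s)")
    for body in armors:
        try:
            raw = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            findings.append("age armor body is not valid base64")
            continue
        if not raw.startswith(AGE_HEADER):
            findings.append("age armor does not start with the age-encryption.org/v1 header")
    return findings

def render_encrypted(payload: bytes) -> str:
    """Constructed dhall text in the shape `dhall-secret encrypt` prints, armoring `payload`."""
    body = base64.b64encode(payload).decode()
    return (
        "let dhall-secret = ./Type.dhall\n\nin  dhall-secret.AgeEncrypted\n"
        '      { Recipients = [ "age1constructedrecipient" ]\n'
        "      , CiphertextBlob = ''\n          -----BEGIN AGE ENCRYPTED FILE-----\n"
        f"          {body}\n          -----END AGE ENCRYPTED FILE-----\n          ''\n      }}\n"
    )

# Constructed inputs: the payload is not real ciphertext, only the age header line is genuine.
GOOD = render_encrypted(AGE_HEADER + b"\n-> X25519 constructed stanza\n")
BAD = ("let dhall-secret = ./Type.dhall\n\nin  dhall-secret.AgeDecrypted\n"
       '      { PlainText = "hello", Recipients = [ "age1constructedrecipient" ] }\n')
```

Wiring `check_dhall_secret` over every staged `*.dhall` file in a pre-commit hook stops a forgotten `encrypt` from landing plaintext in the repository.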

This is really cool, but one of the important benefits of sops is that it manages changing keys. Teams change, keys get rotated, and you have this combination of .sops.yaml and secrets.yaml that is kept up to date as keys update.

As an alternative to dhall-secret you can use sops as is without additional software:

let Foo = { region : Text, key : Text, secret : Text }

in    { region = "fr-par"
      , key = env:SECRET_KEY as Text
      , secret = env:SECRET_ACCESS as Text
      }
    : Foo
$ sops exec-env secrets.yaml 'dhall <<< ./test.dhall'
{ key = "foo", region = "fr-par", secret = "bar" }