First of all, there are some good and more sophisticated proposals here:
- https://github.com/getsops/sops/issues/1137
- https://github.com/prskr/git-age
- https://github.com/sandorex/age-crypt
- https://github.com/uw-labs/strongbox
This recipe is just a minimal setup that we can get without using additional scripts.
Also, there are some assumptions in place:
- SOPS rules exist already, either in $HOME/.sops.yaml or in the repository
- Files will be encrypted according to their type, as SOPS usually does, but it may not work for binary files
Setup
We need these two items in .gitconfig:
```ini
[filter "sops"]
    ; fail the checkout/commit instead of silently storing plaintext if sops is missing
    required = true
    ; we decrypt files as usual, without any additional magic, there are no tricks here
    ; (git replaces %f with the path of the file being filtered)
    smudge = sops decrypt --filename-override "%f"
    ; but encryption will regenerate the file even if there are no changes (a fresh data key and IVs every time),
    ; so we need to decrypt the existing file first, and perform the encryption only if decrypted content is different;
    ; for a file that is not in HEAD yet, git cat-file fails and the plaintext is simply encrypted
    clean = bash -c 'c="$(cat -)" && diff <(echo "$c") <(git cat-file -p "HEAD:%f" | sops decrypt --filename-override "%f") >/dev/null 2>&1 && git cat-file -p "HEAD:%f" || (sops encrypt --filename-override "%f" <<<"$c")'

[diff "sops"]
    ; and as the last piece, we need to convert the file for git diff
    ; but as the local file is decrypted already, we need to fail safely to just printing it
    ; (git passes the path to convert as the first argument, which sh -c exposes as $0)
    textconv = sh -c 'sops decrypt "$0" 2>/dev/null || cat "$0"'
    cachetextconv = false
```
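The one-liner in the clean filter is dense, so here is the same logic as a plain-sh function that can be exercised on its own. This is an added example, not code from the original post or from SOPS: it keeps the three outcomes of the filter (file unchanged, file changed, file not in HEAD yet), uses temp files instead of bash process substitution so it runs under plain sh, and calls `sops` and `git` by name exactly as the filter does. The function name `sops_clean` and the `$1` path argument (git's `%f`) are my own choices.

```sh
#!/bin/sh
# Added example: the clean-filter logic from [filter "sops"] as a testable function.
# Usage: plaintext on stdin, path as $1, index content on stdout, e.g.
#   sops_clean secrets.yaml <secrets.yaml

sops_clean() {
    path=$1
    tmpdir=$(mktemp -d) || return 1
    # Capture the plaintext byte-for-byte (unlike $(...), which strips trailing newlines).
    cat - >"$tmpdir/plain"
    # Fetch the version already committed at HEAD and decrypt it. For a new file
    # git cat-file fails (nothing at HEAD), so we fall through to a fresh encryption.
    if git cat-file -p "HEAD:$path" >"$tmpdir/stored" 2>/dev/null &&
       sops decrypt --filename-override "$path" <"$tmpdir/stored" >"$tmpdir/stored.plain" 2>/dev/null &&
       cmp -s "$tmpdir/plain" "$tmpdir/stored.plain"; then
        # Plaintext unchanged: reuse the stored ciphertext so git sees no diff
        # (a fresh sops encrypt would produce a new data key and new ciphertext).
        cat "$tmpdir/stored"
        rc=$?
    else
        # New file, or changed plaintext: encrypt the captured plaintext.
        sops encrypt --filename-override "$path" <"$tmpdir/plain"
        rc=$?
    fi
    rm -rf "$tmpdir"
    return $rc
}
```

To wire this in instead of the inline `bash -c` command, save the function in a script that ends with `sops_clean "$1"` and point the filter at it, for example `clean = sh /path/to/sops-clean.sh "%f"` (the path is a placeholder); git substitutes `%f` before running the command through the shell.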
Adding files
So now we can just enable both options for the file to be encrypted in .gitattributes:
```
secrets.yaml filter=sops diff=sops
```
