SOPS Key Management Practices
Advanced
Manage SOPS encryption keys securely — use cloud KMS for production, age keys for development, implement key rotation, and maintain proper access controls per environment.
File Patterns
`**/.sops.yaml`, `**/*.enc.*`
This rule applies to files matching the patterns above.
Rule Content
rule-content.md
# SOPS Key Management Practices
## Rule
Production MUST use cloud KMS (AWS, GCP, Azure). Development MAY use age keys. Implement key rotation quarterly. Maintain separate keys per environment with distinct access policies.
## Key Provider Hierarchy
| Environment | Provider | Rotation | Access |
|-------------|----------|----------|--------|
| Production | AWS KMS / GCP KMS | Quarterly | IAM restricted |
| Staging | AWS KMS / GCP KMS | Quarterly | Team-wide |
| Development | age | Annual | Individual |
| CI/CD | AWS KMS + IAM role | Auto | Service account |
## Good Examples
```yaml
# .sops.yaml — multi-provider setup
# Rules are tried top to bottom; the first path_regex that matches wins.
creation_rules:
  # Production: AWS KMS. The key's automatic rotation only re-keys the CMK's
  # backing material; it never re-wraps a file's data key, so the files
  # themselves still need `sops --rotate` on the quarterly schedule.
  - path_regex: secrets/prod/.*
    kms: "arn:aws:kms:us-east-1:123456789:key/prod-key"
  # Staging: separate KMS key with its own IAM policy
  - path_regex: secrets/staging/.*
    kms: "arn:aws:kms:us-east-1:123456789:key/staging-key"
  # Development: age recipients (no cloud dependency), one key pair per developer
  - path_regex: secrets/dev/.*
    age: >-
      age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p,
      age1abc...second-developer-key
```
```bash
# Generate an age key pair for development. The private key is written to the
# file (keep it mode 0600); the matching recipient (age1...) is printed to
# stderr and is what goes into .sops.yaml.
age-keygen -o ~/.config/sops/age/keys.txt

# Move a production file to a new KMS key. --rotate generates a fresh data key
# and wraps it only under the master keys that remain, so the old KMS key can
# never decrypt the rotated file.
sops --rotate --in-place \
  --add-kms "arn:aws:kms:us-east-1:123456789:key/new-key" \
  --rm-kms "arn:aws:kms:us-east-1:123456789:key/old-key" \
  secrets/production.enc.yaml

# Add a new team member's age recipient, rotating the data key at the same
# time. (If the recipient was added to .sops.yaml instead, `sops updatekeys`
# applies that list to an existing file without a full rotation.)
sops --rotate --in-place \
  --add-age "age1newmemberkey..." \
  secrets/dev.enc.yaml
```
## Bad Examples
```bash
# BAD: PGP keys in production. Long-lived private keys sit on laptops, and
# there is no central access policy, revocation path or audit trail.
sops --pgp "FINGERPRINT" secrets.yaml
# Use cloud KMS instead

# BAD: Sharing a single age private key across the team.
# If one person's laptop is compromised, every file that key can decrypt is
# exposed, and the only remedy is to rotate all of them. One key pair per
# developer, listed individually as recipients.

# BAD: No key rotation.
# Same key used for 3 years with no rotation plan; a leak at any point in that
# window decrypts every version of every file ever committed under it.
```
## Enforcement
- Quarterly key rotation with automated SOPS rotate command
- IAM policies restricting KMS key access per environment
- Audit KMS key usage with CloudTrail
- Document key custodians and rotation schedule
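The three enforcement points above are checkable in CI: SOPS records which master keys wrap a file's data key, and when, in the `sops` metadata block it writes into every encrypted file. The following is an added example (not code from the SOPS project) in Python that reads that block and reports provider, key and rotation-age violations for a given environment. The policy table, the key ARNs (the page's placeholders) and the sample metadata are constructed assumptions; the metadata layout (`kms`/`age`/`pgp` lists, `created_at`, `lastmodified`) is the one SOPS itself emits.

```python
"""Policy check over the `sops` metadata block of encrypted files.

Added example for this page, not code from the SOPS project. Checks that
each environment uses only its allowed provider and its own KMS key, and
that the file's data key is within the quarterly rotation window.
"""
from datetime import datetime, timedelta, timezone

# Hypothetical policy mirroring the page's .sops.yaml; the ARNs are the
# page's placeholders, not real keys.
POLICY = {
    "prod":    {"providers": {"kms"}, "kms_arns": {"arn:aws:kms:us-east-1:123456789:key/prod-key"}},
    "staging": {"providers": {"kms"}, "kms_arns": {"arn:aws:kms:us-east-1:123456789:key/staging-key"}},
    "dev":     {"providers": {"age"}, "kms_arns": set()},
}
MAX_KEY_AGE = timedelta(days=90)  # quarterly rotation
PROVIDERS = ("kms", "gcp_kms", "azure_kv", "hc_vault", "age", "pgp")


def _parse_ts(value: str) -> datetime:
    """SOPS writes RFC 3339 UTC timestamps, e.g. 2024-01-15T10:22:31Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_sops_metadata(sops_meta: dict, env: str, now: datetime) -> list[str]:
    """Return policy findings for one file's `sops` block; empty means compliant."""
    policy = POLICY[env]
    findings = []

    present = {p for p in PROVIDERS if sops_meta.get(p)}
    if not present:
        findings.append("no master keys: nobody can decrypt this file")
    for provider in sorted(present - policy["providers"]):
        findings.append(f"{provider} recipients are not allowed in {env}")
    for provider in sorted(policy["providers"] - present):
        findings.append(f"{env} requires {provider} master keys")

    # The subtle failure: a prod file wrapped with the staging key is readable
    # by everyone whose IAM policy grants kms:Decrypt on the staging key.
    for entry in sops_meta.get("kms") or []:
        if entry.get("arn") not in policy["kms_arns"]:
            findings.append(f"KMS key {entry.get('arn')} is not the {env} key")

    # Data-key age. SOPS stamps each kms/pgp entry with created_at when it wraps
    # the data key, so the key is at least as old as its oldest wrap. age entries
    # carry no timestamp; for age-only files lastmodified is the only clue, and
    # only a lower bound, since plain edits refresh it without rotating.
    stamps = [e["created_at"] for p in ("kms", "pgp")
              for e in (sops_meta.get(p) or []) if "created_at" in e]
    wrapped_at = min(map(_parse_ts, stamps)) if stamps else _parse_ts(sops_meta["lastmodified"])
    key_age = now - wrapped_at
    if key_age > MAX_KEY_AGE:
        findings.append(f"data key wrapped {key_age.days} days ago; quarterly rotation overdue")
    return findings


# Constructed sample metadata (enc payloads shortened; they are not inspected).
SAMPLE_PROD = {  # wrong key, stray age recipient, stale data key
    "kms": [{"arn": "arn:aws:kms:us-east-1:123456789:key/staging-key",
             "created_at": "2023-11-02T00:00:00Z", "enc": "AQICAHh...", "aws_profile": ""}],
    "age": [{"recipient": "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p",
             "enc": "-----BEGIN AGE ENCRYPTED FILE-----\n...\n-----END AGE ENCRYPTED FILE-----\n"}],
    "lastmodified": "2024-03-01T12:00:00Z",
    "mac": "ENC[AES256_GCM,data:...,type:str]",
    "version": "3.8.1",
}
SAMPLE_DEV = {  # compliant
    "age": [{"recipient": "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p",
             "enc": "-----BEGIN AGE ENCRYPTED FILE-----\n...\n-----END AGE ENCRYPTED FILE-----\n"}],
    "lastmodified": "2024-03-20T08:00:00Z",
    "mac": "ENC[AES256_GCM,data:...,type:str]",
    "version": "3.8.1",
}
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, meta, env in (("prod", SAMPLE_PROD, "prod"), ("dev", SAMPLE_DEV, "dev")):
        for finding in check_sops_metadata(meta, env, NOW) or ["compliant"]:
            print(f"{name}: {finding}")
```

In a real pipeline the `sops` block would be loaded from each `*.enc.*` file (YAML or JSON) and the environment derived from its path, the same way `.sops.yaml` does with `path_regex`; the rotation-age check is deliberately conservative and reports the oldest wrap, because `--add-kms` without `--rotate` adds a freshly timestamped entry around an unchanged data key.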