
In our current infrastructure for our product platform, we use helmfile for deployments and sops to manage and encrypt secrets across multiple environments. Helmfile provides a streamlined, declarative approach to deploying Helm charts, while sops encrypts the values in our secrets files so that they can be committed to version control without exposing them. By integrating with AWS KMS, sops decrypts those files transparently during deployments, so authorized DevOps engineers keep day-to-day access without the secrets ever being stored in clear text. The result is a single, auditable way to manage encrypted secrets across all environments.
Installing sops locally
Download the sops Binary: First, download the sops binary for your platform into your ~/bin directory (create the directory if it does not exist and make sure it is on your PATH). The project moved from the mozilla/sops repository to the getsops organization, and release tags and asset names carry a v prefix, so for version 3.9.0 on 64-bit Linux the command is:
curl -L -o ~/bin/sops "https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.linux.amd64"
Before trusting the binary, compare its SHA-256 digest against the checksum file published alongside the release; a tool that will later hold your decryption privileges is not something to install unverified.
Make the Binary Executable: After downloading sops, make the binary executable:
chmod +x ~/bin/sops
Verify the Installation: Confirm that the binary on your PATH is the one you just installed and that it reports the expected version:
sops --version
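The three steps above, as one added install script that is not part of the original article: it pins the version, downloads the binary together with the release's checksum file, refuses to install on a digest mismatch, and only then makes the binary executable. The asset names (sops-v&lt;version&gt;.linux.amd64 and sops-v&lt;version&gt;.checksums.txt under getsops/sops) and the RUN_INSTALL switch are assumptions of this example; the checksum helpers run offline on any file.

```shell
#!/usr/bin/env sh
# Added example, not from the original article: install a pinned sops release
# and verify the binary against the checksum file published with the release
# before making it executable. Assumed asset names: sops-v<ver>.linux.amd64
# and sops-v<ver>.checksums.txt under the getsops/sops release page.
set -eu

SOPS_VERSION="${SOPS_VERSION:-3.9.0}"
SOPS_BASE_URL="https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}"
SOPS_ASSET="sops-v${SOPS_VERSION}.linux.amd64"

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Look up the expected digest for ASSET in a checksums file of the
# "<hex>  <name>" form; prints nothing if the asset is not listed.
expected_digest() {
  checksums_file=$1; asset=$2
  awk -v name="$asset" '$2 == name { print $1 }' "$checksums_file"
}

# Succeed only when FILE's digest equals EXPECTED (hex, any case).
# An empty EXPECTED (asset missing from the checksum file) is a failure,
# not a pass: never treat "nothing to compare against" as verified.
verify_sha256() {
  file=$1; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$expected" ] && [ "$(sha256_of "$file")" = "$expected" ]
}

install_sops() {
  mkdir -p ~/bin
  tmp=$(mktemp -d)
  curl -fsSL -o "$tmp/$SOPS_ASSET" "$SOPS_BASE_URL/$SOPS_ASSET"
  curl -fsSL -o "$tmp/checksums.txt" "$SOPS_BASE_URL/sops-v${SOPS_VERSION}.checksums.txt"
  if ! verify_sha256 "$tmp/$SOPS_ASSET" "$(expected_digest "$tmp/checksums.txt" "$SOPS_ASSET")"; then
    echo "checksum mismatch for $SOPS_ASSET; refusing to install" >&2
    rm -rf "$tmp"
    return 1
  fi
  mv "$tmp/$SOPS_ASSET" ~/bin/sops
  chmod +x ~/bin/sops
  rm -rf "$tmp"
  ~/bin/sops --version
}

# Only hit the network when explicitly asked (RUN_INSTALL is this example's own switch).
if [ "${RUN_INSTALL:-0}" = "1" ]; then
  install_sops
fi
```

Run it as `RUN_INSTALL=1 sh install-sops.sh`; sourcing the file instead gives you `verify_sha256` for checking any other downloaded tool the same way.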
Configuring SOPS with AWS KMS
Now that sops is installed, we will configure it to use AWS KMS. sops can use KMS keys that live in other AWS accounts by assuming an IAM role before it calls KMS, so administrators can keep the key in a tightly controlled account and grant a less trusted environment (for example a CI runner or a development account) only the role it needs to encrypt and decrypt.
Log in to your AWS account and navigate to the KMS (Key Management Service) module. Start by creating a new KMS key by clicking on the Create key button:

Choose the Symmetric key type with the Encrypt and decrypt usage (this is what sops requires; it wraps its per-file data key with KMS Encrypt and Decrypt calls) and click Next. You can leave all other options at their defaults. In the Regionality section, select Single-Region or Multi-Region depending on your infrastructure: a multi-region key can be replicated so that deployments in other regions decrypt the same files without a cross-region KMS call.

Add an Alias and a Description for your AWS KMS key, then click Next.

Set the administrative permissions (who may manage the key) and the usage permissions (who may encrypt and decrypt with it) for the KMS key. Keep the two separate: the role your DevOps engineers and deployment pipeline use only needs kms:Encrypt and kms:Decrypt, not the ability to change the key policy or schedule the key for deletion:
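The console steps from the Create key button to the permissions page, as an added AWS CLI example that is not part of the original article, together with the .sops.yaml that ties sops to the new key via an assumed role (the cross-account mechanism described at the start of this section). The account id 123456789012, region eu-west-1, alias alias/sops-platform and the role names KmsAdmin (administrators) and sops-deploy (DevOps engineers) are hypothetical, and RUN_AWS is this example's own switch so that nothing calls AWS unless you ask.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): the AWS CLI equivalent of the
# console key-creation steps, plus the .sops.yaml that points sops at the key.
# Hypothetical values: account 123456789012, region eu-west-1,
# alias/sops-platform, roles KmsAdmin (manage the key) and sops-deploy (use it).
set -eu

# Key policy that separates key administration from key use. The admin role
# may manage the key but not decrypt with it; the usage role gets only the
# two calls sops makes (kms:Encrypt to wrap its data key, kms:Decrypt to
# unwrap it). The account root statement keeps the key manageable by IAM.
render_key_policy() {
  account_id=$1; admin_role=$2; usage_role=$3
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccountRoot",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "KeyAdministrators",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:role/${admin_role}" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:TagResource", "kms:UntagResource",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KeyUsers",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:role/${usage_role}" },
      "Action": [ "kms:Encrypt", "kms:Decrypt" ],
      "Resource": "*"
    }
  ]
}
EOF
}

# .sops.yaml creation rule: "<key ARN>+<role ARN>" tells sops to assume the
# role before calling KMS, which is how a key in a secure account serves a
# less trusted environment without that environment holding key permissions.
render_sops_config() {
  key_arn=$1; role_arn=$2
  cat <<EOF
creation_rules:
  - path_regex: environments/.*/secrets\.yaml$
    kms: "${key_arn}+${role_arn}"
EOF
}

# Console steps 1-4 as CLI calls: symmetric encrypt/decrypt key, single-region
# (swap --no-multi-region for --multi-region if you chose Multi-Region),
# alias and description, and the policy above as the permissions page.
create_sops_kms_key() {
  region=$1; account_id=$2; alias_name=$3
  policy_file=$(mktemp)
  render_key_policy "$account_id" KmsAdmin sops-deploy > "$policy_file"
  key_arn=$(aws kms create-key --region "$region" \
    --description "sops secrets for the product platform" \
    --key-usage ENCRYPT_DECRYPT --key-spec SYMMETRIC_DEFAULT \
    --no-multi-region \
    --policy "file://$policy_file" \
    --query KeyMetadata.Arn --output text)
  rm -f "$policy_file"
  aws kms create-alias --region "$region" \
    --alias-name "$alias_name" --target-key-id "$key_arn"
  render_sops_config "$key_arn" "arn:aws:iam::${account_id}:role/sops-deploy" > .sops.yaml
  echo "$key_arn"
}

if [ "${RUN_AWS:-0}" = "1" ]; then
  create_sops_kms_key eu-west-1 123456789012 alias/sops-platform
  # With .sops.yaml in place, encrypting a matching file needs no flags:
  sops --encrypt --in-place environments/prod/secrets.yaml
fi
```

Anyone holding only the sops-deploy role can then run `sops environments/prod/secrets.yaml` to edit the file in place, while rotating or deleting the key stays with KmsAdmin; helmfile picks up the same .sops.yaml when it decrypts values during a deployment.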