# Create a resource group if you do not have one:
$ az group create --name sops-rg --location westeurope
# Key Vault names are globally unique, so generate one:
$ keyvault_name=sops-$(uuidgen | tr -d - | head -c 16)
# Create a Vault, a key, and give the service principal access:
$ az keyvault create --name $keyvault_name --resource-group sops-rg --location westeurope
$ az keyvault key create --name sops-key --vault-name $keyvault_name --protection software --ops encrypt decrypt
$ az keyvault set-policy --name $keyvault_name --resource-group sops-rg --spn $AZURE_CLIENT_ID \
    --key-permissions encrypt decrypt
# Read back the key id, which is what sops needs:
$ az keyvault key show --name sops-key --vault-name $keyvault_name --query key.kid

Now you can encrypt a file using:

$ sops --encrypt --azure-kv <key id printed by the previous command> test.yaml > <encrypted output file>

We assume you have an instance (or more) of Vault running and you have privileged access to it. For instructions on how to deploy a secure instance of Vault, refer to Hashicorp's official documentation.

To easily deploy Vault locally: (DO NOT DO THIS FOR PRODUCTION!!!)

$ # Substitute this with the address Vault is running on
$ export VAULT_ADDR=<address Vault is running on>

$ # this may not be necessary in case you previously used `vault login` for production use
$ export VAULT_TOKEN=<your Vault token>

$ # to check if Vault started and is configured correctly
$ vault status
...
Cluster ID      e532e461-e8f0-1352-8a41-fc7c11096908
...

$ # It is required to enable a transit engine if not already done (It is suggested to create a transit engine specifically for sops, in which it is possible to have multiple keys with various permission levels)
$ vault secrets enable -path=sops transit
Success! Enabled the transit secrets engine at: sops/

$ # Then create one or more keys
$ vault write sops/keys/firstkey type=rsa-4096
Success! Data written to: sops/keys/firstkey
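Once a file has been encrypted with either backend, sops records the master keys it used in the file's `sops:` metadata block, and reviewing that block is how you confirm a committed secret is bound to the Key Vault key and the transit key set up above rather than to some other key. The shell script below is an added example, not code from the original page or from the sops project: it parses that block from a constructed sample file and checks the bindings. The sample file, its vault name, the placeholder key version and the function names (`write_sample`, `azure_keys`, `vault_keys`, `check_bindings`) are constructed for this example; the field names (`azure_kv` with `vault_url`/`name`, `hc_vault` with `vault_address`/`engine_path`/`key_name`) are the ones sops writes for these two backends, and the script assumes they appear in that order within each entry.

```shell
#!/bin/sh
# Added example (not from the page or from sops): audit the "sops:" metadata
# block of an encrypted YAML file and confirm the file is bound to the
# expected Azure Key Vault key and Vault transit key.
#
# Assumptions: the metadata field names are the ones sops writes for the two
# backends (azure_kv: vault_url/name/version, hc_vault: vault_address/
# engine_path/key_name) and the fields appear in that order inside each entry.
# The sample file, vault name and key version below are constructed.

SAMPLE_FILE="${TMPDIR:-/tmp}/sops-audit-sample.enc.yaml"

# Write a constructed sops-encrypted file; the ciphertext fields are dummies.
write_sample() {
    cat > "$SAMPLE_FILE" <<'EOF'
db_password: ENC[AES256_GCM,data:CONSTRUCTED,iv:CONSTRUCTED,tag:CONSTRUCTED,type:str]
sops:
    azure_kv:
        - vault_url: https://sops-0123456789abcdef.vault.azure.net
          name: sops-key
          version: PLACEHOLDER-KEY-VERSION
          created_at: "2024-01-01T00:00:00Z"
          enc: CONSTRUCTED
    hc_vault:
        - vault_address: http://127.0.0.1:8200
          engine_path: sops
          key_name: firstkey
          created_at: "2024-01-01T00:00:00Z"
          enc: CONSTRUCTED
EOF
}

# Print "<vault_url> <key name>" for each Azure Key Vault master key in file $1.
azure_keys() {
    awk '
        /^sops:/ { in_sops = 1; next }
        # Four-space-indented keys under "sops:" name a backend section.
        in_sops && /^    [a-z_]+:/ { section = $1; sub(/:$/, "", section); next }
        in_sops && section == "azure_kv" && /vault_url:/ { url = $NF }
        in_sops && section == "azure_kv" && /(^|[[:space:]])name:/ { print url, $NF }
    ' "$1"
}

# Print "<vault_address> <engine_path> <key_name>" for each Vault transit key in file $1.
vault_keys() {
    awk '
        /^sops:/ { in_sops = 1; next }
        in_sops && /^    [a-z_]+:/ { section = $1; sub(/:$/, "", section); next }
        in_sops && section == "hc_vault" && /vault_address:/ { addr = $NF }
        in_sops && section == "hc_vault" && /engine_path:/   { path = $NF }
        in_sops && section == "hc_vault" && /key_name:/      { print addr, path, $NF }
    ' "$1"
}

# Return 0 only when the file's master keys are exactly the expected ones.
# $2 is "<vault_url> <key name>", $3 is "<vault_address> <engine_path> <key_name>".
check_bindings() {
    [ "$(azure_keys "$1")" = "$2" ] && [ "$(vault_keys "$1")" = "$3" ]
}

# Stand-alone usage: write the sample and report what it is bound to.
write_sample
echo "Azure Key Vault keys: $(azure_keys "$SAMPLE_FILE")"
echo "Vault transit keys:   $(vault_keys "$SAMPLE_FILE")"
if check_bindings "$SAMPLE_FILE" \
        "https://sops-0123456789abcdef.vault.azure.net sops-key" \
        "http://127.0.0.1:8200 sops firstkey"; then
    echo "OK: file is bound to the expected master keys"
else
    echo "WARNING: unexpected master key binding" >&2
fi
```

Run against a real encrypted file by pointing `azure_keys`/`vault_keys` at it instead of `$SAMPLE_FILE`; a file listing a vault URL or transit key you did not provision is the case worth stopping a merge for.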