This repository was archived by the owner on Feb 3, 2026. It is now read-only.

[FEATURE REQUEST] File encryption functionality for storing encrypted files on git  #125

@mldev94

Description

File encryption functionality for storing encrypted files using k8t would be very similar to "ansible-vault" and how "ansible" works.

Not every file needs to be encrypted, but if there is something that needs to be encrypted while the data is at rest, this feature can be super useful.

  • For the encrypted files, k8t would "automatically" decrypt the encrypted ".yaml.j2.enc" files in "memory" while generating the final "yaml" with "k8t gen -e production". If the file doesn't end with ".enc", it wouldn't decrypt; it would just use the file as-is.

so that we could use a command like this below to run final "yaml" file on kubectl without revealing the decrypted files anywhere on the disk since everything would be done in-memory:

k8t gen -e production | kubectl apply -f -


There would be three commands for editing or viewing encrypted files if any manual operation is needed without "generating" anything with "k8t gen", or when we need to edit files.

  • k8t-vault init ~/.my-secrets/k8t-key # creates the initial key that would be used for all the k8t-vault and k8t operations.
  • that key's location can be provided in config.yml. k8t wouldn't be able to decrypt and do "k8t gen" without the key existing in that location
  • k8t-vault encrypt ./repository/filename.yaml
  • k8t-vault edit ./repository/filename.yaml.enc # opens the default text editor ("vi", "nano") by decrypting into a tmp directory, then encrypting and putting it back to "./repository/filename.yaml.enc" and deleting the decrypted file in that tmp directory on save.
  • k8t-vault decrypt ./repository/filename.yaml.enc

With that encryption key "k8t" created once at first while initializing the k8t directory, the developers can share that key outside of the git repository (through encrypted e-mail, Slack, or any other secure method).

That key can be used by anyone who pulls the git repo of the project and lets them decrypt those files automatically while using "k8t gen" to create the final "yaml" files.

Other than that, files would stay encrypted while the data is at-rest on git repositories and would look like this:

---some-secret.j2.yaml.enc:
$ANSIBLE_VAULT;1.1;AES256
      62313365396662343061393464336163383764373764613633653634306231386433626436623361
      6134333665353966363534333632666535333761666131620a663537646436643839616531643561
      63396265333966386166373632626539326166353965363262633030333630313338646335303630
      3438626666666137650a353638643435666633633964366338633066623234616432373231333331
      6564

This example is from ansible, but "ANSIBLE_VAULT" can become "K8T_VAULT" as an identifier for this feature.

Whenever any of the encrypted files are pushed to a git repository, they would be pushed encrypted.
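As an added sketch of the proposed file format (example code written for this page, not k8t's own code, which has no vault feature at the time of this issue): a K8T_VAULT-style container in Go's standard library. Assumptions beyond the issue text: the cipher is AES-256-GCM (the issue only says AES256), the key file holds 32 raw bytes, the body is one hex line rather than wrapped lines, and the header line is bound as associated data so a swapped header or an edited body fails authentication instead of silently decrypting to garbage; "k8t gen" would route any input whose name ends in ".enc" through Decrypt and stream the result in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"strings"
)

const vaultHeader = "$K8T_VAULT;1.1;AES256GCM" // proposed identifier; the AES256GCM label is an assumption

// newGCM builds an AES-256-GCM AEAD from the contents of the shared key file.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("k8t-vault key must be exactly 32 bytes")
	}
	block, _ := aes.NewCipher(key) // cannot fail once the length is 32
	return cipher.NewGCM(block)
}

// Encrypt emits the header plus hex(nonce || ciphertext || tag); the header is bound as AAD.
func Encrypt(key, plaintext []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(vaultHeader))
	return vaultHeader + "\n" + hex.EncodeToString(sealed) + "\n", nil
}

// Decrypt fails on a foreign header, a wrong key, or any edit to the body (GCM tag check).
func Decrypt(key []byte, vault string) ([]byte, error) {
	header, body, ok := strings.Cut(strings.TrimSpace(vault), "\n")
	if !ok || strings.TrimSpace(header) != vaultHeader {
		return nil, errors.New("not a k8t vault file")
	}
	raw, err := hex.DecodeString(strings.TrimSpace(body))
	gcm, gerr := newGCM(key)
	if err != nil || gerr != nil || len(raw) < gcm.NonceSize() {
		return nil, errors.New("malformed vault body or bad key")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(vaultHeader))
}
```

A fresh random nonce per Encrypt call means re-encrypting an unchanged file still produces a different blob, so a git diff of an ".enc" file only shows that it changed, not what changed.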
