getsops
diff --git a/‎cmd/sops/main.go‎
Lines changed: 81 additions & 12 deletions b/‎cmd/sops/main.go‎
Lines changed: 81 additions & 12 deletions
diff --git a/‎config/config.go‎
Lines changed: 37 additions & 8 deletions b/‎config/config.go‎
Lines changed: 37 additions & 8 deletions
diff --git a/‎go.mod‎
Lines changed: 4 additions & 1 deletion b/‎go.mod‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 8 additions & 2 deletions b/‎go.sum‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎keyservice/keyservice.go‎
Lines changed: 9 additions & 0 deletions b/‎keyservice/keyservice.go‎
Lines changed: 9 additions & 0 deletions
@@ -36,6 +36,7 @@ import (
 	"github.com/getsops/sops/v3/gcpkms"
 	"github.com/getsops/sops/v3/hckms"
 	"github.com/getsops/sops/v3/hcvault"
+	"github.com/getsops/sops/v3/stackitkms"
 	"github.com/getsops/sops/v3/keys"
 	"github.com/getsops/sops/v3/keyservice"
 	"github.com/getsops/sops/v3/kms"
@@ -91,14 +92,14 @@ func main() {
 		},
 	}
 	app.Name = "sops"
-	app.Usage = "sops - encrypted file editor with AWS KMS, GCP KMS, HuaweiCloud KMS, Azure Key Vault, age, and GPG support"
+	app.Usage = "sops - encrypted file editor with AWS KMS, GCP KMS, HuaweiCloud KMS, STACKIT KMS, Azure Key Vault, age, and GPG support"
 	app.ArgsUsage = "sops [options] file"
 	app.Version = version.Version
 	app.Authors = []cli.Author{
 		{Name: "CNCF Maintainers"},
 	}
-	app.UsageText = `sops is an editor of encrypted files that supports AWS KMS, GCP, HuaweiCloud KMS, AZKV,
-	PGP, and Age
+	app.UsageText = `sops is an editor of encrypted files that supports AWS KMS, GCP, HuaweiCloud KMS, STACKIT KMS,
+	AZKV, PGP, and Age
 
    To encrypt or decrypt a document with AWS KMS, specify the KMS ARN
    in the -k flag or in the SOPS_KMS_ARN environment variable.
@@ -117,6 +118,12 @@ func main() {
     HUAWEICLOUD_SDK_AK, HUAWEICLOUD_SDK_SK, HUAWEICLOUD_SDK_PROJECT_ID, or
     use credentials file at ~/.huaweicloud/credentials)
 
+   To encrypt or decrypt a document with STACKIT KMS, specify the
+   STACKIT KMS resource ID in the --stackit-kms flag or in the
+   SOPS_STACKIT_KMS_IDS environment variable.
+   (Authentication is handled by the STACKIT SDK via environment variables,
+    service account key files, or credentials file at ~/.stackit/credentials.json)
+
    To encrypt or decrypt a document with HashiCorp Vault's Transit Secret
    Engine, specify the Vault key URI name in the --hc-vault-transit flag
    or in the SOPS_VAULT_URIS environment variable (for example
@@ -142,12 +149,12 @@ func main() {
    To use multiple KMS or PGP keys, separate them by commas. For example:
        $ sops -p "10F2...0A, 85D...B3F21" file.yaml
 
-   The -p, -k, --gcp-kms, --hckms, --hc-vault-transit, and --azure-kv flags are only
+   The -p, -k, --gcp-kms, --hckms, --stackit-kms, --hc-vault-transit, and --azure-kv flags are only
    used to encrypt new documents. Editing or decrypting existing documents
    can be done with "sops file" or "sops decrypt file" respectively. The KMS and
    PGP keys listed in the encrypted documents are used then. To manage master
-   keys in existing documents, use the "add-{kms,pgp,gcp-kms,hckms,azure-kv,hc-vault-transit}"
-   and "rm-{kms,pgp,gcp-kms,hckms,azure-kv,hc-vault-transit}" flags with --rotate
+   keys in existing documents, use the "add-{kms,pgp,gcp-kms,hckms,stackit-kms,azure-kv,hc-vault-transit}"
+   and "rm-{kms,pgp,gcp-kms,hckms,stackit-kms,azure-kv,hc-vault-transit}" flags with --rotate
    or the updatekeys command.
 
    To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC.
@@ -582,6 +589,10 @@ func main() {
 							Name:  "hckms",
 							Usage: "the HuaweiCloud KMS key ID (format: region:key-uuid) the new group should contain. Can be specified more than once",
 						},
+						cli.StringSliceFlag{
+							Name:  "stackit-kms",
+							Usage: "the STACKIT KMS resource ID the new group should contain. Can be specified more than once",
+						},
 						cli.StringSliceFlag{
 							Name:  "azure-kv",
 							Usage: "the Azure Key Vault key URL the new group should contain. Can be specified more than once",
@@ -635,6 +646,15 @@ func main() {
 							}
 							group = append(group, k)
 						}
+						stackitKmsIds := c.StringSlice("stackit-kms")
+						for _, resID := range stackitKmsIds {
+							k, err := stackitkms.NewMasterKey(resID)
+							if err != nil {
+								log.WithError(err).Error("Failed to add key")
+								continue
+							}
+							group = append(group, k)
+						}
 						for _, url := range azkvs {
 							k, err := azkv.NewMasterKeyFromURL(url)
 							if err != nil {
@@ -950,6 +970,11 @@ func main() {
 					Usage:  "comma separated list of HuaweiCloud KMS key IDs (format: region:key-uuid)",
 					EnvVar: "SOPS_HUAWEICLOUD_KMS_IDS",
 				},
+				cli.StringFlag{
+					Name:   "stackit-kms",
+					Usage:  "comma separated list of STACKIT KMS resource IDs",
+					EnvVar: "SOPS_STACKIT_KMS_IDS",
+				},
 				cli.StringFlag{
 					Name:   "azure-kv",
 					Usage:  "comma separated list of Azure Key Vault URLs",
@@ -1143,6 +1168,14 @@ func main() {
 					Name:  "rm-hckms",
 					Usage: "remove the provided comma-separated list of HuaweiCloud KMS key IDs (format: region:key-uuid) from the list of master keys on the given file",
 				},
+				cli.StringFlag{
+					Name:  "add-stackit-kms",
+					Usage: "add the provided comma-separated list of STACKIT KMS resource IDs to the list of master keys on the given file",
+				},
+				cli.StringFlag{
+					Name:  "rm-stackit-kms",
+					Usage: "remove the provided comma-separated list of STACKIT KMS resource IDs from the list of master keys on the given file",
+				},
 				cli.StringFlag{
 					Name:  "add-azure-kv",
 					Usage: "add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys on the given file",
@@ -1209,8 +1242,8 @@ func main() {
 					return toExitError(err)
 				}
 				if _, err := os.Stat(fileName); os.IsNotExist(err) {
-					if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-hckms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" ||
-						c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hckms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" {
+					if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-hckms") != "" || c.String("add-stackit-kms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" ||
+						c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hckms") != "" || c.String("rm-stackit-kms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" {
 						return common.NewExitError(fmt.Sprintf("Error: cannot add or remove keys on non-existent file %q, use the `edit` subcommand instead.", fileName), codes.CannotChangeKeysFromNonExistentFile)
 					}
 				}
@@ -1301,6 +1334,11 @@ func main() {
 					Usage:  "comma separated list of HuaweiCloud KMS key IDs (format: region:key-uuid)",
 					EnvVar: "SOPS_HUAWEICLOUD_KMS_IDS",
 				},
+				cli.StringFlag{
+					Name:   "stackit-kms",
+					Usage:  "comma separated list of STACKIT KMS resource IDs",
+					EnvVar: "SOPS_STACKIT_KMS_IDS",
+				},
 				cli.StringFlag{
 					Name:   "azure-kv",
 					Usage:  "comma separated list of Azure Key Vault URLs",
@@ -1714,6 +1752,11 @@ func main() {
 			Usage:  "comma separated list of HuaweiCloud KMS key IDs (format: region:key-uuid)",
 			EnvVar: "SOPS_HUAWEICLOUD_KMS_IDS",
 		},
+		cli.StringFlag{
+			Name:   "stackit-kms",
+			Usage:  "comma separated list of STACKIT KMS resource IDs",
+			EnvVar: "SOPS_STACKIT_KMS_IDS",
+		},
 		cli.StringFlag{
 			Name:   "azure-kv",
 			Usage:  "comma separated list of Azure Key Vault URLs",
@@ -1770,6 +1813,14 @@ func main() {
 			Name:  "rm-hckms",
 			Usage: "remove the provided comma-separated list of HuaweiCloud KMS key IDs (format: region:key-uuid) from the list of master keys on the given file",
 		},
+		cli.StringFlag{
+			Name:  "add-stackit-kms",
+			Usage: "add the provided comma-separated list of STACKIT KMS resource IDs to the list of master keys on the given file",
+		},
+		cli.StringFlag{
+			Name:  "rm-stackit-kms",
+			Usage: "remove the provided comma-separated list of STACKIT KMS resource IDs from the list of master keys on the given file",
+		},
 		cli.StringFlag{
 			Name:  "add-azure-kv",
 			Usage: "add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys on the given file",
@@ -2235,7 +2286,7 @@ func getEncryptConfig(c *cli.Context, fileName string, inputStore common.Store,
 	}, nil
 }
 
-func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsOptionName string, pgpOptionName string, gcpKmsOptionName string, hckmsOptionName string, azureKvOptionName string, hcVaultTransitOptionName string, ageOptionName string) ([]keys.MasterKey, error) {
+func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsOptionName string, pgpOptionName string, gcpKmsOptionName string, hckmsOptionName string, stackitKmsOptionName string, azureKvOptionName string, hcVaultTransitOptionName string, ageOptionName string) ([]keys.MasterKey, error) {
 	var masterKeys []keys.MasterKey
 	for _, k := range kms.MasterKeysFromArnString(c.String(kmsOptionName), kmsEncryptionContext, c.String("aws-profile")) {
 		masterKeys = append(masterKeys, k)
@@ -2253,6 +2304,13 @@ func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsO
 	for _, k := range hckmsKeys {
 		masterKeys = append(masterKeys, k)
 	}
+	stackitKmsKeys, err := stackitkms.NewMasterKeyFromResourceIDString(c.String(stackitKmsOptionName))
+	if err != nil {
+		return nil, err
+	}
+	for _, k := range stackitKmsKeys {
+		masterKeys = append(masterKeys, k)
+	}
 	azureKeys, err := azkv.MasterKeysFromURLs(c.String(azureKvOptionName))
 	if err != nil {
 		return nil, err
@@ -2279,11 +2337,11 @@ func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsO
 
 func getRotateOpts(c *cli.Context, fileName string, inputStore common.Store, outputStore common.Store, svcs []keyservice.KeyServiceClient, decryptionOrder []string) (rotateOpts, error) {
 	kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
-	addMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "add-kms", "add-pgp", "add-gcp-kms", "add-hckms", "add-azure-kv", "add-hc-vault-transit", "add-age")
+	addMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "add-kms", "add-pgp", "add-gcp-kms", "add-hckms", "add-stackit-kms", "add-azure-kv", "add-hc-vault-transit", "add-age")
 	if err != nil {
 		return rotateOpts{}, err
 	}
-	rmMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "rm-kms", "rm-pgp", "rm-gcp-kms", "rm-hckms", "rm-azure-kv", "rm-hc-vault-transit", "rm-age")
+	rmMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "rm-kms", "rm-pgp", "rm-gcp-kms", "rm-hckms", "rm-stackit-kms", "rm-azure-kv", "rm-hc-vault-transit", "rm-age")
 	if err != nil {
 		return rotateOpts{}, err
 	}
@@ -2432,6 +2490,7 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so
 	var azkvKeys []keys.MasterKey
 	var hcVaultMkKeys []keys.MasterKey
 	var hckmsMkKeys []keys.MasterKey
+	var stackitKmsMkKeys []keys.MasterKey
 	var ageMasterKeys []keys.MasterKey
 	kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
 	if c.String("encryption-context") != "" && kmsEncryptionContext == nil {
@@ -2456,6 +2515,15 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so
 			hckmsMkKeys = append(hckmsMkKeys, k)
 		}
 	}
+	if c.String("stackit-kms") != "" {
+		stackitKmsKeys, err := stackitkms.NewMasterKeyFromResourceIDString(c.String("stackit-kms"))
+		if err != nil {
+			return nil, err
+		}
+		for _, k := range stackitKmsKeys {
+			stackitKmsMkKeys = append(stackitKmsMkKeys, k)
+		}
+	}
 	if c.String("azure-kv") != "" {
 		azureKeys, err := azkv.MasterKeysFromURLs(c.String("azure-kv"))
 		if err != nil {
@@ -2488,7 +2556,7 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so
 			ageMasterKeys = append(ageMasterKeys, k)
 		}
 	}
-	if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("hckms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" && c.String("age") == "" {
+	if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("hckms") == "" && c.String("stackit-kms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" && c.String("age") == "" {
 		conf := optionalConfig
 		var err error
 		if conf == nil {
@@ -2508,6 +2576,7 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so
 	group = append(group, kmsKeys...)
 	group = append(group, cloudKmsKeys...)
 	group = append(group, hckmsMkKeys...)
+	group = append(group, stackitKmsMkKeys...)
 	group = append(group, azkvKeys...)
 	group = append(group, pgpKeys...)
 	group = append(group, hcVaultMkKeys...)
 
@@ -19,6 +19,7 @@ import (
 	"github.com/getsops/sops/v3/hcvault"
 	"github.com/getsops/sops/v3/kms"
 	"github.com/getsops/sops/v3/pgp"
+	"github.com/getsops/sops/v3/stackitkms"
 	"github.com/getsops/sops/v3/publish"
 	"go.yaml.in/yaml/v3"
 )
@@ -130,14 +131,15 @@ type configFile struct {
 }
 
 type keyGroup struct {
-	Merge   []keyGroup   `yaml:"merge"`
-	KMS     []kmsKey     `yaml:"kms"`
-	GCPKMS  []gcpKmsKey  `yaml:"gcp_kms"`
-	HCKms   []hckmsKey   `yaml:"hckms"`
-	AzureKV []azureKVKey `yaml:"azure_keyvault"`
-	Vault   []string     `yaml:"hc_vault"`
-	Age     []string     `yaml:"age"`
-	PGP     []string     `yaml:"pgp"`
+	Merge     []keyGroup      `yaml:"merge"`
+	KMS       []kmsKey        `yaml:"kms"`
+	GCPKMS    []gcpKmsKey     `yaml:"gcp_kms"`
+	HCKms     []hckmsKey      `yaml:"hckms"`
+	StackitKms []stackitKmsKey `yaml:"stackit_kms"`
+	AzureKV   []azureKVKey    `yaml:"azure_keyvault"`
+	Vault     []string        `yaml:"hc_vault"`
+	Age       []string        `yaml:"age"`
+	PGP       []string        `yaml:"pgp"`
 }
 
 type gcpKmsKey struct {
@@ -161,6 +163,10 @@ type hckmsKey struct {
 	KeyID string `yaml:"key_id"`
 }
 
+type stackitKmsKey struct {
+	ResourceID string `yaml:"resource_id"`
+}
+
 type destinationRule struct {
 	PathRegex        string       `yaml:"path_regex"`
 	S3Bucket         string       `yaml:"s3_bucket"`
@@ -183,6 +189,7 @@ type creationRule struct {
 	PGP                     interface{} `yaml:"pgp"`     // string or []string
 	GCPKMS                  interface{} `yaml:"gcp_kms"` // string or []string
 	HCKms                   []string    `yaml:"hckms"`
+	StackitKms              interface{} `yaml:"stackit_kms"` // string or []string
 	AzureKeyVault           interface{} `yaml:"azure_keyvault"`       // string or []string
 	VaultURI                interface{} `yaml:"hc_vault_transit_uri"` // string or []string
 	KeyGroups               []keyGroup  `yaml:"key_groups"`
@@ -213,6 +220,10 @@ func (c *creationRule) GetGCPKMSKeys() ([]string, error) {
 	return parseKeyField(c.GCPKMS, "gcp_kms")
 }
 
+func (c *creationRule) GetStackitKmsKeys() ([]string, error) {
+	return parseKeyField(c.StackitKms, "stackit_kms")
+}
+
 func (c *creationRule) GetAzureKeyVaultKeys() ([]string, error) {
 	return parseKeyField(c.AzureKeyVault, "azure_keyvault")
 }
@@ -343,6 +354,13 @@ func extractMasterKeys(group keyGroup) (sops.KeyGroup, error) {
 		}
 		keyGroup = append(keyGroup, key)
 	}
+	for _, k := range group.StackitKms {
+		key, err := stackitkms.NewMasterKey(k.ResourceID)
+		if err != nil {
+			return nil, err
+		}
+		keyGroup = append(keyGroup, key)
+	}
 	for _, k := range group.AzureKV {
 		if key, err := azkv.NewMasterKeyWithOptionalVersion(k.VaultURL, k.Key, k.Version); err == nil {
 			keyGroup = append(keyGroup, key)
@@ -423,6 +441,17 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
 		for _, k := range hckmsMasterKeys {
 			keyGroup = append(keyGroup, k)
 		}
+		stackitKmsKeys, err := getKeysWithValidation(cRule.GetStackitKmsKeys, "stackit_kms")
+		if err != nil {
+			return nil, err
+		}
+		stackitKmsMasterKeys, err := stackitkms.NewMasterKeyFromResourceIDString(strings.Join(stackitKmsKeys, ","))
+		if err != nil {
+			return nil, err
+		}
+		for _, k := range stackitKmsMasterKeys {
+			keyGroup = append(keyGroup, k)
+		}
 		azKeys, err := getKeysWithValidation(cRule.GetAzureKeyVaultKeys, "azure_keyvault")
 		if err != nil {
 			return nil, err
 
@@ -32,6 +32,8 @@ require (
 	github.com/ory/dockertest/v3 v3.12.0
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.4
+	github.com/stackitcloud/stackit-sdk-go/core v0.22.0
+	github.com/stackitcloud/stackit-sdk-go/services/kms v1.3.2
 	github.com/stretchr/testify v1.11.1
 	github.com/urfave/cli v1.22.17
 	go.yaml.in/yaml/v3 v3.0.4
@@ -103,7 +105,8 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/goccy/go-yaml v1.9.8 // indirect
-	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
 
@@ -184,8 +184,10 @@ github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9L
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/goccy/go-yaml v1.9.8 h1:5gMyLUeU1/6zl+WFfR1hN7D2kf+1/eRGa7DFtToiBvQ=
 github.com/goccy/go-yaml v1.9.8/go.mod h1:JubOolP3gh0HpiBc4BLRD4YmjEjHAmIIB2aaXKkTfoE=
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -318,6 +320,10 @@ github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w
 github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo=
 github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs=
+github.com/stackitcloud/stackit-sdk-go/core v0.22.0 h1:6rViz7GnNwXSh51Lur5xuDzO8EWSZfN9J0HvEkBKq6c=
+github.com/stackitcloud/stackit-sdk-go/core v0.22.0/go.mod h1:osMglDby4csGZ5sIfhNyYq1bS1TxIdPY88+skE/kkmI=
+github.com/stackitcloud/stackit-sdk-go/services/kms v1.3.2 h1:2ulSL2IkIAKND59eAjbEhVkOoBMyvm48ojwz1a3t0U0=
+github.com/stackitcloud/stackit-sdk-go/services/kms v1.3.2/go.mod h1:cuIaMMiHeHQsbvy7BOFMutoV3QtN+ZBx7Tg3GmYUw7s=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 
@@ -15,6 +15,7 @@ import (
 	"github.com/getsops/sops/v3/keys"
 	"github.com/getsops/sops/v3/kms"
 	"github.com/getsops/sops/v3/pgp"
+	"github.com/getsops/sops/v3/stackitkms"
 )
 
 // KeyFromMasterKey converts a SOPS internal MasterKey to an RPC Key that can be serialized with Protocol Buffers
@@ -87,6 +88,14 @@ func KeyFromMasterKey(mk keys.MasterKey) Key {
 				},
 			},
 		}
+	case *stackitkms.MasterKey:
+		return Key{
+			KeyType: &Key_StackitKmsKey{
+				StackitKmsKey: &StackitKmsKey{
+					ResourceId: mk.ResourceID,
+				},
+			},
+		}
 	default:
 		panic(fmt.Sprintf("Tried to convert unknown MasterKey type %T to keyservice.Key", mk))
 	}