@@ -596,13 +596,63 @@ You can also configure HuaweiCloud KMS keys in the ``.sops.yaml`` config file:
596596 hckms:
597597 - tr-west-1:abc12345-6789-0123-4567-890123456789,tr-west-2:def67890-1234-5678-9012-345678901234
598598
599+ Encrypting using Tencent Cloud KMS
600+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
601+
602+ The Tencent Cloud KMS integration requires credentials to be provided through
603+ environment variables:
604+
605+ .. code:: bash
606+
607+ export TENCENTCLOUD_SECRET_ID="your-secret-id"
608+ export TENCENTCLOUD_SECRET_KEY="your-secret-key"
609+ # Optional: for temporary credentials (STS)
610+ export TENCENTCLOUD_TOKEN="your-sts-token"
611+ # Optional: specify region (default: ap-guangzhou)
612+ export TENCENTCLOUD_REGION="ap-guangzhou"
613+ # Optional: custom KMS endpoint (default: kms.tencentcloudapi.com)
614+ # For CVM or TKE environments, use the internal endpoint for better performance:
615+ # export TENCENTCLOUD_KMS_ENDPOINT="kms.internal.tencentcloudapi.com"
616+ export TENCENTCLOUD_KMS_ENDPOINT="kms.tencentcloudapi.com"
617+
618+ Encrypting/decrypting with Tencent Cloud KMS requires a KMS key ID. You can get
619+ the key ID from the Tencent Cloud console or using the Tencent Cloud API.
620+
621+ Now you can encrypt a file using:
622+
623+ .. code:: sh
624+
625+ $ sops encrypt --tencent-kms xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx test.yaml > test.enc.yaml
626+
627+ Or using the environment variable:
628+
629+ .. code:: sh
630+
631+ $ export SOPS_TENCENT_KMS_IDS="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
632+ $ sops encrypt test.yaml > test.enc.yaml
633+
634+ And decrypt it using:
635+
636+ .. code:: sh
637+
638+ $ sops decrypt test.enc.yaml
639+
640+ You can also configure Tencent Cloud KMS keys in the ``.sops.yaml`` config file:
641+
642+ .. code:: yaml
643+
644+ creation_rules:
645+ - path_regex: \.tencent\.yaml$
646+ tencent_kms:
647+ - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
648+
599649Adding and removing keys
600650~~~~~~~~~~~~~~~~~~~~~~~~
601651
602652When creating new files, ``sops`` uses the PGP, KMS and GCP KMS defined in the
603- command line arguments ``--kms``, ``--pgp``, ``--gcp-kms``, ``--hckms`` or ``--azure-kv``, or from
653+ command line arguments ``--kms``, ``--pgp``, ``--gcp-kms``, ``--hckms``, ``--tencent-kms`` or ``--azure-kv``, or from
604654the environment variables ``SOPS_KMS_ARN``, ``SOPS_PGP_FP``, ``SOPS_GCP_KMS_IDS``,
605- ``SOPS_HUAWEICLOUD_KMS_IDS``, ``SOPS_AZURE_KEYVAULT_URLS``. That information is stored in the file under the
655+ ``SOPS_HUAWEICLOUD_KMS_IDS``, ``SOPS_TENCENT_KMS_IDS``, `` SOPS_AZURE_KEYVAULT_URLS``. That information is stored in the file under the
606656``sops`` section, such that decrypting files does not require providing those
607657parameters again.
608658
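Review bot: the inline literal `` SOPS_AZURE_KEYVAULT_URLS`` on the line starting "``SOPS_HUAWEICLOUD_KMS_IDS``, ``SOPS_TENCENT_KMS_IDS``" has a space after the opening double backticks, so reStructuredText will not render it as a literal (and will likely emit a warning); drop the space so it reads ``SOPS_AZURE_KEYVAULT_URLS``, as on the replaced line. Two smaller points in the new section: the Tencent key ID is a bare UUID with no region component (contrast the hckms form ``tr-west-1:abc12345-...``), so whoever decrypts must have ``TENCENTCLOUD_REGION`` set to the region the key lives in or the client silently falls back to ``ap-guangzhou``; a sentence to that effect after "requires a KMS key ID" would save users a confusing decryption failure. And the last line of the environment block, ``export TENCENTCLOUD_KMS_ENDPOINT="kms.tencentcloudapi.com"``, sets the variable to its own documented default, which undercuts the "Optional" comment above it; commenting it out like the internal-endpoint line, or dropping it, reads more clearly.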
@@ -646,9 +696,9 @@ disabled by supplying the ``-y`` flag.
646696
647697The ``rotate`` command generates a new data encryption key and reencrypt all values
648698with the new key. At the same time, the command line flag ``--add-kms``, ``--add-pgp``,
649- ``--add-gcp-kms``, ``--add-hckms``, ``--add-azure-kv``, ``--rm-kms``, ``--rm-pgp``, ``--rm-gcp-kms``,
650- ``--rm-hckms`` and ``--rm-azure-kv`` can be used to add and remove keys from a file. These flags use
651- the comma separated syntax as the ``--kms``, ``--pgp``, ``--gcp-kms``, ``--hckms`` and ``--azure-kv``
699+ ``--add-gcp-kms``, ``--add-hckms``, ``--add-tencent-kms``, ``--add- azure-kv``, ``--rm-kms``, ``--rm-pgp``, ``--rm-gcp-kms``,
700+ ``--rm-hckms``, ``--rm-tencent-kms`` and ``--rm-azure-kv`` can be used to add and remove keys from a file. These flags use
701+ the comma separated syntax as the ``--kms``, ``--pgp``, ``--gcp-kms``, ``--hckms``, ``--tencent-kms`` and ``--azure-kv``
652702arguments when creating new files.
653703
654704Use ``updatekeys`` if you want to add a key without rotating the data key.
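Review bot: the line "``--add-gcp-kms``, ``--add-hckms``, ``--add-tencent-kms``, ``--add- azure-kv``" introduces a stray space inside the ``--add- azure-kv`` literal that the replaced line did not have; restore it to ``--add-azure-kv`` so the flag name is correct and copy-pasteable.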
@@ -824,7 +874,7 @@ stdout.
824874Using .sops.yaml conf to select KMS, PGP and age for new files
825875~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
826876
827- It is often tedious to specify the ``--kms`` ``--gcp-kms`` ``--hckms`` ``--pgp`` and ``--age`` parameters for creation
877+ It is often tedious to specify the ``--kms`` ``--gcp-kms`` ``--hckms`` ``--tencent-kms`` ``-- pgp`` and ``--age`` parameters for creation
828878of all new files. If your secrets are stored under a specific directory, like a
829879``git`` repository, you can create a ``.sops.yaml`` configuration file at the root
830880directory to define which keys are used for which filename.
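Review bot: the rewritten line "It is often tedious to specify the ``--kms`` ``--gcp-kms`` ``--hckms`` ``--tencent-kms`` ``-- pgp`` and ``--age`` parameters" breaks ``--pgp`` into ``-- pgp``; the original line had ``--pgp`` intact, so this looks like an accidental edit and should be reverted to ``--pgp``.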
@@ -870,6 +920,10 @@ can manage the three sets of configurations for the three types of files:
870920 - path_regex: \.hckms\.yaml$
871921 hckms: tr-west-1:abc12345-6789-0123-4567-890123456789,tr-west-2:def67890-1234-5678-9012-345678901234
872922
923+ # tencent_kms files using Tencent Cloud KMS
924+ - path_regex: \.tencent\.yaml$
925+ tencent_kms: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
926+
873927 # Finally, if the rules above have not matched, this one is a
874928 # catchall that will encrypt the file using KMS set C as well as PGP
875929 # The absence of a path_regex means it will match everything
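Review bot: the new rule uses a comma-separated scalar (``tencent_kms: xxxxxxxx-...``) while the example added earlier in this patch under "You can also configure Tencent Cloud KMS keys" uses a YAML list; this mirrors how the ``hckms`` examples differ, but since the later reference section documents ``tencent_kms`` only as a list of strings, either make the two examples consistent or add a sentence stating that both forms are accepted.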
@@ -1875,6 +1929,15 @@ To directly specify a single key group, you can use the following keys:
18751929 - tr-west-1:abc12345-6789-0123-4567-890123456789
18761930 - tr-west-1:def67890-1234-5678-9012-345678901234
18771931
1932+ * ``tencent_kms`` (list of strings): list of Tencent Cloud KMS key IDs.
1933+ Example:
1934+
1935+ .. code:: yaml
1936+
1937+ creation_rules:
1938+ - tencent_kms:
1939+ - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
1940+
18781941To specify a list of key groups, you can use the following key:
18791942
18801943* ``key_groups`` (list of key group objects): a list of key group objects.
@@ -1904,6 +1967,8 @@ To specify a list of key groups, you can use the following key:
19041967 - http://my.vault/v1/sops/keys/secondkey
19051968 hckms:
19061969 - tr-west-1:abc12345-6789-0123-4567-890123456789
1970+ tencent_kms:
1971+ - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
19071972
19081973 merge:
19091974 - pgp:
@@ -1992,6 +2057,17 @@ A key group supports the following keys:
19922057
19932058 - key_id: tr-west-1:abc12345-6789-0123-4567-890123456789
19942059
2060+ * ``tencent_kms`` (list of objects): list of Tencent Cloud KMS key IDs.
2061+ Every object must have the following key:
2062+
2063+ * ``key_id`` (string): the key ID.
2064+
2065+ Example:
2066+
2067+ .. code:: yaml
2068+
2069+ - key_id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
2070+
19952071* ``age`` (list of strings): list of Age public keys.
19962072
19972073* ``pgp`` (list of strings): list of PGP/GPG key fingerprints.