This procedure describes basic setup to use PGP keys with sops-secrets-operator.
Run a docker container in the directory of this README file:

```sh
docker run --rm -v "$(pwd)":/tmp/scripts -ti ubuntu:24.04 bash
```

Then generate the PGP keys inside the container. The key files are written to the mounted folder, so they remain there after the container session is closed:

```sh
cd /tmp/scripts
./install.sh
make
```

The following files will be generated:

- `keys.tar.gz` - the GPG configuration (keyring) that can be used to encrypt and decrypt secrets. Treat it as the cluster's decryption key: the better approach is to encrypt secrets with your own user key as well as this key, so that the operator can decrypt them inside the cluster while the generated private key never has to be used on a workstation.
- `1.yaml` and `2.yaml` - manifests that should be applied to the namespace where `sops-secrets-operator` will be deployed via the helm chart.

Sourcing `keys-env` sets up the working environment for data encryption:

```sh
source ./keys-env
```

After sourcing, `sops` can be used to encrypt data (`$FP` holds the key fingerprint exported by `keys-env`), for example:

```sh
sops -e -p "$FP" --encrypted-suffix='Templates' ../../config/samples/isindir_v1alpha3_sopssecret.yaml > example-secrets.enc.yaml
```

`example-secrets.enc.yaml` can then be applied to the cluster to create secrets via the SopsSecret CR. The resulting `keys.tar.gz`, `1.yaml` and `2.yaml` files must themselves be kept secret: together with the encrypted manifests they are sufficient to recover every secret.
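Before an encrypted manifest is committed or applied, it is worth checking that `--encrypted-suffix='Templates'` actually encrypted every value under the template keys and that the cluster key's fingerprint is among the recipients in the `sops` metadata, otherwise the operator cannot decrypt it in-cluster. The script below is an added example and is not part of sops-secrets-operator; the two manifests it checks are constructed inline (a plausible SopsSecret shape with `secretTemplates` and a sops `pgp` stanza), and the fingerprint is a placeholder, not a real key.

```sh
#!/bin/sh
# Pre-apply sanity check for a sops-encrypted SopsSecret manifest.
# Added example, not part of sops-secrets-operator. The sample manifests
# below are constructed and the fingerprint is a placeholder.

# check_sops_file FILE FINGERPRINT
# Succeeds only if every scalar under a key ending in "Templates" is a
# sops ENC[...] blob (nothing left in the clear) and the sops metadata
# lists FINGERPRINT as a PGP recipient, so the in-cluster key can decrypt.
check_sops_file() {
  file=$1
  fp=$2
  leaks=$(awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^[ \t]*$/ { next }
    in_block && indent($0) <= depth { in_block = 0 }      # block ended
    /^ *[A-Za-z]*Templates: *$/ { in_block = 1; depth = indent($0); next }
    in_block && /^[ -]*[A-Za-z0-9_.-]+: *.+$/ {
      val = $0
      sub(/^[ -]*[A-Za-z0-9_.-]+: */, "", val)           # keep the value only
      if (val !~ /^ENC\[/) print "plaintext leak: " $0
    }
  ' "$file")
  if [ -n "$leaks" ]; then
    printf '%s\n' "$leaks" >&2
    return 1
  fi
  if ! grep -Eq "^ +fp: $fp\$" "$file"; then
    echo "recipient $fp not listed in sops metadata of $file" >&2
    return 1
  fi
  return 0
}

TMP=$(mktemp -d)
GOOD_FILE=$TMP/good.enc.yaml
BAD_FILE=$TMP/bad.enc.yaml
# Placeholder fingerprint standing in for the cluster key from keys-env.
CLUSTER_FP=1F7E4B5C0A9D3E2B6C8F1A0D5E7B9C3A2D4F6E8A

# Constructed manifest in the shape sops produces with --encrypted-suffix.
cat > "$GOOD_FILE" <<'EOF'
apiVersion: isindir.github.com/v1alpha3
kind: SopsSecret
metadata:
  name: example-sopssecret
spec:
  secretTemplates:
    - name: ENC[AES256_GCM,data:Zm9v,iv:YWJj,tag:ZGVm,type:str]
      stringData:
        password: ENC[AES256_GCM,data:YmFy,iv:Z2hp,tag:amts,type:str]
sops:
  pgp:
    - created_at: "2024-01-01T00:00:00Z"
      enc: |
        -----BEGIN PGP MESSAGE-----
        (constructed placeholder)
        -----END PGP MESSAGE-----
      fp: 1F7E4B5C0A9D3E2B6C8F1A0D5E7B9C3A2D4F6E8A
  encrypted_suffix: Templates
  version: 3.8.1
EOF

# Same manifest with one value left in the clear, e.g. after a hand edit.
sed 's/^\( *password: \).*/\1hunter2/' "$GOOD_FILE" > "$BAD_FILE"

for f in "$GOOD_FILE" "$BAD_FILE"; do
  if check_sops_file "$f" "$CLUSTER_FP"; then
    echo "OK   $f"
  else
    echo "FAIL $f"
  fi
done
```

The awk pass tracks YAML indentation so only scalars nested below a `*Templates` key are inspected; metadata keys under `sops:` are skipped. Run it with the real `$FP` from `keys-env` against `example-secrets.enc.yaml`, and add your own user key's fingerprint as a second argument check if you encrypt to both keys.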