Rationale
Sops is the tool we use for managing most of our organizational secrets, such as passwords, access keys and PII. It allows us to version encrypted files within our Git repositories in a stateless approach.
The main reasons why we chose it over other alternatives are:
- It is open source.
- It is serverless, meaning that it does not require maintaining servers, firewalls, load balancers or any other infrastructure typically required by common secrets engines.
- It supports AWS KMS, which allows encrypting files using symmetric AES-256 keys that only exist within the KMS boundaries, making key leakage nearly impossible. Access to such keys can be easily managed with user-level granularity by using AWS IAM.
- It is free; the only costs incurred are those of decrypting secret files using AWS KMS.
- As secrets are written as code, they can be versioned, since encrypted secret files can be securely pushed to Git repositories.
- It allows reproducibility and auditability, as secrets are versioned.
- It is DevOps friendly, as secret management is done through Merge Requests, allowing CI/CD integrations to run on the secrets.
- The KMS keys that protect secrets are very easy to rotate.
- It integrates with other services like PGP, Age, GCP KMS, Azure Key Vault and HashiCorp Vault.
- It supports YAML, JSON, ENV, INI and binary formats.
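Because the encrypted files are committed to Git, the property that matters most is that every secret leaf in the file is actually ciphertext before it is pushed. The following pre-commit style check is an added example written for this page; it is not code from the original page nor from the sops project. It assumes sops's documented on-disk layout for its JSON format: each encrypted leaf is a string of the form ENC[AES256_GCM,data:...,iv:...,tag:...,type:...], and a top-level "sops" object carries the key metadata (a "kms" list for AWS KMS). The sample document, its ciphertext fields and the KMS ARN are constructed placeholders, not real data.

```python
"""Check that a sops JSON file contains no plaintext leaves before commit.

Added example (not part of the original page or of the sops project).
Assumes sops's documented layout: encrypted leaves are strings of the form
ENC[AES256_GCM,data:...,iv:...,tag:...,type:...] and a top-level "sops"
object holds the key metadata. Sample data below is constructed.
"""
import json
import re

# Shape of a sops-encrypted leaf; the three base64 fields are opaque here.
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]+,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(str|int|float|bool|comment)\]$"
)

# Constructed sample file: two properly encrypted leaves and one value a
# developer pasted in clear by mistake. Ciphertext fields and the KMS ARN
# are dummies, not real key material.
SAMPLE_FILE = json.dumps({
    "db": {
        "user": "ENC[AES256_GCM,data:YWJj,iv:ZGVm,tag:Z2hp,type:str]",
        "password": "ENC[AES256_GCM,data:cXdl,iv:cnR5,tag:dWlv,type:str]",
    },
    "api_token": "sk-live-this-should-not-be-here",
    "sops": {
        "kms": [{
            "arn": "arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER-KEY-ID",
            "created_at": "2024-01-01T00:00:00Z",
            "enc": "PLACEHOLDER-ENCRYPTED-DATA-KEY",
        }],
    },
})


def _is_encrypted(value):
    return isinstance(value, str) and ENC_RE.match(value) is not None


def plaintext_leaves(doc, path=()):
    """Return paths (tuples of keys/indices) of leaves that are not ENC[...].

    The top-level "sops" object is metadata and is skipped. Once sops has
    encrypted a file, ints and bools are also stored as ENC[...,type:int]
    strings, so a bare number or boolean counts as plaintext too.
    """
    found = []
    for key, value in doc.items():
        if not path and key == "sops":
            continue
        here = path + (key,)
        if isinstance(value, dict):
            found.extend(plaintext_leaves(value, here))
        elif isinstance(value, list):
            for i, item in enumerate(value):
                if isinstance(item, dict):
                    found.extend(plaintext_leaves(item, here + (i,)))
                elif not _is_encrypted(item):
                    found.append(here + (i,))
        elif not _is_encrypted(value):
            found.append(here)
    return found


def check_sops_file(text):
    """Parse a sops JSON file; return (ok, problems) for a CI or pre-commit gate."""
    doc = json.loads(text)
    problems = []
    if not isinstance(doc, dict):
        return False, ["top-level document is not an object"]
    meta = doc.get("sops")
    if not isinstance(meta, dict) or not meta.get("kms"):
        problems.append("missing sops.kms metadata: file was not encrypted with a KMS key")
    for leaf in plaintext_leaves(doc):
        problems.append("plaintext value at " + ".".join(str(p) for p in leaf))
    return not problems, problems


if __name__ == "__main__":
    ok, problems = check_sops_file(SAMPLE_FILE)
    print("OK" if ok else "\n".join(problems))
```

Run as a pre-commit hook over every file matched by the repository's sops creation rules, the check fails the commit when a leaf is still in clear or when the metadata shows the file never went through KMS, which is the failure mode that turns "secrets as code" into "plaintext in Git history".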
Alternatives
The following alternatives were considered but not chosen for the following reasons:
- AWS Secrets Manager: It charges on a per-secret basis. It is a common secrets engine, meaning that secrets are not stored as code, losing versioning, auditability, automation and reproducibility capabilities.
- HashiCorp Vault: It did not have a SaaS solution at the time we tried it, so we had to maintain the entire service on our Kubernetes cluster. It is a common secrets engine, meaning that secrets are not stored as code, losing versioning, auditability, automation and reproducibility capabilities. It only supports automatic rotations for AWS and Twilio every 30 days, meaning that manual rotation is still needed. It tries to generate dynamic AWS credentials from its engine but requires full static root credentials to do so; OIDC via GitLab and SAML via Okta are still better.
- Infisical: It was not a distributed tool like Sops, meaning that it represented a single point of failure. It generated friction, as traceability existed outside of the Git repository, and it forced us to duplicate our AWS authorization model for it to work. It did not support triggering CI/CD pipelines on secret rotations, potentially impacting stability. It was more expensive than Sops, as its pricing model was based on users instead of AWS KMS key usage. It provided automatic secret rotation for a few tools at the expense of not being able to test whether such rotations worked.
- Torus: We used it a few years ago, but it was discontinued. One year later they relaunched their service. It is a common secrets engine, meaning that secrets are not stored as code, losing versioning, auditability, automation and reproducibility capabilities.
Usage
It is used for managing most of our organizational secrets. Some examples are:
- Airs
- Platform
- Makes
- Okta
We do not use Sops for:
- GitLab CI/CD Variables: Although most of the secrets contained here were already migrated, there are still some that need review.
- Automatic secret rotation: As Sops secrets are versioned, rotating them automatically would require pushing automated commits directly to our main branches. We have declined to do this so far, mainly due to consistency and stability concerns. Secrets that require automatic rotation are kept within our GitLab CI/CD Variables.