Skip to content

Mozilla SOPS Key

Service Name: Mozilla SOPS (Secrets OPerationS)

Service Description: Mozilla SOPS is an open-source editor for encrypted files that supports YAML, JSON, ENV, INI, and BINARY formats. It encrypts specific values within a file rather than the entire file, making it easier to manage and track changes to encrypted content.

Service Address: https://github.com/mozilla/sops

Validation Type: Unavailable

IP Allow list: Does not exist

Secret Access Scope: Grants ability to decrypt files encrypted with SOPS using various key management services (AWS KMS, GCP KMS, Azure Key Vault, age, or PGP).

Secret Revokement URL: Does not exist (depends on the underlying key management service used)

Secret Example: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p

Suspicious Activity Investigation Instructions:

  • Review version control history for unauthorized changes to encrypted files
  • Check access logs of the underlying key management service (AWS KMS, GCP KMS, etc.)
  • Verify if any encrypted files have been decrypted without authorization
  • Examine audit logs for unusual patterns of file access or decryption attempts
  • Monitor for unexpected changes to the .sops.yaml configuration file

Mitigation Instructions:

  • Rotate the underlying encryption keys in the respective key management

service

  • Update the .sops.yaml configuration file to use new keys
  • Re-encrypt all affected files with the new keys
  • Revoke access to the compromised keys in your key management service
  • Update CI/CD pipelines and deployment systems to use the new keys
  • Consider implementing stricter access controls on encrypted files
  • Review and update key rotation policies