SOPS Encryption Key
Service Name: Mozilla SOPS (Secrets OPerationS)
Service Description: SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.
Service Address: https://github.com/mozilla/sops
Validation Type: Unavailable
IP Allow list: Does not exist
Secret Access Scope: Grants ability to decrypt files encrypted with SOPS using the corresponding encryption key. The key can be used to decrypt sensitive configuration files, credentials, and other secrets stored in version control systems.
Secret Revokement URL: Does not exist (keys must be rotated manually)
Secret Example: 2ff4a59a-3e0c-4a67-9453-12fcb98d8112
Suspicious Activity Investigation Instructions:
- Review git history and audit logs to see who has accessed encrypted files
- Check for unauthorized file decryption attempts
- Monitor for unexpected changes to encrypted files
- Review access logs for the key management service used (AWS KMS, GCP KMS, Azure Key Vault, etc.)
- Verify if any encrypted secrets have been exposed in plaintext form
Mitigation Instructions:
- Rotate the encryption key by generating a new key
- Re-encrypt all files with the new key
-
Update key references in CI/CD pipelines and other systems
-
Remove the old key from all key management systems
- Update documentation and team members about the key rotation
- If using a cloud KMS service, revoke access to the compromised key
- Consider implementing stricter access controls for encryption keys