Last updated: Apr 26, 2023
NOT ON THE CURRENT EDITION
This blip is not on the current edition of the Radar. If it was on one of the last few editions, it is likely still relevant. If the blip is older, it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the Radar.
Apr 2023 (Trial)

Our advice on secrets management has always been to decouple it from source code. However, teams are often presented with a tradeoff between full automation (in the spirit of infrastructure as code) and a few manual steps (using tools like vaults) for managing, seeding and rotating seed secrets. For instance, our teams use SOPS to manage the seed credentials used to bootstrap infrastructure. In some situations it's simply impossible to remove secrets from legacy code repositories, and for those we've found Mozilla SOPS to be a good choice for encrypting secrets in text files. SOPS integrates with cloud-managed keystores such as AWS and GCP Key Management Service (KMS) or Azure Key Vault as sources of encryption keys. It also works cross-platform and supports PGP keys.

Oct 2021 (Assess)

Plaintext secrets checked into source control (usually GitHub) are one of the most pervasive security mistakes developers make. For this reason we thought it useful to feature Mozilla SOPS, a tool for encrypting secrets in text files that our developers find useful in situations where it is impossible to remove secrets from legacy code repositories. We've mentioned many tools of this type before (Blackbox, git-crypt), but SOPS has several features that set it apart. For example, SOPS integrates with cloud-managed keystores such as AWS and GCP Key Management Service (KMS) or Azure Key Vault as sources of encryption keys. It also works cross-platform and supports PGP keys. Because the keys used to encrypt a file are chosen per file, this enables fine-grained access control to secrets on a file-by-file basis. SOPS encrypts only the values in a YAML, JSON or similar structured file and leaves the identifying map keys in plaintext, so that secrets can still be located and diffed by git. We're always supportive of anything that makes it easier for developers to be secure; however, remember that you don't have to keep secrets in source control to begin with. See Decoupling secret management from source code in our November 2017 issue.
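As an added illustration (not from the Radar text or the SOPS project's own documentation), this is how the file-by-file access control and the plaintext-keys behaviour described above look in practice: a .sops.yaml with per-path creation rules, followed by the shape of a file after encryption. Every key identifier, URL and ciphertext below is a constructed placeholder.

```yaml
# .sops.yaml at the repository root: which keys may decrypt which files.
# Rules are matched top-down against the path of the file being encrypted.
creation_rules:
  # Development secrets: a developer PGP key plus a shared GCP KMS key.
  - path_regex: ^config/dev/.*\.yaml$
    pgp: "PGP_FINGERPRINT_PLACEHOLDER"
    gcp_kms: projects/PROJECT_PLACEHOLDER/locations/global/keyRings/sops/cryptoKeys/dev
  # Production secrets: only the production AWS KMS key and the Key Vault key.
  # With shamir_threshold: 2 both key groups must contribute, so a single
  # compromised cloud credential is not enough to decrypt the file.
  - path_regex: ^config/prod/.*\.yaml$
    key_groups:
      - kms:
          - arn: arn:aws:kms:us-east-1:000000000000:key/KEY_ID_PLACEHOLDER
      - azure_keyvault:
          - vaultUrl: https://VAULT_PLACEHOLDER.vault.azure.net
            key: sops
            version: KEY_VERSION_PLACEHOLDER
    shamir_threshold: 2
    # Encrypt only values whose map key matches; everything else stays readable.
    encrypted_regex: ^(password|token|api_key)$
---
# config/prod/db.yaml after `sops --encrypt --in-place config/prod/db.yaml`.
# Map keys stay in plaintext, so `git diff` still shows that db.password
# changed; only the values are ciphertext. The trailing sops block records
# which keys were used and a MAC over the whole file, so tampering with a
# value or removing a key entry is detected at decrypt time.
# (The ENC[...] strings are constructed placeholders, not real SOPS output.)
db:
  host: db.internal.example   # not matched by encrypted_regex: left readable
  password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
  key_groups:
    - kms:
        - arn: arn:aws:kms:us-east-1:000000000000:key/KEY_ID_PLACEHOLDER
          enc: PLACEHOLDER
    - azure_kv:
        - vault_url: https://VAULT_PLACEHOLDER.vault.azure.net
          name: sops
          version: KEY_VERSION_PLACEHOLDER
          enc: PLACEHOLDER
  shamir_threshold: 2
  encrypted_regex: ^(password|token|api_key)$
  mac: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
```

`sops --decrypt config/prod/db.yaml` reverses the operation for anyone whose cloud identity can use a key from each group; reviewers without those keys can still read the structure and see which secrets a commit touched.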

Published: Oct 27, 2021
