dotnet-sops is a .NET tool for securely storing and sharing user-secrets with all your team members.
It utilizes SOPS under the hood to encrypt and decrypt secrets, thereby supporting all key types supported by SOPS: Azure Key Vault, AWS KMS, GCP KMS, HashiCorp Vault, age, and PGP.
When secrets are decrypted using `dotnet sops decrypt`, they are stored in plain, unencrypted text that can be loaded by the user-secrets tool. Remove the plaintext by running `dotnet user-secrets clear`, and use `dotnet sops run` to load secrets into the environment instead.
dotnet-sops was developed to address the security risks posed by plain-text secrets in Git repositories. It offers a streamlined solution, integrating with SOPS encryption, to enable secure management and sharing of development secrets within the .NET ecosystem.
Run the following commands to install the tool:

```shell
dotnet new tool-manifest
dotnet tool install dotnet-sops
```

This will write the .config/dotnet-tools.json file with the version of the tool used. Add this file to source control. Your team members can then run the following command to install the same version of the tool:

```shell
dotnet tool restore
```

Run the following command to install the tool globally:

```shell
dotnet tool install dotnet-sops --global
```

```shell
# Follow the text wizard to create the .sops.yaml configuration file. (Only the first time)
dotnet sops init
# Download the SOPS executable. (Only the first time)
dotnet sops download-sops
# Generate a UserSecretsId for the dotnet project. Skip if it is already set up. (Only the first time)
dotnet user-secrets init
# Add an example secret to user-secrets. (Only for new secrets)
dotnet user-secrets set "MyApi:ApiKey" "MySuperSecretApiKeyValue"
# Encrypt user-secrets to the secrets.json file.
dotnet sops encrypt
# Clear secrets from user-secrets.
dotnet user-secrets clear
# Run 'dotnet run' with decrypted secrets injected into the environment.
dotnet sops run
# Decrypt secrets.json to user-secrets.
dotnet sops decrypt
```

For more information on how to use user-secrets to add secrets, refer to Safe storage of app secrets in development in ASP.NET Core.
Initiate the prompt to create a valid .sops.yaml configuration file:

```shell
dotnet sops init
```

If you don't have SOPS in your PATH, you can download SOPS from https://github.com/getsops/sops using the following command:

```shell
dotnet sops download-sops
```

The downloaded SOPS executable has its SHA-512 checksum verified. This version of SOPS will be used by the encrypt and decrypt commands.
Encrypt existing .NET user secrets:

```shell
dotnet sops encrypt
```

This will create a secrets.json file that can be shared with other team members working on your project.

Decrypt a secrets.json file into .NET user secrets:

```shell
dotnet sops decrypt
```

Run `dotnet run` with secrets from secrets.json injected into the environment:

```shell
dotnet sops run
```

`dotnet sops run` accepts the same arguments and options as `dotnet run`.
All commands support the --help option:

```shell
# List all commands
dotnet sops --help
# List all options for encryption
dotnet sops encrypt --help
```

The .sops.yaml configuration file is used to inform SOPS how to handle encryption and decryption. Its content should define `creation_rules` for the secrets.json path.

The following command can be used to help create a valid .sops.yaml:

```shell
dotnet sops init
```

You can also create and edit the .sops.yaml file yourself. Refer to the SOPS documentation for more information.
Usage with an age key:

```yaml
creation_rules:
  - path_regex: secrets.json
    age: age1
```

Only a user holding the age1 private key can decrypt. Refer to the SOPS documentation to learn how SOPS accesses age private keys.

If more people should have access, then multiple public age keys can be specified:

```yaml
creation_rules:
  - path_regex: secrets.json
    age: age1,age2
```

Decryption then requires access to either the age1 or the age2 private key.
Usage with an Azure Key Vault key:

```yaml
creation_rules:
  - path_regex: secrets.json
    azure_keyvault: https://my-key-vault-name.vault.azure.net/keys/my-key-name/my-key-version
```

Users should be assigned the encrypt and decrypt rights for the key vault.
SOPS can also be configured to require access to more than one key. This can be achieved by using key groups in the configuration. Refer to the SOPS key group documentation for more information.

Example using three key groups:

```yaml
creation_rules:
  - path_regex: secrets.json
    key_groups:
      - pgp: # Key group 1
          - fingerprint1
        age:
          - age1
      - pgp: # Key group 2
          - fingerprint2
      - age: # Key group 3
          - age2
```

This requires that the user has access to all three key groups. For key group 1, it requires the user to have access to either fingerprint1 or age1.
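The access rules described above can be checked mechanically. The following is an added example, not code from dotnet-sops or SOPS: it evaluates a creation rule against the set of keys a user holds, using the flat-rule semantics (any one key suffices) and the key-group semantics (every group needs a key) this README explains, generalised to an optional `shamir_threshold` that SOPS also honours. The config literal and key identifiers are constructed placeholders mirroring the examples above.

```python
import re

# Constructed .sops.yaml content as a Python literal (mirrors the three-key-group
# example above; "fingerprint1", "age1" etc. are placeholder identifiers).
SOPS_CONFIG = {
    "creation_rules": [
        {
            "path_regex": "secrets.json",
            "key_groups": [
                {"pgp": ["fingerprint1"], "age": ["age1"]},  # key group 1
                {"pgp": ["fingerprint2"]},                   # key group 2
                {"age": ["age2"]},                           # key group 3
            ],
        }
    ]
}

# Master key types SOPS recognises in a creation rule or key group.
MASTER_KEY_TYPES = ("age", "pgp", "kms", "gcp_kms", "azure_keyvault", "hc_vault_transit_uris")


def _group_keys(group):
    """Flatten one key group (or a flat rule) into a set of key identifiers.
    Comma-separated strings such as `age: age1,age2` are split like SOPS does."""
    keys = set()
    for key_type in MASTER_KEY_TYPES:
        value = group.get(key_type)
        if value is None:
            continue
        items = value if isinstance(value, list) else str(value).split(",")
        keys.update(item.strip() for item in items if item.strip())
    return keys


def match_rule(config, path):
    """Return the first creation rule whose path_regex matches the file path, else None."""
    for rule in config.get("creation_rules", []):
        if re.search(rule.get("path_regex", ""), path):
            return rule
    return None


def can_decrypt(rule, user_keys):
    """True if a user holding `user_keys` can decrypt a file created under `rule`.
    Flat rule: all keys form one group, any single key is enough.
    key_groups: at least shamir_threshold groups (default: all of them) must each
    contain a key the user holds."""
    groups = rule.get("key_groups") or [rule]
    threshold = rule.get("shamir_threshold", len(groups))
    satisfied = sum(1 for g in groups if _group_keys(g) & set(user_keys))
    return satisfied >= threshold
```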
Refer to the contributing guide for detailed instructions on how to contribute to dotnet-sops.