Security¶
Overview¶
SOPS Operator is designed with security as a primary concern. This page documents security considerations and best practices.
Encryption¶
AGE Encryption¶
SOPS Operator uses AGE encryption, which provides:
- X25519 key exchange - Modern elliptic curve cryptography
- ChaCha20-Poly1305 - Authenticated encryption
- No cloud dependencies - Works entirely offline
SOPS Features¶
The operator leverages SOPS features:
- Message Authentication Code (MAC) - Ensures integrity of encrypted data
- Key rotation support - Rotate keys without re-encrypting all secrets
- Audit trail - SOPS metadata shows encryption details
Key Management¶
Best Practices¶
-
Never commit private keys to Git
-
Use separate keys per environment
-
Store private keys securely
- Use a secrets manager (Vault, AWS Secrets Manager)
-
Or Kubernetes Secrets with RBAC restrictions
-
Rotate keys periodically
RBAC¶
Operator Permissions¶
The operator runs with minimal permissions:
- Only accesses
SopsSecretandSecretresources - Namespace-scoped by default
- No cluster-admin privileges
Recommended User Permissions¶
# Allow creating SopsSecrets but not reading Secrets
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: sopssecret-creator
rules:
- apiGroups: ["secrets.scalaric.io"]
resources: ["sopssecrets"]
verbs: ["get", "list", "create", "update", "delete"]
Network Security¶
- Operator makes no outbound network connections
- All decryption happens locally
- No telemetry or data collection
Supply Chain Security¶
Signed Releases¶
All releases are signed with Cosign:
# Verify container image
cosign verify ghcr.io/scalaric/sops-operator:v1.0.0
# Verify release artifacts
cosign verify-blob --signature install.yaml.sig install.yaml
SBOM¶
Software Bill of Materials (SBOM) is published with each release in SPDX format.
Provenance¶
SLSA provenance attestation is attached to release artifacts.
Reporting Vulnerabilities¶
Please report security vulnerabilities via GitHub Security Advisories:
See SECURITY.md for details.