I think I've said it before, but I damn love the SOPS + AGE combo for storing secrets in Git.
@karlpoe@infosec.exchange I haven't seen you say that before, but SOPS is really nice. Slow, a bit underdesigned as an API, but nice. Only used it with GPG and KMS. Need to go grok age...
@dominykas@fosstodon.org KMS is probably more secure and saner as you don't have to worry about key management, but I'm working on a project where using KMS is not feasible. Age even supports using SSH keys, but that's a bit flaky with SOPS at the moment.
@karlpoe@infosec.exchange well, with KMS you don't have to worry, but you also have no idea what's actually under the hood and who has the keys, so that can be a bit of a problem.
@dominykas@fosstodon.org yeah, or like in the case of the last GCP outage, you can be left locked out because KMS wasn't working either. So it kinda makes sense to add an AGE key (in addition to KMS) to your .sops.yaml and store it somewhere safe for break-glass scenarios.
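
The break-glass setup described in the last post, sketched as an added example that is not part of the thread or written by either participant. It assumes GCP KMS as the primary key; the path pattern, the KMS resource ID and the age recipient are all placeholders.

```yaml
# .sops.yaml (added example; every identifier below is a placeholder)
creation_rules:
  # Hypothetical repo layout: encrypted files live under secrets/
  - path_regex: secrets/.*\.ya?ml$
    # Primary recipient: cloud KMS, used for day-to-day encrypt/decrypt.
    gcp_kms: projects/PLACEHOLDER-PROJECT/locations/global/keyRings/PLACEHOLDER-RING/cryptoKeys/PLACEHOLDER-KEY
    # Break-glass recipient: an age PUBLIC key. Only the public half belongs
    # in the repo; the matching private key is stored offline.
    # Both recipients are in the same (default) key group, so either one
    # alone can unwrap a file's data key. Splitting them into separate
    # key_groups with a threshold covering both would require KMS AND age,
    # which defeats the purpose during a KMS outage.
    age: age1PLACEHOLDERBREAKGLASSPUBLICKEY
```

Files encrypted before the age recipient was added do not gain it automatically; run `sops updatekeys <file>` on each so the data key is re-wrapped for the new recipient list. Decrypting with the break-glass key requires the age private key to be reachable by SOPS, for example through the `SOPS_AGE_KEY_FILE` environment variable.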