mitigations.md

Mitigation Strategies Analysis for mozilla/sops

Mitigation Strategy: Strict Access Control and Key Rotation for Master Keys (SOPS-Relevant Aspects)

• 1. Mitigation Strategy: Strict Access Control and Key Rotation for Master Keys (SOPS-Relevant Aspects)

  • Description:

    1. SOPS Key Rotation (sops --rotate): After rotating the master key in the underlying KMS (AWS KMS, GCP KMS, Azure Key Vault, etc.) or generating a new PGP key, use the sops --rotate command to re-encrypt all files managed by SOPS with the new key. This is the crucial SOPS-specific step. The command updates the SOPS metadata in the encrypted files to use the new key.
    2. Automated Rotation Script (incorporating SOPS): The automated key rotation script (mentioned in the previous, broader response) must include the sops --rotate command as a core part of the process. The script should:
       • Authenticate to the KMS (or handle PGP key access).
       • Trigger key rotation in the KMS (or generate a new PGP key).
       • Update the .sops.yaml file (if necessary) to reference the new key ID or fingerprint.
       • Execute sops --rotate to re-encrypt all files.
       • Verify successful re-encryption.
       • Revoke the old key (in the KMS) or securely delete the old PGP private key.
    3. Separate Keys Per Environment/Service (SOPS Usage): When creating new SOPS-encrypted files, ensure you are using the correct master key for the intended environment/service. This is done by specifying the appropriate KMS key ARN or PGP key fingerprint when running sops (or as configured in .sops.yaml).

  • Threats Mitigated:

    • Compromise of Master Key: (Severity: Critical) - sops --rotate ensures that even if an old key is compromised, it cannot be used to decrypt files after rotation.
    • Unauthorized Decryption: (Severity: High) - Using separate keys per environment/service, enforced through how sops is invoked, limits the blast radius of a key compromise.

  • Impact:

    • Compromise of Master Key: Risk significantly reduced. sops --rotate is the direct mitigation for this threat within the SOPS workflow.
    • Unauthorized Decryption: Risk reduced. Correct key usage during SOPS encryption operations limits access.

  • Currently Implemented:

    • sops --rotate is used manually after key rotation in AWS KMS.

  • Missing Implementation:

    • The key rotation process, including the sops --rotate command, is not fully automated.

Mitigation Strategy: .sops.yaml Configuration and Usage

• 2. Mitigation Strategy: .sops.yaml Configuration and Usage

  • Description:

    1. Precise creation_rules: The .sops.yaml file directly controls which keys can be used to encrypt and decrypt which files. Use specific path_regex patterns to map files to the appropriate KMS keys or PGP key fingerprints. Avoid overly broad wildcards. This is a core SOPS configuration element.
    2. Key Selection During Encryption: When creating a new encrypted file, SOPS uses the .sops.yaml file to determine which key(s) to use. If .sops.yaml is misconfigured, the wrong key could be used. Therefore, careful configuration and review of .sops.yaml are directly related to SOPS's security.
    3. Using --ignore-mac (Situational): In very specific, advanced scenarios where you need to temporarily bypass the Message Authentication Code (MAC) check (e.g., for debugging or recovery), you can use the --ignore-mac flag with sops. However, this should be used with extreme caution and only when absolutely necessary, as it disables a crucial security check. It should never be used in production. This is a SOPS-specific command-line option.

  • Threats Mitigated:

    • Unauthorized Decryption (via .sops.yaml): (Severity: High) - A misconfigured .sops.yaml could allow decryption with an unintended key.
    • Data Integrity Violation (if --ignore-mac is misused): (Severity: Critical) - Bypassing the MAC check allows for undetected tampering with the encrypted data.

  • Impact:

    • Unauthorized Decryption: Risk significantly reduced. Precise creation_rules in .sops.yaml are the direct control mechanism.
    • Data Integrity Violation: Risk is increased if --ignore-mac is used inappropriately. This flag should be avoided unless absolutely necessary and with full understanding of the risks.

  • Currently Implemented:

    • Reasonably specific creation_rules are used in .sops.yaml.

  • Missing Implementation:

    • --ignore-mac is not explicitly prohibited in developer guidelines (though its use is not common).

Mitigation Strategy: Using SOPS to Decrypt Only Necessary Secrets

• 3. Mitigation Strategy: Using SOPS to Decrypt Only Necessary Secrets

  • Description:

    1. Selective Decryption with --extract: Instead of decrypting an entire file, use the --extract (or -e) option with sops -d to decrypt only specific keys within the file. Example: sops -d --extract '["key1", "key3"]' secrets.yaml. This minimizes the exposure of secrets in memory. This is a core SOPS feature.
    2. Avoid Creating Temporary Decrypted Files: Whenever possible, avoid creating temporary, fully decrypted files on disk. Use --extract to work with individual secrets directly in memory. If temporary files must be created, ensure they are handled securely (as described in the broader list), but the best practice is to avoid them entirely by using SOPS's selective decryption capabilities.

  • Threats Mitigated:

    • Data Remnants in Memory: (Severity: Medium) - By decrypting only necessary secrets, the amount of sensitive data in memory is minimized.
    • Data Remnants on Disk: (Severity: Medium) - Avoiding temporary decrypted files eliminates the risk of recovering secrets from the file system.

  • Impact:

    • Data Remnants in Memory: Risk reduced. --extract is the direct SOPS feature that enables this mitigation.
    • Data Remnants on Disk: Risk significantly reduced (or eliminated if temporary files are avoided entirely).

  • Currently Implemented:

    • Applications are generally designed to use --extract to decrypt only necessary secrets.

  • Missing Implementation:

    • Not applicable, as the strategy is generally followed.