Encryption Strategies for IaC
Encryption protects secrets within IaC files when external secret management isn't feasible. While not ideal for production use, encryption enables secure secret storage during development or for bootstrap secrets needed to access secret management systems. Multiple encryption approaches exist, each with distinct trade-offs.
The Sealed Secrets pattern encrypts secrets with public key cryptography: anyone holding the public key can encrypt, but only holders of the private key can decrypt. This asymmetric approach lets developers add encrypted secrets to repositories without ever having access to the decryption key. Only authorized systems, such as CI/CD pipelines, possess the private key and decrypt the secrets at deployment time.
```yaml
# Example using Mozilla SOPS for IaC encryption
# .sops.yaml configuration: each rule selects files by path and names the
# key (AWS KMS, Azure Key Vault or PGP) that encrypts their data keys
creation_rules:
  - path_regex: .*\.enc\.yaml$
    kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
  - path_regex: .*\.enc\.json$
    azure_keyvault: 'https://mykeyvault.vault.azure.net/keys/sops-key/1234567890abcdef'
  - path_regex: .*\.secrets\.yaml$
    pgp: '85D77543B3D624B63CEA9E6DBC17301B491B3F21'
```
```yaml
# secrets.enc.yaml - Encrypted file (values shown are abbreviated placeholders)
# Only the leaf values are encrypted; keys and structure stay readable for
# review and diffing, and the sops block records the wrapped data key and a MAC
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  api_key: ENC[AES256_GCM,data:Tr7o=,iv:1=,tag:k=,type:str]
  database_password: ENC[AES256_GCM,data:pX7o=,iv:2=,tag:l=,type:str]
sops:
  kms:
    - arn: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
      created_at: '2023-11-20T10:00:00Z'
      enc: AQICAHh7F5J+...
  lastmodified: '2023-11-20T10:00:00Z'
  mac: ENC[AES256_GCM,data:1qB=,iv:r=,tag:w=,type:str]
  version: 3.7.3
```
```hcl
# Terraform integration with SOPS (the sops_file data source comes from the
# carlpett/sops provider, so it must be declared)
terraform {
  required_providers {
    sops = {
      source = "carlpett/sops"
    }
  }
}

# Decrypts secrets.enc.yaml at plan/apply time using the key named in the
# file's sops block; the Terraform runner needs decrypt access to that key
data "sops_file" "secrets" {
  source_file = "secrets.enc.yaml"
}

locals {
  # raw is the decrypted document; parse it back into a map
  secret_data = yamldecode(data.sops_file.secrets.raw)
}

resource "kubernetes_secret" "app" {
  metadata {
    name = local.secret_data.metadata.name
  }
  # Note: the provider base64-encodes `data` itself. If the decrypted manifest
  # already holds base64 values (the Kubernetes `data` convention), use
  # `binary_data` instead to avoid double encoding.
  data = local.secret_data.data
}
```
Envelope encryption provides additional security layers by encrypting data encryption keys (DEKs) with key encryption keys (KEKs). This approach enables local encryption using DEKs while storing only encrypted DEKs in IaC files. KEKs remain in secure key management systems, providing centralized key control without exposing them to IaC repositories.
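The following is an added illustration of both patterns above, not code from the page or from SOPS/Sealed Secrets: envelope encryption where the KEK is an asymmetric key pair, so the public half can be handed to every developer (anyone can seal) while only the pipeline holds the private half (only it can unseal). A fresh AES-256-GCM DEK encrypts each secret, the DEK is wrapped with RSA-OAEP under the KEK public key, and only the ciphertext plus the wrapped DEK is what would be committed. Names, the secret value, and the `iac-dek-wrap` label are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// SealedSecret is the only artefact committed to the repository: ciphertext plus the DEK wrapped under the KEK public key.
type SealedSecret struct {
	Name       string `json:"name"`        // authenticated as GCM additional data
	WrappedDEK []byte `json:"wrapped_dek"` // RSA-OAEP(KEK_pub, DEK); json renders it as base64
	Nonce      []byte `json:"nonce"`       // AES-GCM nonce
	Ciphertext []byte `json:"ciphertext"`  // AES-256-GCM output, tag appended
}

const oaepLabel = "iac-dek-wrap" // constructed label; ties the KEK to DEK wrapping only

// GenerateKEK creates the key pair; the private half stays in the pipeline or a KMS, the public half goes to developers.
func GenerateKEK() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is envelope encryption: a fresh DEK encrypts the secret, and the DEK is wrapped with the KEK public key.
func Seal(kekPub *rsa.PublicKey, name string, plaintext []byte) (*SealedSecret, error) {
	dek := make([]byte, 32) // AES-256 key, used for exactly one secret
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer zero(dek) // plaintext DEK must not outlive this call
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Binding the name as additional data stops a ciphertext being moved to another manifest key unnoticed.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, dek, []byte(oaepLabel))
	if err != nil {
		return nil, err
	}
	return &SealedSecret{Name: name, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Unseal is the pipeline side: unwrap the DEK with the KEK private key, then
// decrypt; any change to ciphertext, nonce or name fails the GCM tag check.
func Unseal(kekPriv *rsa.PrivateKey, s *SealedSecret) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kekPriv, s.WrappedDEK, []byte(oaepLabel))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", s.Name, err)
	}
	defer zero(dek)
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(s.Name))
	if err != nil {
		return nil, fmt.Errorf("decrypt %q: %w", s.Name, err)
	}
	return pt, nil
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kek, err := GenerateKEK()
	if err != nil {
		panic(err)
	}
	// Constructed sample; the name mirrors the app-secrets manifest above.
	sealed, err := Seal(&kek.PublicKey, "app-secrets/database_password", []byte("correct horse battery staple"))
	if err != nil {
		panic(err)
	}
	blob, _ := json.MarshalIndent(sealed, "", "  ") // this is what gets committed
	pt, err := Unseal(kek, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\nrecovered: %s\n", blob, pt)
}
```

With a KMS-backed KEK the `rsa.EncryptOAEP`/`rsa.DecryptOAEP` calls become the service's encrypt and decrypt operations on the DEK, and the KEK private material never leaves the service; the committed artefact is unchanged in shape.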