Encrypting using STACKIT KMS
The STACKIT KMS integration uses the STACKIT SDK for Go's default credential provider chain, which tries the following authentication methods, in this order:
- Static token or key flow credentials
- Environment variable STACKIT_SERVICE_ACCOUNT_TOKEN
- Credentials file at ~/.stackit/credentials.json
- Token flow via service account key
For more details, see the STACKIT KMS documentation.
STACKIT KMS uses a resource ID in the format
projects/<projectId>/regions/<regionId>/keyRings/<keyRingId>/keys/<keyId>/versions/<versionNumber>.
You can list your KMS keys using the STACKIT CLI:
stackit kms key-ring list --project-id PROJECT_ID --region eu01
stackit kms key list --project-id PROJECT_ID --region eu01 --key-ring-id KEYRING_ID
stackit kms key version list --project-id PROJECT_ID --region eu01 --key-ring-id KEYRING_ID --key-id KEY_ID
Now you can encrypt a file using:
$ sops encrypt --stackit-kms projects/my-project-id/regions/eu01/keyRings/aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb/keys/cccccccc-4444-5555-6666-dddddddddddd/versions/1 test.yaml > test.enc.yaml
Or using the environment variable:
$ export SOPS_STACKIT_KMS_IDS="projects/my-project-id/regions/eu01/keyRings/aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb/keys/cccccccc-4444-5555-6666-dddddddddddd/versions/1"
$ sops encrypt test.yaml > test.enc.yaml
And decrypt it using:
$ sops decrypt test.enc.yaml
You can also configure STACKIT KMS keys in the .sops.yaml config file:
creation_rules:
  - path_regex: \.stackit\.yaml$
    stackit_kms: projects/my-project-id/regions/eu01/keyRings/aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb/keys/cccccccc-4444-5555-6666-dddddddddddd/versions/1
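Added example, not code from the SOPS project or the STACKIT SDK: a small Go parser that checks a STACKIT KMS resource ID against the format described above and splits it into the project, region, key ring, key and version that the --stackit-kms flag, SOPS_STACKIT_KMS_IDS and the stackit_kms creation rule all accept. The type and function names (KeyRef, ParseKeyRef) are assumptions made for this example; the sample ID is the one from this section.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// KeyRef holds the parts of a STACKIT KMS resource ID of the form
// projects/<projectId>/regions/<regionId>/keyRings/<keyRingId>/keys/<keyId>/versions/<versionNumber>.
type KeyRef struct {
	ProjectID, RegionID, KeyRingID, KeyID string
	Version                               int
}

// ParseKeyRef validates one resource ID against the documented layout and
// splits it into its components. Any deviation is rejected rather than
// guessed at, so a typo never silently selects a different key or version.
func ParseKeyRef(id string) (KeyRef, error) {
	parts := strings.Split(strings.TrimSpace(id), "/")
	if len(parts) != 10 {
		return KeyRef{}, fmt.Errorf("stackit kms: want 10 path segments, got %d in %q", len(parts), id)
	}
	// Fixed labels sit at even indexes, their values at the following odd index.
	for i, want := range []string{"projects", "regions", "keyRings", "keys", "versions"} {
		if parts[2*i] != want {
			return KeyRef{}, fmt.Errorf("stackit kms: segment %d must be %q, got %q", 2*i, want, parts[2*i])
		}
		if parts[2*i+1] == "" {
			return KeyRef{}, fmt.Errorf("stackit kms: empty value after %q", want)
		}
	}
	v, err := strconv.Atoi(parts[9])
	if err != nil || v < 1 {
		return KeyRef{}, fmt.Errorf("stackit kms: version must be a positive integer, got %q", parts[9])
	}
	return KeyRef{ProjectID: parts[1], RegionID: parts[3], KeyRingID: parts[5], KeyID: parts[7], Version: v}, nil
}

func main() {
	// The sample resource ID from this section.
	ref, err := ParseKeyRef("projects/my-project-id/regions/eu01/keyRings/aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb/keys/cccccccc-4444-5555-6666-dddddddddddd/versions/1")
	fmt.Printf("%+v err=%v\n", ref, err)
}
```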