ExSopsy

Sopsy is a pragmatic wrapper around Mozilla SOPS allowing decryption of secrets at runtime.

The goal of the library is to offer a simple way to bring encrypted secrets into your Elixir application. It is especially suited to self-hosted (VPS) and easy-to-manage environments (e.g. it doesn't require a Vault or a managed service).

Requirements

Usage

You can call ExSopsy.load_secrets, passing the path to a SOPS-encrypted file and the format of the file. If decryption is successful, the function returns a tuple {:ok, Map.t} with the decrypted secret keys.

# config/runtime.exs
import Config

# Decrypt secrets only in production, at boot time.
if config_env() == :prod do
  case ExSopsy.load_secrets("priv/secrets.enc.json", :json) do
    {:ok, secrets} ->
      config :my_app, MyApp.Repo,
        username: secrets["db_user"],
        password: secrets["db_password"]

      config :my_app, MyAppWeb.Endpoint,
        secret_key_base: secrets["secret_key_base"]

    {:error, reason} ->
      # Abort startup instead of booting without credentials.
      raise "Failed to load secrets: #{inspect(reason)}"
  end
end

The library is usable from any module in the application.
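
The runtime.exs snippet above reads keys with secrets["..."], which yields nil when a key is absent from the decrypted map, so a misnamed key would let the application boot with a nil credential. As an added example (not part of ExSopsy or of the original README), the wrapper below fails closed on missing or empty keys and reports key names only; the module name MyApp.Secrets, the required-key list and the injectable loader argument are assumptions.

```elixir
defmodule MyApp.Secrets do
  @moduledoc """
  Added example (not part of ExSopsy): load a SOPS file and fail closed
  when an expected key is absent, empty, or not a string.
  """

  # Assumed key list; the names match the runtime.exs snippet above.
  @required ~w(db_user db_password secret_key_base)

  @doc """
  Returns {:ok, map} holding only the required keys, and only when each one
  is a non-empty string. `loader` defaults to ExSopsy.load_secrets/2 and can
  be replaced with a stub in tests.
  """
  def load(path, format, required \\ @required, loader \\ &ExSopsy.load_secrets/2) do
    with {:ok, secrets} when is_map(secrets) <- loader.(path, format),
         [] <- invalid_keys(secrets, required) do
      # Hand back only what the caller asked for.
      {:ok, Map.take(secrets, required)}
    else
      # Report key names only, never the decrypted values.
      [_ | _] = keys -> {:error, {:invalid_or_missing_keys, keys}}
      {:error, reason} -> {:error, {:decrypt_failed, reason}}
      # Do not echo an unexpected result: it may contain secret material.
      _other -> {:error, :unexpected_result}
    end
  end

  # Keeps the required keys whose value is missing, blank, or not a binary.
  defp invalid_keys(secrets, required) do
    Enum.reject(required, fn key ->
      case Map.get(secrets, key) do
        value when is_binary(value) -> String.trim(value) != ""
        _ -> false
      end
    end)
  end
end

# Constructed demo with a stub loader (no SOPS binary or encrypted file needed):
# "db_password" is absent and "secret_key_base" is empty.
stub = fn _path, _format -> {:ok, %{"db_user" => "app", "secret_key_base" => ""}} end

IO.inspect(MyApp.Secrets.load("priv/secrets.enc.json", :json, ~w(db_user db_password secret_key_base), stub))
```

In config/runtime.exs, the case expression can match on the result of MyApp.Secrets.load/2 instead of calling ExSopsy.load_secrets directly, keeping the same raise on {:error, reason}.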

Installation

If available in Hex, the package can be installed by adding ex_sopsy to your list of dependencies in mix.exs:

def deps do
  [
    {:ex_sopsy, "~> 0.1.0"}
  ]
end

Documentation can be generated with ExDoc and published on HexDocs. Once published, the docs can be found at https://hexdocs.pm/ex_sopsy.