Is it possible to prevent a user from decrypting a file but still allow encryption to take place?

[davidchua]

Hi all,

Is it possible to allow changes to an encrypted file without the user needing to decrypt the file?

Context is I'm looking to provide a way for my team to self-service in adding or updating new key values (secrets) without them having the access to decrypt the entire file.

eg. in a encrypted file like this:

# encrypted.yaml
database_url: ENC[AES256_GCM,data:abjfYYcJwUe4jUEs1wUnNOZNeks=,iv:4W1rbcMc0ZbNNX2Kpv0I4CDPaTXvR2IYTDjfWUyCTMI=,tag:cHrHwrTYpu81BPwuErqzXw==,type:str]
slack_api_key: ENC[AES256_GCM,data:5zxY5FssjZTLmd4=,iv:clHf4zWW1fULRszAIlSsKc/ZF+M6fvpWNpW1dM3duPc=,tag:tOkFVHNqOn/TXEG/A/2uYg==,type:str]
sops:
  ...

I want a user to be able to either add a new key, or modify an existing one like:

database_url: new_value
slack_api_key: ENC[AES256_GCM,data:5zxY5FssjZTLmd4=,iv:clHf4zWW1fULRszAIlSsKc/ZF+M6fvpWNpW1dM3duPc=,tag:tOkFVHNqOn/TXEG/A/2uYg==,type:str]
a_very_new_key: value
sops:
  ...

and then running through sops -e encrypted.yaml will re-encrypt the file, avoiding the lines which has already been encrypted.

Currently there doesn't seem to be a way to re-encrypt as sops -e encrypted.yaml will return an error

The file you have provided contains a top-level entry called 'sops'. This
is generally due to the file already being encrypted. SOPS uses a top-level
entry called 'sops' to store the metadata required to decrypt the file. For
this reason, SOPS can not encrypt files that already contain such an entry.

I'm wondering if there's any known solutions/workarounds to this or how would you approach this problem?

[ajvb]

Is it possible to allow changes to an encrypted file without the user needing to decrypt the file?

The simple answer is: no

What I'd do in this case is have multiple sops files, where each "access level" has full RW access to their own sops file. Then either read multiple files in or combine them in your deployment process.