Once you have SOPS setup for your GIT project, it can be a pain in the behind trying to not forget decrypting SOPS encrypted files before editing, and encrypting them again before committing.
This extension makes sure you don't have to think about that anymore. It will allow you to only see and edit decrypted files, but only save and commit the encrypted versions.
This extension is built to facilitate the following:
- Easy update of SOPS encrypted files, without the need to manually decrypt/encrypt
- Ensuring no decrypted files accidentally are either committed OR left on disk
It does so by doing the following:
- Whenever you try to open a SOPS encrypted file
*, the extension does the following:- The encrypted file is immediately closed
- The file is decrypted to a
[filename].tmp.[extension]copy, which is opened instead
- Updating the
tmpfile will result in an updated, original SOPS encrypted file - Closing the
tmpfile will automatically delete thetmpfile as well, making sure decrypted data never stays on disk and is never accidentally committed
* I.e., any file that satisfies any of the combinations of .sops.yaml file paths and their path_regex conditions.
NOTE: It is still possible to edit the SOPS encrypted file directly, if desired, by right-mouse-clicking the encrypted file in the left explorer bar, and selecting SOPS: edit directly.
- You need SOPS installed and configured, including:
- setting up the authentication with desired encryption services
- configuration of
.sops.yamlfiles
- It is highly recommended to add the pattern for the
tmpfiles (**/*.tmp.[extension]) to your.gitignorefile, to ensure a decrypted file is never ever committed.
This extension adds the following event listeners:
- Checks for every opened text document if it is a SOPS encrypted file, and if so, applies logic as explained in But How?.
- Checks for every saved document:
- if it is a decrypted TMP file, and if so, saves and encrypts changes to original SOPS encrypted file
- if it is an opened encryptable or encrypted file, and if so, updates showing of
Encrypt/Decryptbuttons
- Checks for every closed document if it is a decrypted TMP file, and if so, deletes it.
- Check if the currently active text editor is an encrypted or encryptable file, and if so, adds
DecryptorEncryptbutton to its top-right editor menu.
This extension adds the following buttons to the top-right editor menu of every SOPS encrypted or encryptable file *:
Decrypt- Decrypts the file in-place
- Only shown when file is SOPS encrypted
Encrypt- Encrypts the file in-place
- Only shown when file is encryptable but not actually encrypted
* I.e., any file that satisfies any of the combinations of .sops.yaml file paths and their path_regex conditions.
This extension adds the following right-mouse-menu button to any yaml/yml/json/env/ini/txt file:
SOPS: edit directly- Allows you to see and edit the SOPS encrypted file directly, without the extension closing it immediately (which is the new 'normal' behaviour).
This extension adds the following settings:
Temp File Pre Extension- Allows you to change the default
tmppre-extension to something different
- Allows you to change the default
Only Use Buttons- Allows you to not get the auto-decrypt and encrypt behaviour, but only use the decrypt/encrypt buttons instead
This extension has the following limitations:
- Only SOPS config files named
.sops.yamlare taken into account - The
SOPS: edit directlybutton is only available toyaml/yml/json/env/ini/txtfiles. Other SOPS encrypted files are rendered impossible to be edited directly by installing this extension. - SOPS encryption is only checked for files smaller than 1MB
- Encrypted or encryptable files larger than this will be completely ignored by this extension
This extension does NOT do or help with any of the following:
- Installation of SOPS
- Login or authentication with encryption services
- Configuration of
.sops.yamlfiles
This extension happily makes use of the following outstanding npm packages:
- File System API
- Child process
- ini
- eemeli's excellent yaml package