@oleracea719
Feature Background

This PR adds support for Tencent Cloud Key Management Service (KMS) as a new key provider in SOPS. Tencent Cloud KMS is a secure, scalable key management service that helps users manage cryptographic keys, meet compliance requirements, and secure sensitive data.

With this addition, SOPS users can now leverage Tencent Cloud KMS for encrypting and decrypting their secrets alongside existing providers like AWS KMS, GCP KMS, Azure Key Vault, and HashiCorp Vault.

Implementation Details

New Files

  • Created tencentkms/keysource.go: Core implementation of the Tencent Cloud KMS integration
  • Created tencentkms/keysource_test.go: Unit tests for the Tencent Cloud KMS integration
  • Created tencentkms/keysource_integration_test.go: Integration tests for the Tencent Cloud KMS integration

Key Components

  1. MasterKey Implementation:
    • Implemented the MasterKey interface for Tencent Cloud KMS
    • Added core encryption/decryption logic using the Tencent Cloud KMS API
    • Included proper error handling and key identification
  2. Configuration Support:
    • Added environment variables for authentication:
      • TENCENTCLOUD_SECRET_ID: Tencent Cloud API secret ID
      • TENCENTCLOUD_SECRET_KEY: Tencent Cloud API secret key
      • TENCENTCLOUD_REGION: Tencent Cloud region

Usage Example

Below are my test cases:

1. Encrypt and decrypt with one key id in the CLI:

```shell
./sops --encrypt --tencent-kms {kms key id} config.yaml > config.enc.yaml
./sops decrypt config.enc.yaml
```

2. Encrypt and decrypt with multiple key ids in the CLI:

```shell
./sops --encrypt --tencent-kms {kms key id1},{kms key id 2} config.yaml > config.enc.yaml
./sops decrypt config.enc.yaml
```

3. Add and remove one key:

```shell
./sops -r -i --rm-tencent-kms {kms key id} config.enc.yaml
./sops -r -i --add-tencent-kms {kms key id} config.enc.yaml
```

4. Encrypt and decrypt with mixed keys, such as with the AWS KMS service:

```shell
./sops encrypt --tencent-kms {kms key id} --kms {aws kms key arn} config.yaml > config.enc.mixed.yaml
./sops --decrypt --kms {aws kms key arn} config.enc.mixed.yaml
./sops --decrypt --tencent-kms {kms key id} config.enc.mixed.yaml
```

5. Using the SOPS configuration:

Set the content below in .sops.yaml:

```yaml
creation_rules:
  - path_regex: .*\.yaml$
    key_groups:
      - kms:
          - {aws kms key arn 1}
          - {aws kms key arn 2}
      - tencent_kms:
          - key_id: {kms key id 1}
          - key_id: {kms key id 2}
    shamir_secret_sharing_threshold: 2
```

Then run the commands below:

```shell
./sops encrypt config.yaml > config.enc.groups.yaml
./sops decrypt config.enc.groups.yaml
./sops groups add --tencent-kms {new kms key id} -i -f config.enc.groups.yaml
./sops updatekeys -y config.enc.groups.yaml
```

6. Key service test:

In one shell with Tencent Cloud credentials, run the sops key service:

```shell
sops keyservice --network unix --address /tmp/sops.sock --verbose
```

In another shell, run the test commands:

```shell
./sops --encrypt --tencent-kms {kms key id 1} --keyservice unix:///tmp/sops.sock config.yaml
./sops decrypt --keyservice unix:///tmp/sops.sock config.enc.yaml
```

@felixfontein, could you please take a look? Thank you.

oleracea719 changed the title from "[Feature] Add Tencent Cloud KMS support" to "[Feature] Support Tencent Cloud KMS" on Oct 27, 2025