Posts

Automated SOPS compliance checking with sops-check

SOPS is the de-facto standard for securely storing secrets in Git repositories. It creates encrypted containers that protect the secret content. The containers are in YAML, JSON, ENV or INI format so that regular Git operations and line-based diffs still work. Also, SOPS only encrypts the values of the secrets so that it is easy to see the purpose of a secret. SOPS files use external "trust anchors" for key material, so the ability to decrypt a SOPS file depends on access to the appropriate decryption key or service. While SOPS files are considered secure by themselves, the security posture actually depends entirely on protecting these external trust anchors - and on controlling which trust anchors are added to a SOPS file. SOPS files are often used with cloud-based key management systems (KMS), which has the great advantage of providing an online identity verification prior to granting access to the encrypted data. A malicious actor — espe...
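To make the point about controlling trust anchors concrete, here is an added example (not the sops-check tool's code and not from the original post) of the kind of policy check a CI job can run over a SOPS-encrypted JSON file: every anchor listed in the `sops` metadata must be on an allowlist, forbidden anchor types (here PGP, which offers no online identity check) are rejected, and every value outside the metadata must actually be ciphertext unless its key carries the `unencrypted_suffix`. The allowlisted KMS ARN, age recipient and the two sample files are constructed placeholders; regex-based selection of encrypted keys is not modelled.

```python
"""Policy check over SOPS metadata and encryption coverage (illustrative, not sops-check)."""
import json
import re
from typing import Any, Iterator

# --- Policy: constructed placeholders, not real key identifiers ---------------
ALLOWED_ANCHORS = {
    "kms": {"arn:aws:kms:eu-central-1:111122223333:key/11111111-2222-3333-4444-555555555555"},
    "age": {"age1qyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqs3290gq"},
}
FORBIDDEN_TYPES = {"pgp"}  # offline keys: no online identity verification, hard to audit

# Field that identifies an anchor entry in each SOPS metadata section.
ID_FIELD = {"kms": "arn", "gcp_kms": "resource_id", "age": "recipient", "pgp": "fp"}

# Shape of a SOPS-encrypted scalar: ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,]*,iv:[^,]*,tag:[^,]*,type:[a-z]+\]$")


def anchors(meta: dict) -> Iterator[tuple[str, str]]:
    """Yield (type, identifier) for every trust anchor in the sops metadata block."""
    for kind, id_field in ID_FIELD.items():
        for entry in meta.get(kind) or []:          # unused sections may be null
            yield kind, str(entry.get(id_field, "<missing>"))
    for kind, val in meta.items():                 # anchor types this checker does not model
        if kind not in ID_FIELD and isinstance(val, list) and val:
            yield kind, "<unmodelled>"


def leaves(node: Any, path: tuple = ()) -> Iterator[tuple[tuple, Any]]:
    """Depth-first walk yielding (key path, scalar) for every leaf of a JSON tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from leaves(v, path + (str(k),))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from leaves(v, path + (str(i),))
    else:
        yield path, node


def check_sops_document(doc: dict) -> list[str]:
    """Return the list of policy violations; an empty list means the file is compliant."""
    problems: list[str] = []
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        return ["no 'sops' metadata block: file is not SOPS-encrypted"]
    if "mac" not in meta:
        problems.append("missing integrity MAC in sops metadata")

    seen = list(anchors(meta))
    if not seen:
        problems.append("no trust anchors: nobody could decrypt this file")
    for kind, ident in seen:
        if kind in FORBIDDEN_TYPES:
            problems.append(f"forbidden anchor type {kind}: {ident}")
        elif ident not in ALLOWED_ANCHORS.get(kind, set()):
            problems.append(f"unapproved {kind} anchor: {ident}")

    # Every leaf outside the metadata must be ciphertext unless a key on its
    # path carries the unencrypted suffix (SOPS default "_unencrypted").
    suffix = meta.get("unencrypted_suffix", "_unencrypted")
    payload = {k: v for k, v in doc.items() if k != "sops"}
    for path, value in leaves(payload):
        if any(p.endswith(suffix) for p in path):
            continue
        if not (isinstance(value, str) and ENC_VALUE.match(value)):
            problems.append(f"plaintext value at {'.'.join(path)}")
    return problems


def check_sops_json(text: str) -> list[str]:
    return check_sops_document(json.loads(text))


# --- Constructed sample files (ciphertext and key material are dummies) --------
_META = {
    "kms": [{"arn": next(iter(ALLOWED_ANCHORS["kms"])), "created_at": "2025-01-01T00:00:00Z", "enc": "AQID"}],
    "age": [{"recipient": next(iter(ALLOWED_ANCHORS["age"])), "enc": "-----BEGIN AGE ENCRYPTED FILE-----"}],
    "pgp": None,
    "lastmodified": "2025-01-01T00:00:00Z",
    "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]",
    "unencrypted_suffix": "_unencrypted",
}
GOOD_FILE = json.dumps({
    "db_password": "ENC[AES256_GCM,data:Q2FmZQ==,iv:aXY=,tag:dGFn,type:str]",
    "db": {"host_unencrypted": "db.internal", "port": "ENC[AES256_GCM,data:NTQzMg==,iv:aXY=,tag:dGFn,type:int]"},
    "sops": _META,
})
BAD_FILE = json.dumps({
    "db_password": "ENC[AES256_GCM,data:Q2FmZQ==,iv:aXY=,tag:dGFn,type:str]",
    "api_token": "hunter2",                       # committed in plaintext
    "sops": {**_META,
             "kms": _META["kms"] + [{"arn": "arn:aws:kms:us-east-1:999999999999:key/deadbeef", "enc": "AQID"}],
             "pgp": [{"fp": "0000000000000000000000000000000000000000", "enc": "..."}]},
})

if __name__ == "__main__":
    for name, text in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(name, check_sops_json(text) or "compliant")
```

Run against a real repository, the same function would be fed the output of a glob over `*.sops.json`; the allowlist is the piece to keep under review, because whoever can add an anchor there can read every secret.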

Static Website Authentication with Magic Link Made Easy

Following up on A Login Security Architecture Without Passwords, I recently had the opportunity to try out how easy it is to actually implement the "no password" login architecture. The problem to solve was publishing a small static website (an online conference program) to be accessible by several hundred people, of whom we only have the email address (that they used to sign up for the event). The event is private and the program should therefore also not be published to the open Internet, but stay private. In this example the conference program was a custom-built website published via static website hosting. The code and more information on how to get started is published at github.com/schlomo/static-website-with-magic-link-auth Problem Analysis Magic link authentication (get a link via email to log in instead of bothering with a password) is in my humble and honest opinion the best — if not only — solution for this probl...
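The core of a magic-link login is a token that only the server can mint, that is sent only to an address on the invite list, and that stops working after a short time and after one use. The following is an added illustration of that token handling in Python; it is not the code from the linked repository, whose design is not described on this page. The invite list, signing secret, site URL and 15-minute lifetime are constructed assumptions, and the single-use record is an in-memory set standing in for whatever store a real deployment uses.

```python
"""Signed, expiring, single-use magic-link tokens (illustrative; not the linked repository's code)."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example data: the invite list and a server-side signing secret.
INVITED = {"alice@example.org", "bob@example.org"}
SECRET = b"constructed-32-byte-signing-secret-change-me"
TOKEN_TTL = 15 * 60                      # seconds a link stays valid
SITE = "https://program.example.org/"    # hypothetical static site

_used_nonces: set[str] = set()           # stands in for a persistent store


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def issue_token(email: str, secret: bytes = SECRET, now: Optional[int] = None,
                ttl: int = TOKEN_TTL) -> Optional[str]:
    """Mint a token for an invited address; None otherwise.

    The caller emails SITE + '?token=' + token to that address and nowhere else,
    and shows the same "check your inbox" message whether or not the address was
    invited, so the login form does not leak the attendee list."""
    if email not in INVITED:
        return None
    exp = (now if now is not None else int(time.time())) + ttl
    payload = f"{email}|{exp}|{secrets.token_hex(8)}".encode()
    return _b64(payload) + "." + _b64(_sign(payload, secret))


def verify_token(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated email, or None if the token is forged, expired,
    for an address no longer invited, or already used."""
    try:
        p64, s64 = token.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(payload, secret)):   # constant-time check first
        return None
    email, exp, nonce = payload.decode().split("|")             # authentic, so well-formed
    current = now if now is not None else int(time.time())
    if current >= int(exp) or email not in INVITED or nonce in _used_nonces:
        return None
    _used_nonces.add(nonce)
    return email


if __name__ == "__main__":
    tok = issue_token("alice@example.org")
    print(SITE + "?token=" + tok)
    print("first use:", verify_token(tok), "second use:", verify_token(tok))
```

Verifying the signature before parsing the payload keeps the parsing code off the attack surface for unauthenticated input, and checking the invite list again at verification time means revoking someone is just removing their address.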

Univention Summit 2025 - A Status Update on Open Source Workplace Tech

Last week, I attended the Univention Summit 2025 in Bremen, and it was a very pleasant surprise. I didn't expect much, and it turned out to be an event with about 750 participants and a lot of interesting talks and vendors to meet. In the shadow of Microsoft 365 and Google Workspace, there is a vibrant and active community of companies, government agencies and schools who use OX App Suite, Nextcloud, Opentalk, Samba and even Linux desktops, to name just a few. Univention's own UCS (Univention Corporate Server) also serves as the core of the internal IT setup for many organizations who don't want to run a Microsoft Active Directory, or it complements it with additional functionality. One of the big news items that everybody talked about was of course the foundation of Opencloud, a spin-off based on Owncloud, by Peer Heinlein. I can only hope that this will ensure the continued success of Open Source file sharing and collaboration solutions. Let me share some personal hig...

Bitkom Forum Open Source 2024 in Erfurt

Triggered by a provocative LinkedIn announcement of their panel discussion The Cuckoo in the Tendering Process: When the vendor loses to itself by Peer Heinlein (Heinlein Support) and Johannes Loxen (Sernet), I attended the 10th Bitkom Open Source Forum in Erfurt. This free one-day conference on open source in a business context has become a highly informative event that is well worth attending. This year's motto, The future of open source - fair, regulated, intelligent, was exactly what I needed at the moment, and I spent the whole day in the Open Source - regulated track. Cuckoo or What Is My Business Model? The panel discussion was about the challenges Peer faces in marketing OpenTalk, the open source videoconferencing software that Heinlein Support has developed over the last few years. Competitors seem to be offering OpenTalk hosting packages in public tenders, even though they don't contribute to the code or fix bugs. In the end, Peer c...

DevOps Driving School - Explaining DevOps in 5 Minutes

DevOps is not a title, not a box to buy, nor a software to install - so how can you explain DevOps in 5 minutes, e.g. as an elevator pitch riding up to the top floor with your boss? DevOps is like a driving license for running code in production. In my opinion, this is the easiest and best explanation that everybody can understand. Specifically, it is like a motorcycle driving license, and this analogy carries surprisingly far, e.g.: motorcyclists pass a theoretical exam → Engineers should know about their obligations before working in production; motorcyclists drive on their own, the instructor drives behind and gives instructions via radio → Engineers should work in production and a DevOps coach should accompany them with expertise; motorcyclists are fully accountable for their mistakes (e.g. hitting a tree) while they learn driving → Engineers working in production are fully acc...

My Magic Zebra Printer - Why Software Rules the World

Software rules the world, and everybody is its subject. But you can be a ruler, too - if you like, I keep telling my family. Here is a little example where I try to rule my secondary printer by automating the tedious task of rotating and scaling content to print. My Little Zebra Printer My secondary printer (shown here on the shelf in my home office) is a little miracle device: it is a thermal transfer receipt printer that prints on a roll of continuous paper that is 10cm (4in) wide, specifically a Zebra GX420d. You can get such a used printer relatively cheaply. This is exactly the kind of printer you know from your local supermarket. And it is a super useful tool to have at home, as many print jobs don't require a full A4 page and don't need to be printed on fancy bright white paper with ever-lasting toner. The most common print jobs are shipping labels (no need to cut them to size), small shopping lists (fit in a pocket), little notes to stick into a book (e.g. reading order for ...

Securing Google Workspace Administration with Free Secondary Admin Accounts

This is especially useful for all Google Workspace admins who still use their regular account as domain admin. Google's security best practices for administrator accounts mention Don't use a super admin account for daily activities, and I believe that this is a really important point. If you haven't done so, I also strongly recommend going over this article as it serves as a check-list for your admin setup. Why isn't everybody using an admin account? Well, paying for yet another Google Workspace license just for admin work might be too much for you, especially for smaller domains. A Shared Admin Account - Bad Idea Some domains use a shared super admin account where every user has their own YubiKey configured as MFA. While this approach does separate regular work from admin access, it isn't a good solution IMHO: you can't know who actually used it because multiple people have access, and Google doesn...