Schlomo Schapiro

SOPS is the de-facto standard for securely storing secrets in Git repositories. It creates encrypted containers that protect the secret content. The containers are in YAML, JSON, ENV or INI format so that the regular Git operations and line-based diffs still work. Also, SOPS only encrypts the values of the secrets so that it is easy to see the purpose of a secret. SOPS files use external "trust anchors" for key material so that the ability to decrypt a SOPS file depends on the access to the appropriate decryption key or service. While SOPS files are considered secure by themselves, the security posture actually depends entirely on protecting these external trust anchors - and on controlling the trust anchors added to a SOPS file . SOPS files are often used with cloud-based key management systems (KMS), which has the great advantage of providing an online identity verification  prior to granting access to the encrypted data. A malicious actor — espe...

Following up on A Login Security Architecture Without Passwords I recently had the opportunity to try out how easy it is to actually implement the "no password" login architecture. The problem to solve was publishing a small static website (an online conference program) to be accessible by several hundred people, of whom we only have the email address (that they used to sign up for the event). The event is private and the program should therefore also not be published to the open Internet, but stay private. In this example the conference program was a custom built website published via static website hosting. The code and more information on how to get started is published at github.com/schlomo/static-website-with-magic-link-auth Problem Analysis Magic link authentication (get a link via email to log in instead of bothering with a password) is in my humble and honest opinion the best — if not only — solution for this probl...