mise-en-place

Appearance

Secrets experimental

Because env vars in mise.toml can store sensitive information, mise has built-in support for reading encrypted secrets from files. Currently, this is done with a sops implementation however other secret backends could be added in the future.

Secrets are .env.(json|yaml|toml) files with a simple structure, for example:

json
{
  "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
  "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

Env vars from this can be imported into a mise config with the following:

toml
[env]
_.file = ".env.json"

mise will automatically use a secret backend like sops if the file is encrypted.

sops

mise uses the rust rops library to interact with sops files. If you encrypt a sops file, mise will automatically decrypt it when reading the file. sops files can be in json, yaml, or toml format—however if you want to use toml you'll need to use the rops cli instead of sops. Otherwise, either sops or rops will work fine.

INFO

Currently age is the only sops encryption method supported.

In order to encrypt a file with sops, you'll first need to install it (mise use -g sops). You'll also need to install age (mise use -g age) to generate a keypair for sops to use if you have not already done so.

To generate a keypair with age run the following and note the public key that is output to use in the next command to sops:

sh
$ age-keygen -o ~/.config/mise/age.txt
Public key: <public key>

Assuming we have a .env.json file like at the top of this doc, we can now encrypt it with sops:

sh
sops encrypt -i --age "<public key>" .env.json

TIP

The -i here overwrites the file with an encrypted version. This encrypted version is safe to commit into your repo as without the private key (~/.config/mise/age.txt in this case) the file is useless.

You can later decrypt the file with sops decrypt -i .env.json or edit it in EDITOR with sops edit .env.json. However, you'll first need to set SOPS_AGE_KEY_FILE to ~/.config/mise/age.txt to decrypt the file.

Lastly, we need to add the file to our mise config which can be done with mise set _.file=.env.json.

Now when you run mise env you should see the env vars from the file:

sh
$ mise env
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

sops Settings

sops.age_key

  • Type: string(optional)
  • Env: MISE_SOPS_AGE_KEY
  • Default: None

The age private key to use for sops secret decryption.

sops.age_key_file

  • Type: Path
  • Env: MISE_SOPS_AGE_KEY_FILE
  • Default: ~/.config/mise/age.key

Path to the age private key file to use for sops secret decryption.

sops.age_recipients

  • Type: string(optional)
  • Env: MISE_SOPS_AGE_RECIPIENTS
  • Default: None

The age public keys to use for sops secret encryption.

sops.rops

  • Type: Bool
  • Env: MISE_SOPS_ROPS
  • Default: true

Use rops to decrypt sops files. Disable to shell out to sops which will slow down mise but sops may offer features not available in rops.

Licensed under the MIT License. Maintained by @jdx and friends.

Copyright © 2024 @jdx