encrypted_regex for particular nodes in yaml? #1367

Open
craighurley opened this issue Dec 7, 2023 · 4 comments

@craighurley

Hello,

For the given yaml, how can I write an encrypted_regex to only match "Default" under "B"?

A:
  Type: string
  Default: string

B:
  Type: string
  Default: string

If I use encrypted_regex: "Default", it encrypts "Default" under both "A" and "B".

Version info

$ sops -v
sops 3.8.1 (latest)

Thank you.

@felixfontein
Contributor

This isn't possible right now. What you can do is use comments to determine what to encrypt and what not. This feature has been merged in main, but isn't available in a release yet though.

@felixfontein
Contributor

Hmm, I'm sorry, actually it hasn't been merged yet. It's in #974.

@mitar
Contributor

mitar commented Jan 4, 2024

#974 is about using a comment to pick what is encrypted, not field name itself. Regex by the name itself seems to be already supported: https://github.com/getsops/sops#48encrypting-only-parts-of-a-file

I think what OP is asking for is that there might need to be another flag like encrypted_regex_path which would match against A.Default and B.Default so that one could pick exactly which field to encrypt based on its name. Currently it seems we match just the Default part.

Would changing existing encrypted_regex to match the whole path be too much of a breaking change?

@felixfontein
Contributor

> Would changing existing encrypted_regex to match the whole path be too much of a breaking change?

IMO yes. I don't think this is something we will add anytime soon though, so using comments and #974 is the best way to achieve what OP wants.
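
The difference this thread turns on, as an added Go sketch that is not sops code and not written by any participant: a pattern tested against key names selects Default under both A and B, a pattern tested against the dotted path selects only B.Default, and an existing anchored pattern such as ^Default$ selects nothing once path semantics apply. The per-key model of encrypted_regex, the dotted path format and the function names are assumptions of the sketch.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// doc: the YAML from the issue as a parsed nested map (constructed sample).
var doc = map[string]any{
	"A": map[string]any{"Type": "string", "Default": "string"},
	"B": map[string]any{"Type": "string", "Default": "string"},
}

// selectLeaves returns the dotted paths of the leaves a pattern selects.
// byPath=false tests each key name on the way to the leaf (assumed model of
// encrypted_regex); byPath=true tests the whole dotted path once
// (the hypothetical encrypted_regex_path proposed in the thread).
func selectLeaves(node any, path []string, re *regexp.Regexp, byPath bool) []string {
	if m, ok := node.(map[string]any); ok {
		var out []string
		for k, v := range m {
			next := append(append([]string{}, path...), k)
			out = append(out, selectLeaves(v, next, re, byPath)...)
		}
		sort.Strings(out) // map iteration order is random
		return out
	}
	full := strings.Join(path, ".")
	if byPath {
		path = []string{full}
	}
	for _, candidate := range path {
		if re.MatchString(candidate) {
			return []string{full}
		}
	}
	return nil
}

func Selected(pattern string, byPath bool) []string {
	return selectLeaves(doc, nil, regexp.MustCompile(pattern), byPath)
}

func main() {
	fmt.Println(Selected("Default", false))     // both A.Default and B.Default
	fmt.Println(Selected(`^B\.Default$`, true)) // only B.Default
	fmt.Println(Selected("^Default$", true))    // nothing: anchored key patterns break
}
```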
