SOPS

Mozilla SOPS for encrypting secrets in config files. Supports AWS KMS, GCP KMS, Azure Key Vault, and PGP.

41 commands

Browse by Topic

Getting Started

Quick setup and installation

3commands

Encryption

Encrypt files

10commands

Decryption

Decrypt files

7commands

Editing

Edit encrypted files

5commands

Key Management

Manage keys

8commands

Configuration

SOPS config

8commands

Install SOPS (macOS)

$ brew install sops

Install SOPS secrets manager using Homebrew on macOS

Check SOPS version

$ sops --version

Verify SOPS installation and display version info

Install SOPS (Go)

$ go install github.com/getsops/sops/v3/cmd/sops@latest

Install SOPS using Go on any platform with Go installed

Encrypt file with age

$ sops -e --age age1xxx secrets.yaml > secrets.enc.yaml

Encrypt YAML file using age key.

Encrypt in place

$ sops -e -i secrets.yaml

Encrypt file in place.

Encrypt with AWS KMS

$ sops -e --kms arn:aws:kms:us-east-1:123:key/xxx secrets.yaml

Encrypt using AWS KMS key.

Encrypt specific keys

$ sops -e --encrypted-regex '^(password|secret)$' config.yaml

Encrypt only matching keys.

Encrypt JSON

$ sops -e secrets.json > secrets.enc.json

Encrypt JSON file.

Encrypt with GCP KMS

$ sops -e --gcp-kms projects/myproj/locations/global/keyRings/myring/cryptoKeys/mykey secrets.yaml

Encrypt using Google Cloud KMS.

Encrypt with Azure Key Vault

$ sops -e --azure-kv https://myvault.vault.azure.net/keys/mykey/version secrets.yaml

Encrypt using Azure Key Vault.

Encrypt with multiple keys

$ sops -e --age age1key1,age1key2 secrets.yaml

Encrypt for multiple age recipients.

Exclude keys from encryption

$ sops -e --unencrypted-regex '^(metadata|description)$' config.yaml

Leave matching keys unencrypted.

Encrypt .env file

$ sops -e --input-type dotenv --output-type dotenv .env > .env.enc

Encrypt a dotenv file.

Decrypt file

$ sops -d secrets.enc.yaml > secrets.yaml

Decrypt YAML file.

Decrypt to stdout

$ sops -d secrets.enc.yaml

Decrypt and print to stdout.

Extract specific key

$ sops -d --extract '["db"]["password"]' secrets.enc.yaml

Extract single value from encrypted file.

Decrypt in place

$ sops -d -i secrets.enc.yaml

Decrypt file in place.

Decrypt and run as env vars

$ sops exec-env secrets.enc.yaml 'my-app --start'

Decrypt and pass as environment to command.

Decrypt and run with temp file

$ sops exec-file secrets.enc.yaml 'my-app --config {}'

Decrypt to temp file and pass to command.

Decrypt for piping

$ sops -d secrets.enc.yaml | kubectl apply -f -

Decrypt and pipe to another command.

Edit encrypted file

$ sops secrets.enc.yaml

Open encrypted file in editor.

Edit with specific editor

$ EDITOR=vim sops secrets.enc.yaml

Edit using specific editor.

Set single value

$ sops set secrets.enc.yaml '["db"]["password"]' '"newpassword"'

Set a specific value without opening editor.

Edit and rotate keys

$ sops --rotate secrets.enc.yaml

Rotate data key while editing.

Edit with VS Code

$ EDITOR='code --wait' sops secrets.enc.yaml

Edit using VS Code as editor.

Rotate data key

$ sops -r secrets.enc.yaml

Rotate the data encryption key.

Add new key

$ sops updatekeys --add-age age1newkey secrets.enc.yaml

Add a new age key to file.

Remove key

$ sops updatekeys --rm-age age1oldkey secrets.enc.yaml

Remove an age key from file.

Generate age key

$ age-keygen -o keys.txt

Generate new age keypair.

Add KMS key to file

$ sops updatekeys --add-kms arn:aws:kms:us-east-1:123:key/xxx secrets.enc.yaml

Add an AWS KMS key to encrypted file.

Remove KMS key from file

$ sops updatekeys --rm-kms arn:aws:kms:us-east-1:123:key/xxx secrets.enc.yaml

Remove an AWS KMS key from file.

Set SOPS_AGE_KEY_FILE

$ export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt

Set age key file path via env var.

Rotate data key in place

$ sops -r -i secrets.enc.yaml

Rotate and write data key in place.

Create .sops.yaml

$ creation_rules: - path_regex: secrets/.*\.yaml$ age: age1xxx

Example .sops.yaml configuration.

List key groups

$ sops groups secrets.enc.yaml

Show key groups for encrypted file.

Exec with decrypted env

$ sops exec-env secrets.enc.yaml 'echo $DB_PASSWORD'

Export decrypted values as environment.

Multiple creation rules

$ creation_rules: - path_regex: prod/.*\.yaml$ kms: arn:aws:kms:... - path_regex: dev/.*\.yaml$ age: age1xxx

Different keys per environment path.

Key groups with threshold

$ creation_rules: - path_regex: .*\.yaml$ shamir_threshold: 2 key_groups: - age: - age1key1 - age: - age1key2

Require N of M keys to decrypt.

Encrypted regex in config

$ creation_rules: - path_regex: config/.*\.yaml$ encrypted_regex: '^(password|token|secret)$' age: age1xxx

Encrypt only secret keys via config rule.

Publish to Vault

$ sops publish --vault vault://secret/data/myapp secrets.enc.yaml

Publish decrypted secrets to HashiCorp Vault.

Show file metadata

$ sops filestatus secrets.enc.yaml

Show encryption metadata of a file.

Discussion

Loading comments...

SOPS

Mozilla SOPS for encrypting secrets in config files. Supports AWS KMS, GCP KMS, Azure Key Vault, and PGP.

41 commands

Browse by Topic

Getting Started

Quick setup and installation

3commands

Encryption

Encrypt files

10commands

Decryption

Decrypt files

7commands

Editing

Edit encrypted files

5commands

Key Management

Manage keys

8commands

Configuration

SOPS config

8commands

Install SOPS (macOS)

$ brew install sops

Install SOPS secrets manager using Homebrew on macOS

Check SOPS version

$ sops --version

Verify SOPS installation and display version info

Install SOPS (Go)

$ go install github.com/getsops/sops/v3/cmd/sops@latest

Install SOPS using Go on any platform with Go installed

Encrypt file with age

$ sops -e --age age1xxx secrets.yaml > secrets.enc.yaml

Encrypt YAML file using age key.

Encrypt in place

$ sops -e -i secrets.yaml

Encrypt file in place.

Encrypt with AWS KMS

$ sops -e --kms arn:aws:kms:us-east-1:123:key/xxx secrets.yaml

Encrypt using AWS KMS key.

Encrypt specific keys

$ sops -e --encrypted-regex '^(password|secret)$' config.yaml

Encrypt only matching keys.

Encrypt JSON

$ sops -e secrets.json > secrets.enc.json

Encrypt JSON file.

Encrypt with GCP KMS

$ sops -e --gcp-kms projects/myproj/locations/global/keyRings/myring/cryptoKeys/mykey secrets.yaml

Encrypt using Google Cloud KMS.

Encrypt with Azure Key Vault

$ sops -e --azure-kv https://myvault.vault.azure.net/keys/mykey/version secrets.yaml

Encrypt using Azure Key Vault.

Encrypt with multiple keys

$ sops -e --age age1key1,age1key2 secrets.yaml

Encrypt for multiple age recipients.

Exclude keys from encryption

$ sops -e --unencrypted-regex '^(metadata|description)$' config.yaml

Leave matching keys unencrypted.

Encrypt .env file

$ sops -e --input-type dotenv --output-type dotenv .env > .env.enc

Encrypt a dotenv file.

Decrypt file

$ sops -d secrets.enc.yaml > secrets.yaml

Decrypt YAML file.

Decrypt to stdout

$ sops -d secrets.enc.yaml

Decrypt and print to stdout.

Extract specific key

$ sops -d --extract '["db"]["password"]' secrets.enc.yaml

Extract single value from encrypted file.

Decrypt in place

$ sops -d -i secrets.enc.yaml

Decrypt file in place.

Decrypt and run as env vars

$ sops exec-env secrets.enc.yaml 'my-app --start'

Decrypt and pass as environment to command.

Decrypt and run with temp file

$ sops exec-file secrets.enc.yaml 'my-app --config {}'

Decrypt to temp file and pass to command.

Decrypt for piping

$ sops -d secrets.enc.yaml | kubectl apply -f -

Decrypt and pipe to another command.

Edit encrypted file

$ sops secrets.enc.yaml

Open encrypted file in editor.

Edit with specific editor

$ EDITOR=vim sops secrets.enc.yaml

Edit using specific editor.

Set single value

$ sops set secrets.enc.yaml '["db"]["password"]' '"newpassword"'

Set a specific value without opening editor.

Edit and rotate keys

$ sops --rotate secrets.enc.yaml

Rotate data key while editing.

Edit with VS Code

$ EDITOR='code --wait' sops secrets.enc.yaml

Edit using VS Code as editor.

Rotate data key

$ sops -r secrets.enc.yaml

Rotate the data encryption key.

Add new key

$ sops updatekeys --add-age age1newkey secrets.enc.yaml

Add a new age key to file.

Remove key

$ sops updatekeys --rm-age age1oldkey secrets.enc.yaml

Remove an age key from file.

Generate age key

$ age-keygen -o keys.txt

Generate new age keypair.

Add KMS key to file

$ sops updatekeys --add-kms arn:aws:kms:us-east-1:123:key/xxx secrets.enc.yaml

Add an AWS KMS key to encrypted file.

Remove KMS key from file

$ sops updatekeys --rm-kms arn:aws:kms:us-east-1:123:key/xxx secrets.enc.yaml

Remove an AWS KMS key from file.

Set SOPS_AGE_KEY_FILE

$ export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt

Set age key file path via env var.

Rotate data key in place

$ sops -r -i secrets.enc.yaml

Rotate and write data key in place.

Create .sops.yaml

$ creation_rules: - path_regex: secrets/.*\.yaml$ age: age1xxx

Example .sops.yaml configuration.

List key groups

$ sops groups secrets.enc.yaml

Show key groups for encrypted file.

Exec with decrypted env

$ sops exec-env secrets.enc.yaml 'echo $DB_PASSWORD'

Export decrypted values as environment.

Multiple creation rules

$ creation_rules: - path_regex: prod/.*\.yaml$ kms: arn:aws:kms:... - path_regex: dev/.*\.yaml$ age: age1xxx

Different keys per environment path.

Key groups with threshold

$ creation_rules: - path_regex: .*\.yaml$ shamir_threshold: 2 key_groups: - age: - age1key1 - age: - age1key2

Require N of M keys to decrypt.

Encrypted regex in config

$ creation_rules: - path_regex: config/.*\.yaml$ encrypted_regex: '^(password|token|secret)$' age: age1xxx

Encrypt only secret keys via config rule.

Publish to Vault

$ sops publish --vault vault://secret/data/myapp secrets.enc.yaml

Publish decrypted secrets to HashiCorp Vault.

Show file metadata

$ sops filestatus secrets.enc.yaml

Show encryption metadata of a file.

Discussion

Loading comments...