sops
Encrypt and decrypt secrets managed in files
TLDR
Encrypt a file
Decrypt a file to stdout
Update the declared keys in a sops file
Rotate data keys for a sops file
Change the extension of the file once encrypted
Extract keys by naming them, and array elements by numbering them
Show the difference between two sops files
SYNOPSIS
sops [flags]
PARAMETERS
--age string
age key to use for encryption. Can specify multiple times. (e.g., `--age age1ql3z7hjy5u8j2xvqz5jzgc3spemghhg77zrv5zmdkg5q5kpqsq4aq9as4w`)
--azure-kv string
Azure Key Vault URI to use for encryption. Can specify multiple times. (e.g., `--azure-kv https://myvault.vault.azure.net`)
--config string
Path to the sops configuration file (default is $HOME/.config/sops/config.yaml)
--data-key-creation-threshold int
Threshold of keys needed to create a new data key (default 2)
--decrypt
Decrypt the input file and print the plaintext to stdout.
--encrypt
Encrypt the input file (default).
--extract string
Path within the document of the value to extract (name keys, number array elements). Requires --output-type to be specified.
--gcp-kms string
Google Cloud KMS key to use for encryption. Can specify multiple times. (e.g., `--gcp-kms projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key`)
--help
Show help message.
--ignore-mac
Ignore MAC errors when decrypting (dangerous: the MAC is what detects tampering with the encrypted values).
--in-place
Overwrite the input file with the encrypted/decrypted output. Implies -w and is not compatible with -o.
--kms string
AWS KMS key ARN to use for encryption. Can specify multiple times. (e.g., `--kms arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`)
--no-encryption
Remove encryption from the input file.
--output-type string
Specifies the type of file to output (json, yaml, dot). Defaults to the type of the input file, or yaml if the input is stdin.
--output-file string
File to write the output to; defaults to standard output, or to the input file when --in-place is used. The path is resolved relative to SOPS_FILE_DIR or SOPS_FILE.
--set string
Key-value pair to set in the file. Can specify multiple times. (e.g., `--set key=value`)
--unsupported-no-modify
Do not modify unsupported files.
--vault string
HashiCorp Vault transit engine path to use for encryption. Can specify multiple times. (e.g., `--vault transit/keys/my-key`)
--version
Show version information.
--write
Write the output to the input file. Same as --in-place. DEPRECATED
DESCRIPTION
sops (Secrets OPerationS) is a command-line tool and library for managing encrypted secrets stored in YAML, JSON, ENV, INI and DOTENV files. It allows teams to safely share secrets across environments by encrypting the sensitive data within the files, while leaving the rest of the file readable.
sops uses a combination of encryption technologies, including AWS KMS, Google Cloud KMS, Azure Key Vault, HashiCorp Vault, and age (a simple, modern encryption tool) to encrypt data. This provides flexibility and choice in how secrets are managed. The tool supports multiple encryption providers, allowing teams to select the best option for their infrastructure.
sops is designed for use with version control systems, making it easy to track changes to secrets and collaborate on configuration files. This promotes security by enabling audit trails and simplifies the process of updating and managing sensitive information across the organization.
CAVEATS
Incorrectly configured KMS, GCP KMS, Azure KV, HashiCorp Vault or age can result in data loss. Always back up files before modification. Ensure proper access control for encryption keys.
FILE FORMAT SUPPORT
sops natively supports YAML, JSON, ENV, INI and DOTENV file formats, allowing you to encrypt secrets within these structured file types.
sops detects the file type from the file extension; --output-type overrides the detected type.
ENCRYPTION PROVIDER PRIORITY
sops uses the following order of precedence when looking for master keys to use for encryption and decryption: AWS KMS, Google Cloud KMS, Azure Key Vault, HashiCorp Vault, age.
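The following added example is not part of sops; it shows what can be checked about a sops-encrypted file without any master key, using only the public file layout: each secret is a leaf wrapped in an ENC[AES256_GCM,...] envelope, the per-file data key is wrapped once per master key (age recipient, KMS ARN, ...) in the top-level `sops` block, and that block also records the key-selection rule (unencrypted_suffix, encrypted_suffix or encrypted_regex) and a MAC over the plaintext values. It walks a constructed JSON document (the age recipient and KMS ARN are the ones from the flag list above, the ciphertexts are placeholders), lists the declared master keys, flags plaintext leaves that the rule says should have been encrypted (a useful pre-commit check), reports whether a MAC is recorded at all (only `sops --decrypt` without --ignore-mac can actually verify it), and resolves a selector in the `["key"][index]` form that --extract accepts. Function names and the sample data are the example's own; the sops metadata field names match the tool's output.

```python
"""Audit a sops-encrypted JSON document without decrypting it (added example)."""
import json
import re

# Shape of every sops-encrypted leaf: an AES256-GCM envelope tagged with the original type.
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]*,iv:[A-Za-z0-9+/=]*,"
    r"tag:[A-Za-z0-9+/=]*,type:(str|int|float|bool|comment)\]$"
)
# sops metadata list name -> field that names the master key in each entry.
MASTER_KEY_FIELDS = {
    "age": "recipient", "kms": "arn", "gcp_kms": "resource_id",
    "azure_kv": "vault_url", "hc_vault": "vault_address", "pgp": "fp",
}
# Parses --extract style selectors such as ["smtp"]["password"] or ["hosts"][0].
PATH_PART_RE = re.compile(r'\[(?:"([^"]*)"|(\d+))\]')

B64 = "cGxhY2Vob2xkZXI="  # constructed placeholder base64, not real ciphertext


def env(data, typ="str"):
    """Build an envelope in the sops leaf format with placeholder iv/tag."""
    return f"ENC[AES256_GCM,data:{data},iv:{B64},tag:{B64},type:{typ}]"


# Constructed sample document; the `enc` blobs (wrapped data keys) are placeholders.
SAMPLE = json.dumps({
    "db_password": env("c2VjcmV0"),
    "replicas": env("Mw==", "int"),
    "hosts": [env("aG9zdDE="), env("aG9zdDI=")],
    "region_unencrypted": "eu-west-1",
    "smtp": {"password": "hunter2"},  # plaintext where an envelope is expected
    "sops": {
        "age": [{"recipient": "age1ql3z7hjy5u8j2xvqz5jzgc3spemghhg77zrv5zmdkg5q5kpqsq4aq9as4w",
                 "enc": "<placeholder age-wrapped data key>"}],
        "kms": [{"arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                 "enc": "<placeholder kms-wrapped data key>"}],
        "mac": env("bWFj"),
        "unencrypted_suffix": "_unencrypted",
        "version": "<placeholder>",
    },
})


def is_encrypted(value):
    return isinstance(value, str) and ENC_RE.match(value) is not None


def expects_encryption(path, meta):
    """Apply the key-selection rule recorded in the sops block to a leaf path.
    List indices (ints) never take part; a file carries at most one rule."""
    keys = [k for k in path if isinstance(k, str)]
    if "encrypted_regex" in meta:
        return any(re.search(meta["encrypted_regex"], k) for k in keys)
    if "encrypted_suffix" in meta:
        return any(k.endswith(meta["encrypted_suffix"]) for k in keys)
    suffix = meta.get("unencrypted_suffix", "_unencrypted")
    return not any(k.endswith(suffix) for k in keys)


def walk(node, path=()):
    """Yield (path, leaf) for every leaf outside the top-level sops block."""
    if isinstance(node, dict):
        for k, v in node.items():
            if not path and k == "sops":
                continue
            yield from walk(v, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, path + (i,))
    else:
        yield path, node


def extract(document_text, selector):
    """Follow a sops-style selector such as ["hosts"][1]; returns the leaf as stored."""
    node = json.loads(document_text)
    for name, index in PATH_PART_RE.findall(selector):
        node = node[int(index)] if index else node[name]
    return node


def audit(document_text):
    doc = json.loads(document_text)
    meta = doc.get("sops", {})
    report = {"master_keys": [], "encrypted": [], "plaintext_ok": [],
              "plaintext_leaks": [], "mac_recorded": is_encrypted(meta.get("mac"))}
    for section, field in MASTER_KEY_FIELDS.items():
        for entry in meta.get(section, []):
            report["master_keys"].append(f"{section}:{entry.get(field, '?')}")
    for path, value in walk(doc):
        dotted = ".".join(str(p) for p in path)
        if is_encrypted(value):
            report["encrypted"].append(dotted)
        elif expects_encryption(path, meta):
            report["plaintext_leaks"].append(dotted)
        else:
            report["plaintext_ok"].append(dotted)
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Run against the sample, the report lists the two master keys, marks region_unencrypted as legitimately plaintext because of the recorded suffix rule, and reports smtp.password as a leak; in a repository hook, a non-empty plaintext_leaks list or a missing MAC is the condition to fail on. Rotating data keys or updating the declared keys changes only the `sops` block, so the same check also shows which master keys a file currently depends on.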
HISTORY
sops was created to address the need for a secure and collaborative way to manage secrets in configuration files. It has gained popularity within the DevOps and security communities due to its ease of use, versatility, and integration with popular cloud providers and encryption technologies. The project is actively maintained and evolves with new features and improvements.