LinuxCommandLibrary

sops

Encrypt and decrypt secrets managed in files

TLDR

Encrypt a file
$ sops -e [path/to/file.json] > [path/to/file.enc.json]

Decrypt a file to stdout
$ sops -d [path/to/file.enc.json]

Update the declared keys in a sops file
$ sops updatekeys [path/to/file.enc.yaml]

Rotate data keys for a sops file
$ sops -r [path/to/file.enc.yaml]

Decrypt a file whose extension does not match its format by declaring the input type explicitly
$ sops -d --input-type json [path/to/file.enc.json]

Extract keys by naming them, and array elements by numbering them
$ sops -d --extract '["an_array"][1]' [path/to/file.enc.json]

Show the difference between two sops files
$ diff <(sops -d [path/to/secret1.enc.yaml]) <(sops -d [path/to/secret2.enc.yaml])

SYNOPSIS

sops [flags]

PARAMETERS

--age string
    age key to use for encryption. Can specify multiple times. (e.g., `--age age1ql3z7hjy5u8j2xvqz5jzgc3spemghhg77zrv5zmdkg5q5kpqsq4aq9as4w`)

--azure-kv string
    Azure Key Vault URI to use for encryption. Can specify multiple times. (e.g., `--azure-kv https://myvault.vault.azure.net`)

--config string
    Path to the sops configuration file (default is $HOME/.config/sops/config.yaml)

--data-key-creation-threshold int
    Threshold of keys needed to create a new data key (default 2)

--decrypt
    Decrypt the input file and print the plaintext to stdout.

--encrypt
    Encrypt the input file (default).

--extract string
    Path of the key or branch to extract from the encrypted file (e.g., `--extract '["an_array"][1]'`). Requires --output-type to be specified.

--gcp-kms string
    Google Cloud KMS key to use for encryption. Can specify multiple times. (e.g., `--gcp-kms projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key`)

--help
    Show help message.

--ignore-mac
    Ignore MAC errors when decrypting (dangerous).

--in-place
    Overwrite the input file with the encrypted/decrypted output. Implies -w and is not compatible with -o.

--kms string
    AWS KMS key ARN to use for encryption. Can specify multiple times. (e.g., `--kms arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`)

--no-encryption
    Remove encryption from the input file.

--output-type string
    Specifies the type of file to output (json, yaml, dot). Defaults to the same as the input file, or yaml if input is stdin.

--output-file string
    File to write the output to; defaults to standard output, or to the input file when --in-place is used. Will write to a file relative to SOPS_FILE_DIR or SOPS_FILE.

--set string
    Key-value pair to set in the file. Can specify multiple times. (e.g., `--set key=value`)

--unsupported-no-modify
    Do not modify unsupported files.

--vault string
    HashiCorp Vault transit engine path to use for encryption. Can specify multiple times. (e.g., `--vault transit/keys/my-key`)

--version
    Show version information.

--write
    Write the output back to the input file. Same as --in-place (deprecated).

DESCRIPTION

sops (Secrets OPerationS) is a command-line tool and library for managing encrypted secrets stored in YAML, JSON, ENV, INI and DOTENV files. It lets teams share secrets safely across environments by encrypting only the sensitive values within a file, while leaving the rest of the file readable.
sops can protect data with several key providers, including AWS KMS, Google Cloud KMS, Azure Key Vault, HashiCorp Vault, and age (a simple, modern encryption tool), so teams can pick the provider that fits their infrastructure; more than one provider may be declared for the same file.
sops is designed for use with version control systems, making it easy to track changes to secrets and collaborate on configuration files. Encrypted files can be committed and reviewed like any other, which gives an audit trail and simplifies updating sensitive information across an organization.
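
A pre-commit style check that a sops JSON file is fully encrypted before it is pushed, added here as an example and not part of this page or the sops project. It assumes sops' default behaviour of encrypting every value except those under keys ending in `_unencrypted`, relies on the ENC[AES256_GCM,...] envelope and metadata key-group names that sops writes, and reports paths in the same `["key"][index]` syntax that `--extract` uses above:

```python
import base64
import json
import re

# An encrypted leaf as sops writes it: AES-256-GCM envelope with base64 fields.
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:(?P<data>[A-Za-z0-9+/=]*),iv:(?P<iv>[A-Za-z0-9+/=]+),"
                    r"tag:(?P<tag>[A-Za-z0-9+/=]+),type:(?:str|int|float|bool|comment)\]$")
# Master-key groups sops records in its metadata block, one per provider.
KEY_GROUPS = ("kms", "gcp_kms", "azure_kv", "hc_vault", "age", "pgp")

def check_envelope(value):
    """None if value is a well-formed sops envelope, otherwise a short reason."""
    m = ENC_RE.match(value)
    if not m:
        return "plaintext"
    try:
        iv, tag = (base64.b64decode(m[g], validate=True) for g in ("iv", "tag"))
        base64.b64decode(m["data"], validate=True)
    except ValueError:
        return "bad base64"
    return None if len(iv) == 12 and len(tag) == 16 else "bad GCM iv/tag length"  # 96-bit nonce, 128-bit tag

def walk(node, path=""):
    """Yield (path, reason) for each leaf that is not a valid envelope; paths use --extract syntax."""
    if isinstance(node, dict):
        for k, v in node.items():
            if not k.endswith("_unencrypted"):  # sops' default unencrypted_suffix
                yield from walk(v, f'{path}["{k}"]')
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    else:
        reason = check_envelope(node) if isinstance(node, str) else "plaintext"
        if reason:
            yield path, reason

def lint_sops_json(text):
    """Findings for a sops JSON document; an empty list means it is safe to commit."""
    doc = json.loads(text)
    meta = doc.pop("sops", {})  # metadata is never encrypted, so check it separately
    findings = list(walk(doc))
    if "mac" not in meta:
        findings.append(('["sops"]["mac"]', "missing MAC; tampering would go undetected"))
    if not any(g in meta for g in KEY_GROUPS):
        findings.append(('["sops"]', "no master key group; nobody can decrypt this"))
    return findings

IV, TAG, DATA = (base64.b64encode(bytes(n)).decode() for n in (12, 16, 8))  # constructed: right lengths
ENC = f"ENC[AES256_GCM,data:{DATA},iv:{IV},tag:{TAG},type:str]"
SAMPLE = json.dumps({"db_password": ENC, "hosts": [ENC, "db.internal.example"], "replicas": 3,
                     "sops": {"age": [{"recipient": "age1-constructed", "enc": "constructed"}]}})
```

Running lint_sops_json(SAMPLE) flags the leaked host name, the plaintext integer and the missing MAC; a clean file returns an empty list.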

CAVEATS

Incorrectly configured KMS, GCP KMS, Azure KV, HashiCorp Vault or age can result in data loss. Always back up files before modification. Ensure proper access control for encryption keys.

FILE FORMAT SUPPORT

sops natively supports YAML, JSON, ENV, INI and DOTENV file formats, allowing you to encrypt secrets within these structured file types.
It detects the file type from the extension; when the extension is missing or misleading, declare the type explicitly with --input-type, and choose a different output format with --output-type.

ENCRYPTION PROVIDER PRIORITY

sops uses the following order of precedence when looking for master keys to use for encryption and decryption: AWS KMS, Google Cloud KMS, Azure Key Vault, HashiCorp Vault, age.

HISTORY

sops was created to address the need for a secure and collaborative way to manage secrets in configuration files. It has gained popularity within the DevOps and security communities due to its ease of use, versatility, and integration with popular cloud providers and encryption technologies. The project is actively maintained and evolves with new features and improvements.

SEE ALSO

age(1), gpg(1)
