# Mozilla SOPS

Secrets Operations - encrypt secrets in files.


# Overview

SOPS encrypts the values in YAML/JSON/ENV/INI files and leaves the keys readable, so key names and file structure remain visible to anyone who can read the file.


# Installation

bash
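# macOS
brew install sops

# Linux: download the release binary together with the release's checksums file.
# -f makes curl fail on an HTTP error instead of saving the error page as "sops".
curl -fLO https://github.com/getsops/sops/releases/download/v3.8.0/sops-v3.8.0.linux.amd64
curl -fLO https://github.com/getsops/sops/releases/download/v3.8.0/sops-v3.8.0.checksums.txt

# Verify the download before it goes onto PATH; the install step only runs if
# the hash matches. A checksum fetched from the same host catches corruption
# and truncation, not a tampered release: for that, also verify the signature
# the project publishes over the checksums file (see the release notes).
sha256sum -c sops-v3.8.0.checksums.txt --ignore-missing &&
  # install(1) copies the file as root with mode 0755. A plain "sudo mv" keeps
  # the downloading user's ownership, which leaves a binary on PATH that an
  # unprivileged account can overwrite.
  sudo install -m 0755 sops-v3.8.0.linux.amd64 /usr/local/bin/sops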

# Usage with AGE

bash
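# Generate key
# key.txt holds the PRIVATE key: keep it out of version control and backups
# that other people can read. Anyone holding it can decrypt every file
# encrypted to this recipient.
age-keygen -o key.txt

# Create config
# Replace the placeholder with the public key age-keygen printed (it is also
# recorded as a comment line inside key.txt). The quoted 'EOF' delimiter writes
# the body literally, with no shell expansion.
cat > .sops.yaml <<'EOF'
creation_rules:
  - age: age1...public_key...
EOF

# Encrypt (needs only the public key from .sops.yaml)
# secrets.yaml is still plaintext on disk afterwards; delete it or keep it
# untracked once the encrypted copy has been checked.
sops -e secrets.yaml > secrets.enc.yaml

# Point SOPS at the private key. Without this it only looks in its default
# per-user key location, so decrypting with a key.txt in the working directory
# fails.
export SOPS_AGE_KEY_FILE="$PWD/key.txt"

# Decrypt (writes the plaintext to stdout)
sops -d secrets.enc.yaml

# Edit in-place (opens the decrypted content in $EDITOR and re-encrypts on save)
sops secrets.enc.yaml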

# Encrypted File

yaml
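# Encrypted - only values are encrypted; key names stay readable
database:
  # Constructed sample value. "host" does not match encrypted_regex below, so
  # SOPS leaves it in plaintext. Only put non-sensitive data under such keys.
  host: db.example.internal
  password: ENC[AES256_GCM,data:def...,tag:uvw...]
sops:
  # Metadata abbreviated for the example; a real file also stores the wrapped
  # data key for each recipient and a MAC used to detect tampering.
  age:
    - recipient: age1...
  # Only keys whose name matches this regex have their values encrypted.
  encrypted_regex: ^(password|secret)$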

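> [!TIP]
> Pro Tip: Combine SOPS with Git to store encrypted secrets in repos! Commit only the encrypted files; keep the age private key (`key.txt`) and any plaintext originals such as `secrets.yaml` out of the repository.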