4 minute read


sops (Secrets OPerationS) is a tool used to encrypt/decrypt YAML, JSON, BINARY, ENV files. It supports these operations using AWS KMS, GCP KMS, Azure Key Vault, age and good ol’ PGP.

With sops we can encrypt files containing sensitive data and store/version them in Git. We can also extend by uploading the secret key to our favourite CI/CD tool to automate decryption.

Here are some basic usecases of sops:

Key points

  1. To encrypt a file, we specify the KMS resource identifier (eg AWS ARN, GCP resource ID) or public key fingerprint (eg Age, PGP)
  2. sops encrypts all the values in YAML/JSON file and also appends a metadata section at the end of the encrypted output
  3. To be precise, sops generate a random 256 bit “data” key encrypted by KMS or PGP “master” key
  4. Similarly, to decrypt we need to have access to the KMS resource or the actual Age/PGP “master” key that was used to encrypt “data” key
  5. sops supports encrypting with multiple “master” keys. By default it allows decryption using any of the “master” keys available, making it easy to manage and share secrets with team members
  6. However, in some scenarios it is sometimes desirable to require access to multiple “master” keys in order to decrypt file. This can be achieved in sops by using the concept of “key groups”. Under the hood, sops uses Shamir’s Secret Sharing and this enables us to specify a number of minimum number of “master” keys in order to decrypt the file successfully
  7. sops also supports using an easy one-liner to rotate either the “data” or “master” key. Making life easier when we want to remove users’ access or address compromised keys


Download the latest binary/executable from Github releases and move to somewhere on your PATH.

sudo curl -Ls https://github.com/mozilla/sops/releases/download/v3.7.3/sops-v3.7.3.linux.amd64 \
   -o /usr/local/bin/sops
▶ sudo chmod 755 /usr/local/bin/sops
▶ sops --version
sops 3.7.3 (latest)


Let’s use age as the backend

  1. Generate an age identity file (public-private key pair)
     ▶ age-keygen -o key.txt
     Public key: age1c580yu53ytt0nv2exx44evgwzylcyvqgsnnfpnlsqclf00mg4vdqd5q0z8
  2. Create a YAML file containing secret(s) to be encrypted
     ▶ cat > secrets.yaml <<END
     password: abc123
     array: [1, 2]
     ▶ cat secrets.yaml
     password: abc123
     array: [1, 2]
  3. Encrypt it
     ▶ sops --encrypt --age age1c580yu53ytt0nv2exx44evgwzylcyvqgsnnfpnlsqclf00mg4vdqd5q0z8 \
        secrets.yaml > secrets.enc.yaml
  4. View encrypted YAML
     ▶ cat secrets.enc.yaml
     password: ENC[AES256_GCM,data:vxU6flHc,iv:U1sHbGkidPgxKvHpGY/T0yxX6Kr7YizuTdwyk3ZeyUQ=,tag:w5bInANKnXMu42scnb7eqA==,type:str]
         - ENC[AES256_GCM,data:Ug==,iv:Nl6/5XgbFWmKaRbF2Ocw4S584dZYauvniExrn4EbZRw=,tag:be1FwF366C4yb0Zxj1/DqQ==,type:int]
         - ENC[AES256_GCM,data:sQ==,iv:cYxHg1SOjtulXxSQa8VpzimEu7b4GzYL/ovo0z23xpU=,tag:hwnoX/kWSW0/O73dkgnzkA==,type:int]
         ... # some metadata
  5. Decrypt and view original YAML
     ▶ SOPS_AGE_KEY_FILE=key.txt sops --decrypt secrets.enc.yaml
     password: abc123
         - 1
         - 2
  6. (Optional) Selectively extract only certain fields
     ▶ SOPS_AGE_KEY_FILE=key.txt sops --decrypt --extract '["password"]' secrets.enc.yaml


Public anycast by thenets

Leave a comment