SOPS Encryption
Encrypt secrets in configuration files while keeping structure visible.
When to Use This Skill
Use this skill when:
- •Encrypting secrets in Git
- •Implementing GitOps with secrets
- •Managing Kubernetes secrets as code
- •Encrypting configuration files
Prerequisites
- •SOPS installed
- •KMS access (AWS, GCP, Azure) or PGP key
Installation
bash
# macOS brew install sops # Linux wget https://github.com/getsops/sops/releases/download/v3.8.0/sops-v3.8.0.linux.amd64 chmod +x sops-v3.8.0.linux.amd64 mv sops-v3.8.0.linux.amd64 /usr/local/bin/sops
Basic Usage
bash
# Encrypt with AWS KMS sops --encrypt --kms arn:aws:kms:region:account:key/key-id secrets.yaml > secrets.enc.yaml # Decrypt sops --decrypt secrets.enc.yaml # Edit encrypted file sops secrets.enc.yaml # Encrypt in place sops --encrypt --in-place secrets.yaml
Configuration
yaml
# .sops.yaml
creation_rules:
- path_regex: .*\.prod\.yaml$
kms: arn:aws:kms:us-east-1:account:key/prod-key
- path_regex: .*\.dev\.yaml$
kms: arn:aws:kms:us-east-1:account:key/dev-key
- path_regex: .*
pgp: fingerprint
Kubernetes Integration
yaml
# encrypted secret
apiVersion: v1
kind: Secret
metadata:
name: myapp-secrets
type: Opaque
stringData:
password: ENC[AES256_GCM,data:encrypted...]
sops:
kms:
- arn: arn:aws:kms:region:account:key/key-id
bash
# With ArgoCD # Install ksops plugin for ArgoCD to decrypt secrets
Best Practices
- •Store .sops.yaml in repository
- •Use different keys per environment
- •Rotate encryption keys regularly
- •Never commit unencrypted secrets
- •Use key aliases for readability
Related Skills
- •hashicorp-vault - Centralized secrets
- •argocd-gitops - GitOps integration