AgentSkillsCN

sops-encryption

使用 Mozilla SOPS 对文件和配置进行加密。可与 AWS KMS、GCP KMS 或 PGP 集成,以实现密钥管理。适用于加密配置文件、Kubernetes 密钥,或在采用加密机密的 GitOps 实践中使用。

SKILL.md
--- frontmatter
name: sops-encryption
description: Encrypt files and configs with Mozilla SOPS. Integrate with AWS KMS, GCP KMS, or PGP for key management. Use when encrypting configuration files, Kubernetes secrets, or implementing GitOps with encrypted secrets.
license: MIT
metadata:
  author: devops-skills
  version: "1.0"

SOPS Encryption

Encrypt secrets in configuration files while keeping structure visible.

When to Use This Skill

Use this skill when:

  • Encrypting secrets in Git
  • Implementing GitOps with secrets
  • Managing Kubernetes secrets as code
  • Encrypting configuration files

Prerequisites

  • SOPS installed
  • KMS access (AWS, GCP, Azure) or PGP key

Installation

bash
# macOS
brew install sops

# Linux
wget https://github.com/getsops/sops/releases/download/v3.8.0/sops-v3.8.0.linux.amd64
chmod +x sops-v3.8.0.linux.amd64
mv sops-v3.8.0.linux.amd64 /usr/local/bin/sops

Basic Usage

bash
# Encrypt with AWS KMS
sops --encrypt --kms arn:aws:kms:region:account:key/key-id secrets.yaml > secrets.enc.yaml

# Decrypt
sops --decrypt secrets.enc.yaml

# Edit encrypted file
sops secrets.enc.yaml

# Encrypt in place
sops --encrypt --in-place secrets.yaml

Configuration

yaml
# .sops.yaml
creation_rules:
  - path_regex: .*\.prod\.yaml$
    kms: arn:aws:kms:us-east-1:account:key/prod-key
  - path_regex: .*\.dev\.yaml$
    kms: arn:aws:kms:us-east-1:account:key/dev-key
  - path_regex: .*
    pgp: fingerprint

Kubernetes Integration

yaml
# encrypted secret
apiVersion: v1
kind: Secret
metadata:
  name: myapp-secrets
type: Opaque
stringData:
  password: ENC[AES256_GCM,data:encrypted...]
sops:
  kms:
    - arn: arn:aws:kms:region:account:key/key-id
bash
# With ArgoCD
# Install ksops plugin for ArgoCD to decrypt secrets

Best Practices

  • Store .sops.yaml in repository
  • Use different keys per environment
  • Rotate encryption keys regularly
  • Never commit unencrypted secrets
  • Use key aliases for readability

Related Skills