# SOPS Decrypt

Decrypt `.enc.yaml` files back to their plaintext `.env` originals.
## Workflow

1. Detect current state:

   ```bash
   python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/detect_sops.py <project-root>
   ```

2. Verify prerequisites:
   - `tools.sops.installed` must be true. If not, tell the user to install it: `brew install sops` (macOS) or download the release binary (Linux).
   - `age_key.exists` must be true. If not, guide the user to place their age private key at the expected path, or to set the `SOPS_AGE_KEY_FILE` env var to wherever the key lives (without that variable, sops reads its default key file: `~/.config/sops/age/keys.txt` on Linux, `~/Library/Application Support/sops/age/keys.txt` on macOS).

3. Show the encrypted files from `project.encrypted_files`. If the list is empty, report "No encrypted files found" and exit.

4. Use `AskUserQuestion` (multiSelect: true) to ask which files to decrypt. For each candidate, show the target output name (e.g., `.env.local.enc.yaml` → `.env.local`). If the target file already exists, note that it will be overwritten.

5. Decrypt each selected file (decrypt the YAML, then convert it to dotenv):

   ```bash
   sops --decrypt <file>.enc.yaml > <file>.dec.yaml.tmp
   python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/dotenv_yaml.py to-dotenv <file>.dec.yaml.tmp > <target-env-file>
   rm <file>.dec.yaml.tmp
   ```

   where `<target-env-file>` is the encrypted filename with the `.enc.yaml` suffix removed. Example: `.env.local.enc.yaml` → `.env.local`. The `.tmp` file holds the plaintext secrets, so remove it as soon as the conversion finishes, and also when either command fails.

6. Verify that each decrypted file exists and is non-empty. The shell opens `<file>.dec.yaml.tmp` and `<target-env-file>` before `sops` or the converter runs, so a failure in either command can leave an empty file behind; an empty result means the step failed, not that the secrets file was empty.

7. Summary:

   | Encrypted File | Decrypted To | Status |
   |---------------------|--------------|--------|
   | .env.local.enc.yaml | .env.local   | done   |

8. Remind the user: do NOT commit the decrypted `.env` files; they should be listed in `.gitignore`.
## Key Rules

- Always check that the age private key exists before attempting decryption
- Always convert YAML→dotenv after decrypting (use the helper script)
- Warn if a decrypted file will overwrite an existing one
- Clean up `.tmp` files even if decryption fails; they contain plaintext secrets
- After decryption, remind the user that plaintext `.env` files must stay out of git
- If decryption fails with "no identity matched", this machine's age key is not one of the file's recipients; suggest running `/devtools:sops-add-key` on a machine that has access
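As an added example (not the skill's own code, nor part of sops), the following POSIX shell script carries out steps 5 through 7 of the workflow for a list of files while enforcing the rules above: temp-file cleanup on every exit path, an overwrite guard, the non-empty check, and recognition of the "no identity matched" failure. It assumes `sops` is on PATH (override with `SOPS_BIN`) and that the converter is the skill's helper invoked as in step 5 (override with `DOTENV_CONVERT`); the exit codes 2 and 3, the `FORCE` variable and the `mktemp`-based temp name are this example's own conventions.

```sh
#!/bin/sh
# Added example (not the skill's own code): decrypt selected .enc.yaml files
# following the workflow above, with the cleanup, overwrite and error rules.
# Assumed: `sops` is on PATH (override with SOPS_BIN) and the converter is the
# skill helper (override with DOTENV_CONVERT). Exit codes 2/3, the FORCE
# variable and the mktemp-based temp name are this example's own conventions.
set -eu

SOPS_BIN="${SOPS_BIN:-sops}"
# Command prefix that turns a plaintext YAML file into dotenv on stdout.
DOTENV_CONVERT="${DOTENV_CONVERT:-python3 ${CLAUDE_SKILL_DIR:-.}/../sops-setup/scripts/dotenv_yaml.py to-dotenv}"

# ".env.local.enc.yaml" -> ".env.local"; fails for names without the suffix.
target_name_for() {
  case "$1" in
    *.enc.yaml) printf '%s\n' "${1%.enc.yaml}" ;;
    *) return 1 ;;
  esac
}

# Map sops stderr text to an outcome the caller can act on.
classify_sops_error() {
  case "$1" in
    *"no identity matched"*) echo unauthorized-key ;;
    *) echo other ;;
  esac
}

# Decrypt one file into its dotenv target. Exit status: 0 done,
# 2 this machine's age key is not a recipient, 3 target exists and the
# 2nd argument is not "yes", 1 any other failure. The body runs in a
# subshell so the EXIT trap removes the plaintext temp file on every path.
decrypt_one() (
  enc="$1"; force="${2:-no}"
  target="$(target_name_for "$enc")" || { echo "skip: $enc lacks .enc.yaml suffix" >&2; exit 1; }
  if [ -e "$target" ] && [ "$force" != yes ]; then
    echo "$enc: $target exists; pass yes as the 2nd argument to overwrite" >&2
    exit 3
  fi
  # mktemp creates the temp file mode 0600, unlike a plain > redirect.
  tmp="$(mktemp "${target}.dec.yaml.XXXXXX")"
  err="$(mktemp)"
  trap 'rm -f "$tmp" "$err"' EXIT
  if ! "$SOPS_BIN" --decrypt "$enc" >"$tmp" 2>"$err"; then
    if [ "$(classify_sops_error "$(cat "$err")")" = unauthorized-key ]; then
      echo "$enc: this machine's age key is not a recipient; run /devtools:sops-add-key on a machine that has access" >&2
      exit 2
    fi
    echo "$enc: sops failed:" >&2; cat "$err" >&2
    exit 1
  fi
  # The redirect creates $target before the converter runs, so treat a
  # failed or empty conversion as an error and remove the stub file.
  if ! $DOTENV_CONVERT "$tmp" >"$target" || [ ! -s "$target" ]; then
    rm -f "$target"
    echo "$enc: dotenv conversion failed or produced an empty file" >&2
    exit 1
  fi
  chmod 600 "$target"
  echo "$enc -> $target"
)

# Decrypt every argument and print the summary table from the workflow.
# Returns non-zero if any file was not decrypted. Set FORCE=yes to overwrite.
decrypt_all() {
  failed=0
  printf '| Encrypted File | Decrypted To | Status |\n|---|---|---|\n'
  for enc in "$@"; do
    if decrypt_one "$enc" "${FORCE:-no}" >/dev/null; then
      status=done
    else
      case $? in
        2) status=key-not-authorized ;;
        3) status=skipped-exists ;;
        *) status=failed ;;
      esac
      failed=1
    fi
    printf '| %s | %s | %s |\n' "$enc" "$(target_name_for "$enc" || echo -)" "$status"
  done
  [ "$failed" -eq 0 ]
}

# Stand-alone use: sh sops-decrypt.sh .env.local.enc.yaml .env.prod.enc.yaml
if [ "$#" -gt 0 ]; then
  decrypt_all "$@"
fi
```

Two details matter for the plaintext window: `mktemp` creates the intermediate file with mode 0600, whereas the `>` redirect in step 5 creates it under the user's umask (often world-readable), and the `EXIT` trap inside the subshell guarantees the temp file is gone whether `sops`, the converter, or the script itself fails part-way.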