sops(1)
sops is a simple tool for managing secrets in YAML, JSON, ENV, INI and BINARY files using encryption.
Synopsis
sops [OPTIONS] [FILE]
Description
sops encrypts and decrypts data in configuration files using various key management services (AWS KMS, GCP KMS, Azure Key Vault, PGP, age) or local keys. It works transparently with YAML and JSON, encrypting only the values while preserving file structure and comments.
You can edit encrypted files directly without decrypting them first, and sops will handle encryption/decryption automatically. It's commonly used in DevOps workflows to manage secrets in Git repositories, Kubernetes configurations, and infrastructure-as-code tools.
Common options
| Flag | What it does |
|---|---|
| -e, --encrypt | encrypt a file |
| -d, --decrypt | decrypt a file and print to stdout |
| -r, --rotate | rotate data key with master key(s) |
| -i, --in-place | write encrypted output back to the input file |
| --aws-profile PROFILE | use specific AWS profile for KMS operations |
| --kms ARN | use AWS KMS key by ARN; can be specified multiple times |
| --pgp KEY_ID | encrypt with PGP key; can be specified multiple times |
| --age RECIPIENT | encrypt with age public key |
| --output-type FORMAT | output format: json, yaml, dotenv, binary (default: same as input) |
| --input-type FORMAT | specify input file format explicitly |
| -c, --config CONFIG_FILE | path to .sops.yaml configuration file |
| --show-metadata | include sops metadata in output |
Examples
encrypt secrets.yaml with default KMS key and save to secrets.yaml.enc
    sops -e secrets.yaml > secrets.yaml.enc

open and decrypt an encrypted file in your default editor ($EDITOR)
    sops secrets.yaml.enc

decrypt and print file contents to stdout (view without editing)
    sops -d secrets.yaml.enc

encrypt secrets.yaml in-place, overwriting the original file
    sops -e -i secrets.yaml

encrypt config.yaml using a specific AWS KMS key
    sops -e --kms arn:aws:kms:us-east-1:123456789012:key/12345678 config.yaml

decrypt YAML file and output as JSON
    sops -d --output-type json secrets.yaml > secrets.json

rotate the data key in secrets.yaml with current master keys
    sops -r -i secrets.yaml

encrypt file with multiple PGP keys for team sharing
    sops -e --pgp '[email protected]' --pgp '[email protected]' secrets.yaml
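
Because sops encrypts only the values and keeps the file structure, a repository check can confirm that a secrets file was actually encrypted before it is committed. The following is an added example, not part of sops: it audits a JSON document and assumes the default `_unencrypted` key suffix and the `ENC[AES256_GCM,...]` value format; the function names and sample documents are constructed for illustration.

```python
import json
import re

# Shape of a sops-encrypted scalar: ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,]*,iv:[^,]+,tag:[^,]+,type:\w+\]$")
UNENCRYPTED_SUFFIX = "_unencrypted"  # sops default; assumed not overridden


def plaintext_leaves(node, path="", exempt=False):
    """Yield the path of every leaf that is not a sops ENC[...] string."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            # Keys with the suffix (and their subtrees) are left in cleartext on purpose.
            yield from plaintext_leaves(value, child, exempt or key.endswith(UNENCRYPTED_SUFFIX))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from plaintext_leaves(value, f"{path}[{index}]", exempt)
    elif node is not None and not exempt:  # null carries no secret content
        if not (isinstance(node, str) and ENC_VALUE.match(node)):
            yield path


def audit_sops_json(text):
    """Return (has_sops_metadata, [paths of plaintext leaves])."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        return False, ["<root>"]
    meta = doc.get("sops")
    has_metadata = isinstance(meta, dict) and "mac" in meta
    body = {k: v for k, v in doc.items() if k != "sops"}
    return has_metadata, list(plaintext_leaves(body))


# Constructed samples: the ciphertext fields are placeholders, not real sops output.
ENC = "ENC[AES256_GCM,data:Q09OU1Q=,iv:SVY=,tag:VEFH,type:str]"
SAMPLE_OK = json.dumps({"db": {"user": ENC, "password": ENC},
                        "region_unencrypted": "us-east-1",
                        "sops": {"mac": ENC}})
SAMPLE_LEAK = json.dumps({"db": {"user": ENC, "password": "hunter2"},
                          "tokens": [ENC, "plain-token"],
                          "sops": {"mac": ENC}})

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("leak", SAMPLE_LEAK)):
        has_meta, leaks = audit_sops_json(sample)
        print(name, "metadata" if has_meta else "NO METADATA", leaks or "all values encrypted")
```

Run it against files staged for commit and fail the check when the metadata block is missing or any path is reported.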