### Install SOPS from Source Source: https://getsops.io/docs/installation Build and install the SOPS development branch from source. Requires Go version 1.25 or higher. ```bash $ mkdir -p $GOPATH/src/github.com/getsops/sops/ $ git clone https://github.com/getsops/sops.git $GOPATH/src/github.com/getsops/sops/ $ cd $GOPATH/src/github.com/getsops/sops/ $ make install ``` -------------------------------- ### Set up Go Environment Source: https://getsops.io/docs/installation Install Go and configure the GOPATH environment variable for building SOPS from source. Adapt commands to your system and shell. ```bash $ {apt,yum,brew} install golang $ echo 'export GOPATH=~/go' >> ~/.bashrc $ source ~/.bashrc $ mkdir $GOPATH ``` -------------------------------- ### Azure Key Vault Setup with CLI Source: https://getsops.io/docs/usage/identities/azure-kms Commands to create an Azure resource group, a Key Vault, a key within the vault, and assign permissions to a service principal. The `get` permission is required if the key version is omitted in the SOPS configuration. ```bash # Create a resource group if you do not have one: $ az group create --name sops-rg --location westeurope # Key Vault names are globally unique, so generate one: $ keyvault_name=sops-$(uuidgen | tr -d - | head -c 16) # Create a Vault, a key, and give the service principal access: $ az keyvault create --name $keyvault_name --resource-group sops-rg --location westeurope $ az keyvault key create --name sops-key --vault-name $keyvault_name --protection software --ops encrypt decrypt $ az keyvault set-policy --name $keyvault_name --resource-group sops-rg --spn $AZURE_CLIENT_ID \ --key-permissions get encrypt decrypt # Read the key id: $ az keyvault key show --name sops-key --vault-name $keyvault_name --query key.kid https://sops.vault.azure.net/keys/sops-key/some-string ``` -------------------------------- ### AWS Credentials File Example Source: https://getsops.io/docs/usage/first-steps An example of the AWS credentials file located at ~/.aws/credentials. SOPS uses this file for authentication with AWS services. ```bash $ cat ~/.aws/credentials [default] aws_access_key_id = AKI..... aws_secret_access_key = mw...... ``` -------------------------------- ### Run a Local Vault Development Server Source: https://getsops.io/docs/usage/identities/hashicorp-vault-openbao This command starts a local Vault development server using Docker. It is not recommended for production environments. Ensure you have Docker installed. ```bash $ docker run -d -p8200:8200 vault:1.2.0 server -dev -dev-root-token-id=toor ``` -------------------------------- ### Publishing to Vault with Token Authentication Source: https://getsops.io/docs/usage/publishing Example of publishing a SOPS file to Vault using environment variables for authentication and address. It includes a confirmation prompt before uploading. ```bash $ export VAULT_TOKEN=... $ export VAULT_ADDR='http://127.0.0.1:8200' $ sops decrypt vault/test.yaml example_string: bar example_number: 42 example_map: key: value $ sops publish vault/test.yaml uploading /home/user/sops_directory/vault/test.yaml to http://127.0.0.1:8200/v1/secret/data/sops/test.yaml ? (y/n): y ``` -------------------------------- ### Configure Multiple PostgreSQL Audit Backends Source: https://getsops.io/docs/usage/advanced Example configuration for SOPS auditing to multiple PostgreSQL databases. SOPS will log to all specified backends. ```yaml backends: postgres: - connection_string: "postgres://sops:sops@localhost/sops?sslmode=verify-full" - connection_string: "postgres://sops:sops@remotehost/sops?sslmode=verify-full" ``` -------------------------------- ### Check Vault Status Source: https://getsops.io/docs/usage/identities/hashicorp-vault-openbao Verify that your Vault server has started correctly and is accessible. This command displays the current status of the Vault instance. ```bash $ # to check if Vault started and is configured correctly $ vault status ``` -------------------------------- ### Test SOPS with Dev PGP Key Source: https://getsops.io/docs/usage/identities/pgp Clone the SOPS repository, import the test PGP key, and edit an example YAML file to test decryption with the provided key. ```bash $ git clone https://github.com/getsops/sops.git $ cd sops $ gpg --import pgp/sops_functional_tests_key.asc $ sops edit example.yaml ``` -------------------------------- ### Configure Single PostgreSQL Audit Backend Source: https://getsops.io/docs/usage/advanced Example configuration for SOPS auditing to a single PostgreSQL database. Ensure the database and user are set up according to the audit schema. ```yaml backends: postgres: - connection_string: "postgres://sops:sops@localhost/sops?sslmode=verify-full" ``` -------------------------------- ### Azure Key Vault Key Configuration Source: https://getsops.io/docs/reference Examples of configuring Azure Key Vault keys. You can specify a key version, or leave it empty to use the latest version. ```yaml - vaultUrl: https://vault.url key: key-name version: key-version - vaultUrl: https://vault.url key: key-name version: "" ``` -------------------------------- ### SOPS PGP Encryption Example Source: https://getsops.io/docs/reference This snippet illustrates the SOPS metadata structure for a file encrypted with PGP. It contains the PGP fingerprint, creation timestamp, and the encrypted PGP message. ```yaml sops: pgp: - fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21 created_at: 1441570391.930042 enc: | -----BEGIN PGP MESSAGE----- Version: GnuPG v1. hQIMA0t4uZHfl9qgAQ//UvGAwGePyHuf2/zayWcloGaDs0MzI+zw6CmXvMRNPUsA pAgRKczJmDu4+XzN+cxX5Iq9xEWIbny9B5rOjwTXT3qcUYZ4Gkzbq4MWkjuPp/Iv qO4MJaYzoH5YxC4YORQ2LvzhA2YGsCzYnljmatGEUNg01yJ6r5mwFwDxl4Nc80Cn RwnHuGExK8j1jYJZu/juK1qRbuBOAuruIPPWVdFB845PA7waacG1IdUW3ZtBkOy3 O0BIfG2ekRg0Nik6sTOhDUA+l2bewCcECI8FYCEjwHm9Sg5cxmP2V5m1mby+uKAm kewaoOyjbmV1Mh3iI1b/AQMr+/6ZE9MT2KnsoWosYamFyjxV5r1ZZM7cWKnOT+tu KOvGhTV1TeOfVpajNTNwtV/Oyh3mMLQ0F0HgCTqomQVqw5+sj7OWAASuD3CU/dyo pcmY5Qe0TNL1JsMNEH8LJDqSh+E0hsUxdY1ouVsg3ysf6mdM8ciWb3WRGxih1Vmf unfLy8Ly3V7ZIC8EHV8aLJqh32jIZV4i2zXIoO4ZBKrudKcECY1C2+zb/TziVAL8 qyPe47q8gi1rIyEv5uirLZjgpP+JkDUgoMnzlX334FZ9pWtQMYW4Y67urAI4xUq6 /q1zBAeHoeeeQK+YKDB7Ak/Y22YsiqQbNp2n4CKSKAE4erZLWVtDvSp+49SWmS/S XgGi+13MaXIp0ecPKyNTBjF+NOw/I3muyKr8EbDHrd2XgIT06QXqjYLsCb1TZ0zm xgXsOTY3b+ONQ2zjhcovanDp7/k77B+gFitLYKg4BLZsl7gJB12T8MQnpfSmRT4= =oJgS -----END PGP MESSAGE----- ``` -------------------------------- ### Create Encryption Keys in Vault Source: https://getsops.io/docs/usage/identities/hashicorp-vault-openbao Create one or more encryption keys within the transit engine. This example shows creating RSA and ChaCha20-Poly1305 keys with different key sizes. ```bash $ # Then create one or more keys $ vault write sops/keys/firstkey type=rsa-4096 $ vault write sops/keys/secondkey type=rsa-2048 $ vault write sops/keys/thirdkey type=chacha20-poly1305 ``` -------------------------------- ### HuaweiCloud KMS Key Configuration Source: https://getsops.io/docs/reference Example of configuring a HuaweiCloud KMS key ID. The key ID must be in the format `:`. ```yaml - key_id: tr-west-1:abc12345-6789-0123-4567-890123456789 ``` -------------------------------- ### SOPS Encrypted File Structure Source: https://getsops.io/docs/usage/first-steps An example of the structure of a SOPS-encrypted YAML file, showing encrypted values for different data types and the metadata for KMS and PGP decryption. ```yaml myapp1: ENC[AES256_GCM,data:Tr7o=,iv:1=,aad:No=,tag:k=] app2: db: user: ENC[AES256_GCM,data:CwE4O1s=,iv:2k=,aad:o=,tag:w==] password: ENC[AES256_GCM,data:p673w==,iv:YY=,aad:UQ=,tag:A=] # private key for secret operations in app2 key: |- ENC[AES256_GCM,data:Ea3kL5O5U8=,iv:DM=,aad:FKA=,tag:EA==] an_array: - ENC[AES256_GCM,data:v8jQ=,iv:HBE=,aad:21c=,tag:gA==] - ENC[AES256_GCM,data:X10=,iv:o8=,aad:CQ=,tag:Hw==] - ENC[AES256_GCM,data:KN=,iv:160=,aad:fI4=,tag:tNw==] sops: kms: - created_at: 1441570389.775376 enc: CiC....Pm1Hm arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e - created_at: 1441570391.925734 enc: Ci...awNx arn: arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d pgp: - fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21 created_at: 1441570391.930042 enc: | -----BEGIN PGP MESSAGE----- hQIMA0t4uZHfl9qgAQ//UvGAwGePyHuf2/zayWcloGaDs0MzI+zw6CmXvMRNPUsA ...=oJgS -----END PGP MESSAGE----- ``` -------------------------------- ### AWS KMS Key Configuration Source: https://getsops.io/docs/reference Example of configuring an AWS KMS master key within a key group. Ensure the ARN, role (if applicable), context, and AWS profile are correctly specified. ```yaml - arn: arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500 role: arn:aws:iam::927034868273:role/sops-dev-xyz context: Environment: production Role: web-server aws_profile: foo ``` -------------------------------- ### GCP KMS Key Configuration Source: https://getsops.io/docs/reference Example of specifying a GCP KMS resource ID for encryption. The resource ID must follow the correct format for your GCP project. ```yaml - resource_id: projects/mygcproject/locations/global/keyRings/mykeyring/cryptoKeys/thekey ``` -------------------------------- ### SOPS KMS Encryption Example Source: https://getsops.io/docs/reference This snippet shows the structure of SOPS metadata when a file is encrypted using AWS KMS. It includes the encrypted data key, timestamp, and KMS ARN. ```yaml sops: kms: - enc: CiC6yCOtzsnFhkfdIslYZ0bAf//gYLYCmIu87B3sy/5yYxKnAQEBAQB4usgjrc7JxYZH3SLJWGdGwH//4GC2ApiLvOwd7Mv+cmMAAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAyGdRODuYMHbA8Ozj8CARCAO7opMolPJUmBXd39Zlp0L2H9fzMKidHm1vvaF6nNFq0ClRY7FlIZmTm4JfnOebPseffiXFn9tG8cq7oi enc_ts: 1439568549.245995 arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e ``` -------------------------------- ### Define Creation Rules in .sops.yaml Source: https://getsops.io/docs/usage/identities/config-file Configure rules to match file paths and assign specific KMS, PGP, and age identities for encryption. The first matching rule is applied. ```yaml creation_rules: - path_regex: \.dev\.yaml$ kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla' - path_regex: \.prod\.yaml$ kms: 'arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod,arn:aws:kms:eu-central-1:361527076523:key/cb1fab90-8d17-42a1-a9d8-334968904f94+arn:aws:iam::361527076523:role/hiera-sops-prod' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla' hc_vault_uris: "http://localhost:8200/v1/sops/keys/thirdkey" - path_regex: \.gcp\.yaml$ gcp_kms: projects/mygcproject/locations/global/keyRings/mykeyring/cryptoKeys/thekey - path_regex: \.hckms\.yaml$ hckms: tr-west-1:abc12345-6789-0123-4567-890123456789,tr-west-2:def67890-1234-5678-9012-345678901234 - kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:142069644989:key/846cfb17-373d-49b9-8baf-f36b04512e47,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' ``` -------------------------------- ### Clone SOPS Documentation Repository Source: https://getsops.io/docs/contribution-guidelines Use this command to create a local copy of the SOPS documentation repository for making changes. ```bash git clone --depth 1 https://github.com/getsops/docs.git ``` -------------------------------- ### Encrypt and Decrypt Binary Files with SOPS Source: https://getsops.io/docs/usage/common-operations Demonstrates in-place encryption and decryption of binary files using SOPS. Ensure you have a binary file to test with. ```bash $ dd if=/dev/urandom of=/tmp/somerandom bs=1024 count=512 512+0 records in 512+0 records out 524288 bytes (524 kB) copied, 0.0466158 s, 11.2 MB/s ``` ```bash $ sha512sum /tmp/somerandom 9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom ``` ```bash $ sops encrypt -i /tmp/somerandom please wait while a data encryption key is being generated and stored securely ``` ```bash $ sops decrypt -i /tmp/somerandom ``` ```bash $ sha512sum /tmp/somerandom 9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom ``` -------------------------------- ### Set HuaweiCloud KMS Environment Variables Source: https://getsops.io/docs/usage/identities/huaweicloud-kms Configure authentication credentials for HuaweiCloud KMS using environment variables. Ensure these variables are set before running SOPS commands. ```bash export HUAWEICLOUD_SDK_AK="your-access-key" export HUAWEICLOUD_SDK_SK="your-secret-key" export HUAWEICLOUD_SDK_PROJECT_ID="your-project-id" ``` -------------------------------- ### Configure HuaweiCloud KMS Credentials File Source: https://getsops.io/docs/usage/identities/huaweicloud-kms Alternatively, set up HuaweiCloud KMS credentials in a local configuration file. This method is useful for managing credentials without environment variables. ```bash $ cat ~/.huaweicloud/credentials [default] ak = your-access-key sk = your-secret-key project_id = your-project-id ``` -------------------------------- ### Encrypt File using SOPS_HUAWEICLOUD_KMS_IDS Environment Variable Source: https://getsops.io/docs/usage/identities/huaweicloud-kms Encrypt a file using SOPS by specifying the HuaweiCloud KMS key ID via the SOPS_HUAWEICLOUD_KMS_IDS environment variable. This is a convenient method for single-key usage. ```bash $ export SOPS_HUAWEICLOUD_KMS_IDS="tr-west-1:abc12345-6789-0123-4567-890123456789" $ sops encrypt test.yaml > test.enc.yaml ``` -------------------------------- ### Create GCP KMS Keyring and Key Source: https://getsops.io/docs/usage/identities/google-cloud-kms Create a KMS keyring and a key for encryption using the gcloud SDK. The output shows the format of a KMS ResourceID. ```bash $ gcloud kms keyrings create sops --location global $ gcloud kms keys create sops-key --location global --keyring sops --purpose encryption $ gcloud kms keys list --location global --keyring sops ``` ```text # you should see NAME PURPOSE PRIMARY_STATE projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key ENCRYPT_DECRYPT ENABLED ``` -------------------------------- ### Configure Vault Address and Token Source: https://getsops.io/docs/usage/identities/hashicorp-vault-openbao Set the VAULT_ADDR and VAULT_TOKEN environment variables to connect to your Vault instance. The VAULT_TOKEN may not be necessary if you have already logged in. ```bash $ # Substitute this with the address Vault is running on $ export VAULT_ADDR=http://127.0.0.1:8200 $ # this may not be necessary in case you previously used `vault login` for production use $ export VAULT_TOKEN=toor ``` -------------------------------- ### Provide value from file or stdin for set command Source: https://getsops.io/docs/usage/common-operations You can provide the value for the `sops set` command from a file using `--value-file` or from standard input using `--value-stdin`. ```bash # Provide the value from a file $ echo '{"uid1":null,"uid2":1000,"uid3":["bob"]}' > /tmp/example-value $ sops set --value-file ~/git/svc/sops/example.yaml '["an_array"][1]' /tmp/example-value ``` ```bash # Provide the value from stdin $ echo '{"uid1":null,"uid2":1000,"uid3":["bob"]}' | sops set --value-stdin ~/git/svc/sops/example.yaml '["an_array"][1]' ``` -------------------------------- ### IAM Policy for KMS Role Source: https://getsops.io/docs/usage/identities/amazon-aws-kms An example IAM policy granting necessary permissions (Encrypt, Decrypt, etc.) for a role to interact with AWS KMS. This policy should be attached to the role assumed by SOPS. ```json { "Sid": "Allow use of the key", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*", "Principal": { "AWS": [ "arn:aws:iam::927034868273:role/sops-dev-xyz" ] } } ``` -------------------------------- ### Encrypt an Existing File with SOPS Source: https://getsops.io/docs/usage/common-operations Encrypt an existing cleartext file using KMS and PGP keys. Set the KMS ARN and PGP fingerprint as environment variables. The output is redirected to a new encrypted file. ```bash $ export SOPS_KMS_ARN="arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500" $ export SOPS_PGP_FP="C9CAB0AF1165060DB58D6D6B2653B624D620786D" $ sops encrypt /path/to/existing/file.yaml > /path/to/new/encrypted/file.yaml ``` -------------------------------- ### KMS Key Policy with Encryption Context Source: https://getsops.io/docs/usage/identities/amazon-aws-kms An example AWS KMS key policy that uses `StringEquals` conditions on `kms:EncryptionContext` to restrict decryption access based on specific application and file path contexts. ```json { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp" }, "Action": "kms:Decrypt", "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:AppName": "ExampleApp", "kms:EncryptionContext:FilePath": "/var/opt/secrets/" } } } ``` -------------------------------- ### Drop privileges with exec-env using --user Source: https://getsops.io/docs/usage/advanced On unix-like systems, use `sops exec-env --user ` to drop privileges before executing a command, enhancing security by running the child process with reduced permissions. ```bash # the encrypted file can't be read by the current user $ cat out.json cat: out.json: Permission denied # execute sops as root, decrypt secrets, then drop privileges $ sudo sops exec-env --user nobody out.json 'sh' sh-3.2$ echo $database_password jf48t9wfw094gf4nhdf023r # dropped privileges, still can't load the original file sh-3.2$ id uid=4294967294(nobody) gid=4294967294(nobody) groups=4294967294(nobody) sh-3.2$ cat out.json cat: out.json: Permission denied ``` -------------------------------- ### SOPS .sops.yaml Creation Rules Source: https://getsops.io/docs/usage/identities/config-file Define encryption rules based on file path regex. Supports KMS, PGP, and age keys. Configuration is ignored if keys are provided via command line or environment variables. ```yaml creation_rules: # upon creation of a file under development, # KMS set A is used - path_regex: .*/development/.* kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' # prod files use KMS set B in the PROD IAM - path_regex: .*/production/.* kms: 'arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod,arn:aws:kms:eu-central-1:361527076523:key/cb1fab90-8d17-42a1-a9d8-334968904f94+arn:aws:iam::361527076523:role/hiera-sops-prod' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' # other files use KMS set C - kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:142069644989:key/846cfb17-373d-49b9-8baf-f36b04512e47,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' ``` -------------------------------- ### Configure PGP Fingerprints for SOPS Source: https://getsops.io/docs/usage/first-steps Set the SOPS_PGP_FP environment variable with comma-separated fingerprints of your PGP public keys for encryption. ```bash export SOPS_PGP_FP="85D77543B3D624B63CEA9E6DBC17301B491B3F21,E60892BB9BD89A69F759A1A0A3D652173B763E8F" ``` -------------------------------- ### Configure PGP Keys in .sops.yaml Source: https://getsops.io/docs/usage/key-management Define PGP master keys for SOPS using the `.sops.yaml` file. This configuration is used by the `updatekeys` command. ```yaml creation_rules: - pgp: >- 85D77543B3D624B63CEA9E6D27381B491B3F21, FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 ``` -------------------------------- ### Create Azure Service Principal Source: https://getsops.io/docs/usage/identities/azure-kms Use the Azure CLI to create a Service Principal for accessing Key Vault. The output provides the necessary `appId` (client ID) and `password` (client secret). ```bash $ az ad sp create-for-rbac -n my-keyvault-sp { "appId": "", "displayName": "my-keyvault-sp", "name": "http://my-keyvault-sp", "password": "", "tenant": "" } ``` -------------------------------- ### Add Key Group to File Source: https://getsops.io/docs/usage/identities/key-groups Use this command to add a new key group with specified PGP keys and KMS ARNs to an existing SOPS file. ```bash $ sops groups add --file my_file.yaml --pgp fingerprint1 --pgp fingerprint2 --pgp fingerprint3 --kms arn1 --kms arn2 --kms arn3 ``` -------------------------------- ### Create New File with SOPS Source: https://getsops.io/docs/usage/identities/config-file Use the 'sops edit' command to create a new file, automatically applying the relevant encryption rules defined in the .sops.yaml configuration. ```bash $ sops edit .prod.yaml ``` -------------------------------- ### Encrypt and Decrypt JSON Files Source: https://getsops.io/docs/reference Use these commands to encrypt and decrypt JSON files, preserving the original file extension. If the extension changes, use the --input-type flag during decryption. ```bash $ sops encrypt -i myfile.json $ sops decrypt myfile.json ``` ```bash $ sops encrypt myfile.json > myfile.json.enc $ sops decrypt --input-type json myfile.json.enc ``` -------------------------------- ### Age Public Keys Creation Rule Source: https://getsops.io/docs/reference Defines a creation rule for SOPS using Age public keys. Multiple keys can be provided as a list. ```yaml creation_rules: - age: - age1s3cqcks5genc6ru8chl0hkkd04zmxvczsvdxq99ekffe4gmvjpzsedk23c - age1qe5lxzzeppw5k79vxn3872272sgy224g2nzqlzy3uljs84say3yqgvd0sw ``` -------------------------------- ### Configure SOPS with Vault Transit URIs via .sops.yaml Source: https://getsops.io/docs/usage/identities/hashicorp-vault-openbao Define encryption rules for SOPS using a .sops.yaml file. This allows specifying different Vault transit keys for different file paths using regex matching. ```yaml creation_rules: - path_regex: ".dev.yaml$" hc_vault_transit_uri: "$VAULT_ADDR/v1/sops/keys/secondkey" - path_regex: ".prod.yaml$" hc_vault_transit_uri: "$VAULT_ADDR/v1/sops/keys/thirdkey" ``` -------------------------------- ### Encrypt File with Verbose Output using SOPS Configuration Source: https://getsops.io/docs/usage/identities/hashicorp-vault-openbao Encrypt a file using the SOPS configuration defined in .sops.yaml. The --verbose flag provides detailed output during the encryption process. ```bash $ sops encrypt --verbose prod/raw.yaml > prod/encrypted.yaml ``` -------------------------------- ### Key Groups Configuration in .sops.yaml Source: https://getsops.io/docs/usage/identities/key-groups Define key groups and their associated PGP fingerprints and KMS ARNs within the `.sops.yaml` configuration file for creation rules. ```yaml creation_rules: - path_regex: .*keygroups.* key_groups: # First key group - pgp: - fingerprint1 - fingerprint2 kms: - arn: arn1 role: role1 context: foo: bar - arn: arn2 aws_profile: myprofile # Second key group - pgp: - fingerprint3 - fingerprint4 kms: - arn: arn3 - arn: arn4 # Third key group - pgp: - fingerprint5 ``` -------------------------------- ### Create a New Encrypted File with SOPS Source: https://getsops.io/docs/usage/common-operations Use the `sops edit` command to create a new file with data keys encrypted by KMS and PGP. Ensure you have the necessary KMS ARN and PGP fingerprint. ```bash $ sops edit --kms "arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500" --pgp C9CAB0AF1165060DB58D6D6B2653B624D620786D /path/to/new/file.yaml ``` -------------------------------- ### Azure KMS Environment Variables Source: https://getsops.io/docs/usage/identities/azure-kms Set these environment variables to authenticate with Azure Key Vault using a Service Principal. ```bash AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET ``` -------------------------------- ### Edit File with SOPS (Basic Usage) Source: https://getsops.io/docs/usage/first-steps The primary command for interacting with SOPS-encrypted files. It transparently handles decryption, opens the file in the default editor, and re-encrypts upon saving. ```bash $ sops edit ``` -------------------------------- ### YAML File with Anchors (Not Supported) Source: https://getsops.io/docs/reference SOPS does not support YAML files containing anchors, as they redefine the file structure at load time, breaking the AEAD encryption authentication. ```yaml bill-to: &id001 street: | 123 Tornado Alley Suite 16 city: East Centerville state: KS ship-to: *id001 ``` -------------------------------- ### Encrypt File using HuaweiCloud KMS Key ID Source: https://getsops.io/docs/usage/identities/huaweicloud-kms Encrypt a file using SOPS with a specified HuaweiCloud KMS key ID. The key ID must be in the format 'region:key-uuid'. ```bash $ sops encrypt --hckms tr-west-1:abc12345-6789-0123-4567-890123456789 test.yaml > test.enc.yaml ``` -------------------------------- ### Shamir Threshold Configuration in .sops.yaml Source: https://getsops.io/docs/usage/identities/key-groups Configure the Shamir's Secret Sharing threshold for specific creation rules in the `.sops.yaml` file, overriding the default. ```yaml creation_rules: - path_regex: .*keygroups.* shamir_threshold: 2 key_groups: # First key group - pgp: - fingerprint1 - fingerprint2 kms: - arn: arn1 role: role1 context: foo: bar - arn: arn2 aws_profile: myprofile # Second key group - pgp: - fingerprint3 - fingerprint4 kms: - arn: arn3 - arn: arn4 # Third key group - pgp: - fingerprint5 ``` -------------------------------- ### Encrypt with GnuPG Subkeys Source: https://getsops.io/docs/usage/identities/pgp Configure SOPS to encrypt using specific GnuPG subkeys by appending '!' to the key's fingerprint in the creation_rules. This requires SOPS version 3.9.3 or later. ```yaml creation_rules: - pgp: >- 85D77543B3D624B63CEA9E6DBC17301B491B3F21!, E60892BB9BD89A69F759A1A0A3D652173B763E8F! ``` -------------------------------- ### HuaweiCloud KMS Creation Rule Source: https://getsops.io/docs/reference Defines a creation rule for SOPS using HuaweiCloud KMS key IDs. The format requires the region and the key UUID, separated by a colon. ```yaml creation_rules: - hckms: - tr-west-1:abc12345-6789-0123-4567-890123456789 - tr-west-1:def67890-1234-5678-9012-345678901234 ``` -------------------------------- ### Edit File with PGP Keys Source: https://getsops.io/docs/security Use this command to edit a file encrypted with multiple PGP public keys. Ensure the PGP keys are correctly formatted and comma-separated. ```bash $ sops edit --pgp "E60892BB9BD89A69F759A1A0A3D652173B763E8F,84050F1D61AF7C230A12217687DF65059EF093D3,85D77543B3D624B63CEA9E6DBC17301B491B3F21" mynewfile.yaml ``` -------------------------------- ### Configure Age Recipients in .sops.yaml Source: https://getsops.io/docs/usage/identities/age Define a list of age recipients in the .sops.yaml file for automatic encryption rules. Each recipient should be on a new line. ```yaml creation_rules: - age: >- age1s3cqcks5genc6ru8chl0hkkd04zmxvczsvdxq99ekffe4gmvjpzsedk23c, age1qe5lxzzeppw5k79vxn3872272sgy224g2nzqlzy3uljs84say3yqgvd0sw ``` -------------------------------- ### PGP Key Fingerprints Creation Rule Source: https://getsops.io/docs/reference Defines a creation rule for SOPS using PGP/GPG key fingerprints. Multiple fingerprints can be specified. ```yaml creation_rules: - pgp: - 85D77543B3D624B63CEA9E6DBC17301B491B3F21! - E60892BB9BD89A69F759A1A0A3D652173B763E8F! ``` -------------------------------- ### Edit File with Custom Shamir Threshold Source: https://getsops.io/docs/usage/identities/key-groups Encrypt a file using a custom Shamir's Secret Sharing threshold, requiring a specific number of key groups to decrypt. ```bash $ sops edit --shamir-secret-sharing-threshold 2 example.json ``` -------------------------------- ### Decrypt File with Local and Remote Key Service Source: https://getsops.io/docs/usage/advanced Decrypt a file using both the local SOPS key service and a remote key service exposed on a Unix socket. Ensure the remote key service is accessible. ```bash $ sops decrypt --keyservice unix:///tmp/sops.sock file.yaml ``` -------------------------------- ### Configure JSON Indentation in .sops.yaml Source: https://getsops.io/docs/reference Configure the indentation for JSON and JSON_binary files in your .sops.yaml file. Use '2' for spaces or '-1' for a single tab. A value of '0' disables indentation. ```yaml stores: json: indent: 2 json_binary: indent: 2 ``` -------------------------------- ### Configure HuaweiCloud KMS Keys in .sops.yaml Source: https://getsops.io/docs/usage/identities/huaweicloud-kms Define HuaweiCloud KMS keys for automatic encryption rules within the SOPS configuration file. This allows SOPS to use specified keys for files matching a regex. ```yaml creation_rules: - path_regex: \.hckms\.yaml$ hckms: - tr-west-1:abc12345-6789-0123-4567-890123456789,tr-west-2:def67890-1234-5678-9012-345678901234 ``` -------------------------------- ### AWS Credentials via Environment Variables Source: https://getsops.io/docs/usage/first-steps Alternatively, specify AWS credentials using the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables. ```bash export AWS_ACCESS_KEY_ID="AKI......" export AWS_SECRET_ACCESS_KEY="mw......" ``` -------------------------------- ### Key Groups Creation Rule Source: https://getsops.io/docs/reference Defines a creation rule for SOPS using a list of key groups. Each key group can specify multiple identity types and a merge strategy for combining them. ```yaml creation_rules: - key_groups: - kms: - arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e - arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d aws_profile: foo age: - age1s3cqcks5genc6ru8chl0hkkd04zmxvczsvdxq99ekffe4gmvjpzsedk23c - age1qe5lxzzeppw5k79vxn3872272sgy224g2nzqlzy3uljs84say3yqgvd0sw pgp: - 85D77543B3D624B63CEA9E6DBC17301B491B3F21! - E60892BB9BD89A69F759A1A0A3D652173B763E8F! gcp_kms: - projects/mygcproject/locations/global/keyRings/mykeyring/cryptoKeys/thekey azure_keyvault: - https://vault.url/keys/key-name/key-version # Key with version - https://vault.url/keys/key-name/ # key without version, the latest will be used hc_vault_transit_uri: - http://my.vault/v1/sops/keys/secondkey hckms: - tr-west-1:abc12345-6789-0123-4567-890123456789 merge: - pgp: - 85D77543B3D624B63CEA9E6DBC17301B491B3F21! - age: - age1s3cqcks5genc6ru8chl0hkkd04zmxvczsvdxq99ekffe4gmvjpzsedk23c - gcp_kms: - projects/mygcproject/locations/global/keyRings/mykeyring/cryptoKeys/thekey azure_keyvault: - https://vault.url/keys/key-name/key-version ``` -------------------------------- ### AWS KMS Creation Rule Source: https://getsops.io/docs/reference Defines a creation rule for SOPS using AWS KMS master keys. Specify the AWS profile to use for these keys. ```yaml creation_rules: - kms: - arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e - arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d aws_profile: foo ``` -------------------------------- ### Add PGP Key and Rotate Data Key Source: https://getsops.io/docs/usage/key-management Rotate the data encryption key and add a new PGP key to the SOPS file simultaneously using the `rotate` command with `--add-pgp` flag. The `-i` flag modifies the file in place. ```bash # add a new pgp key to the file and rotate the data key $ sops rotate -i --add-pgp 85D77543B3D624B63CEA9E6DBC17301B491B3F21 example.yaml ``` -------------------------------- ### Edit and Encrypt a File with SOPS Source: https://getsops.io/docs/usage/first-steps Use 'sops edit' to open a file for editing. If the file does not exist, it will be created and encrypted. SOPS waits for the editor to close before re-encrypting. ```bash $ sops edit mynewtestfile.yaml mynewtestfile.yaml doesn't exist, creating it. please wait while an encryption key is being generated and stored in a secure fashion file written to mynewtestfile.yaml ``` -------------------------------- ### Encrypt File using GCP KMS Source: https://getsops.io/docs/usage/identities/google-cloud-kms Encrypt a file using SOPS with a specified GCP KMS ResourceID. The encrypted output is redirected to a new file. ```bash $ sops encrypt --gcp-kms projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key test.yaml > test.enc.yaml ``` -------------------------------- ### GCP KMS Creation Rule Source: https://getsops.io/docs/reference Defines a creation rule for SOPS using GCP KMS ResourceIDs. Provide the full resource identifier for the key. ```yaml creation_rules: - gcp_kms: - projects/mygcproject/locations/global/keyRings/mykeyring/cryptoKeys/thekey ``` -------------------------------- ### Specify Different GPG Executable Source: https://getsops.io/docs/usage/identities/pgp Set the SOPS_GPG_EXEC environment variable in your shell configuration (e.g., ~/.bashrc) to use a custom GPG client wrapper instead of the default 'gpg' executable. ```bash SOPS_GPG_EXEC = 'your_gpg_client_wrapper' ``` -------------------------------- ### Decrypt File with Azure KMS Source: https://getsops.io/docs/usage/identities/azure-kms Decrypt a file previously encrypted with Azure Key Vault using SOPS. ```bash $ sops decrypt test.enc.yaml ``` -------------------------------- ### Decrypt a File with SOPS Source: https://getsops.io/docs/usage/common-operations Decrypt an existing encrypted file using the `sops decrypt` command. Provide the path to the encrypted file. ```bash $ sops decrypt /path/to/new/encrypted/file.yaml ``` -------------------------------- ### Encrypt File with Azure KMS Source: https://getsops.io/docs/usage/identities/azure-kms Encrypt a file using SOPS with an Azure Key Vault key. You can specify the full key identifier including the version, or omit the version to use the latest key. ```bash $ sops encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/some-string test.yaml > test.enc.yaml ``` ```bash $ sops encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/ test.yaml > test.enc.yaml ``` -------------------------------- ### Authenticate with GCP KMS using Application Default Credentials Source: https://getsops.io/docs/usage/identities/google-cloud-kms Log in to your Google Cloud account to enable Application Default Credentials. This method is preferred over using OAuth 2.0 tokens. ```bash $ gcloud auth login ``` ```bash $ gcloud auth application-default login ``` -------------------------------- ### Encrypt File using Specific Vault Transit Key Source: https://getsops.io/docs/usage/identities/hashicorp-vault-openbao Encrypt a file using a specific encryption key stored in HashiCorp Vault's transit engine. The VAULT_ADDR environment variable must be set. ```bash $ sops encrypt --hc-vault-transit $VAULT_ADDR/v1/sops/keys/firstkey vault_example.yml ``` -------------------------------- ### Update SOPS Keys from .sops.yaml Source: https://getsops.io/docs/usage/key-management Use the `sops updatekeys` command to apply key changes defined in the `.sops.yaml` file to an encrypted file. SOPS will prompt for confirmation unless the `-y` flag is used. ```bash $ sops updatekeys test.enc.yaml ```