Posted on: May 31, 2021 at 01:00 AM

Sops

Introduction

SOPS (Secrets OPerationS) is a powerful tool for managing encrypted files that supports multiple formats (YAML, JSON, ENV, INI, and BINARY) and various encryption backends including AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.

Installation

Using Homebrew

# Install SOPS using Homebrew
brew install sops

Basic Usage

Setting Up the Editor

# Set VS Code as the default editor
export EDITOR="code --wait"

Editing Encrypted Files

# Edit an encrypted YAML file
sops k8s/oq/secrets.dev.yaml

Supported Formats

  • YAML
  • JSON
  • ENV
  • INI
  • BINARY

Encryption Backends

  • AWS KMS
  • GCP KMS
  • Azure Key Vault
  • age
  • PGP

Common Use Cases

Kubernetes Secrets Management

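# Encrypt a Kubernetes secret (the key comes from a .sops.yaml creation rule or a key flag such as --age)
sops -e k8s/secrets.yaml > k8s/secrets.encrypted.yaml

# Decrypt a Kubernetes secret (this writes plaintext to disk; keep k8s/secrets.yaml out of version control)
sops -d k8s/secrets.encrypted.yaml > k8s/secrets.yaml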

Environment Variables

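# Encrypt environment variables (the .env suffix selects the dotenv format)
sops -e .env > .env.encrypted

# Decrypt environment variables
# .env.encrypted no longer ends in .env, so state the format explicitly
sops -d --input-type dotenv --output-type dotenv .env.encrypted > .env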

Best Practices

  1. Always use version control for encrypted files
  2. Keep encryption keys secure
  3. Use appropriate encryption backends for your environment
  4. Regularly rotate encryption keys
  5. Document encryption/decryption procedures
  6. Use meaningful file names for encrypted files
  7. Implement proper access controls
  8. Conduct regular security audits
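
The decrypt commands above write plaintext files next to the encrypted ones, so practice 1 needs a guard against committing them. The script below is an added example, not part of the original post: it flags secret-looking files that carry no SOPS MAC entry. The file-name patterns, function names and sample values are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: fail a pre-commit hook or CI step when a secret file is plaintext.
# Usage: <this script> --check [dir]
# Assumption: an encrypted YAML/JSON/ENV file carries SOPS metadata whose MAC is
# stored as ENC[AES256_GCM,...]; a plaintext file has no such entry.

# Return 0 if the file carries a SOPS MAC entry, 1 otherwise.
is_sops_encrypted() {
  grep -Eq 'mac"?[[:space:]]*[:=][[:space:]]*"?ENC\[AES256_GCM,' "$1"
}

# Print every secret-looking file under a directory that is still plaintext.
# The name patterns are hypothetical; adapt them to the repository layout.
find_plaintext_secrets() {
  find "$1" -type f \( -name '*secret*.yaml' -o -name '*secret*.json' \
      -o -name '*.env' -o -name '.env.*' \) -print | sort |
  while IFS= read -r f; do
    is_sops_encrypted "$f" || printf '%s\n' "$f"
  done
}

# Return 0 when the tree is clean, 1 when plaintext secret files were found.
check_repo() {
  local leaked
  leaked=$(find_plaintext_secrets "$1")
  [ -z "$leaked" ] && return 0
  printf 'Plaintext secret files (encrypt or gitignore them):\n%s\n' "$leaked" >&2
  return 1
}

# Build a constructed sample tree (all values are made up) and print its path.
make_sample_repo() {
  local d enc='ENC[AES256_GCM,data:x,iv:y,tag:z,type:str]'
  d=$(mktemp -d)
  mkdir -p "$d/k8s"
  printf 'password: hunter2\n' > "$d/k8s/secrets.yaml"
  printf 'password: %s\nsops:\n    mac: %s\n' "$enc" "$enc" \
    > "$d/k8s/secrets.encrypted.yaml"
  printf 'API_KEY=abc\n' > "$d/.env"
  printf 'API_KEY=%s\nsops_mac=%s\n' "$enc" "$enc" > "$d/.env.encrypted"
  printf '%s\n' "$d"
}

[ "${1:-}" != "--check" ] || check_repo "${2:-.}"
```

The check is a text heuristic: it confirms that SOPS metadata is present, not that the MAC is valid, so a `sops -d` run in CI is still the authoritative test.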

Additional Resources