Scripts · Apr 13, 2026 · 3 min read

sops — Simple and Flexible Secrets Management

sops (Secrets OPerationS) encrypts values in YAML, JSON, ENV, and INI files while keeping keys in plaintext. This lets you version-control encrypted secrets in Git, using age, AWS KMS, GCP KMS, Azure Key Vault, or PGP as encryption backends.

TL;DR
sops encrypts secret values in config files while keeping keys readable for version-controlled secrets.
§01

What it is

sops (Secrets OPerationS) is a CLI tool that encrypts values in YAML, JSON, ENV, and INI files while keeping keys in plaintext. This design lets you version-control encrypted secrets in Git because diffs show which keys changed without exposing values. sops supports multiple encryption backends: age, AWS KMS, GCP KMS, Azure Key Vault, and HashiCorp Vault.

sops is for DevOps engineers and platform teams who need to store secrets alongside application code in Git without exposing sensitive values.

The project is actively maintained with regular releases and a growing user community. Documentation covers common use cases, and the open-source nature means you can inspect the source code, contribute fixes, and adapt the tool to your specific requirements.

§02

How it saves time or tokens

Without sops, secrets live in separate vaults, environment variables, or sealed-secrets controllers. Each approach fragments configuration across multiple systems. sops keeps secrets in the same YAML files as other configuration, encrypted in place. You edit secrets with sops edit, commit the encrypted file, and decrypt at deploy time.

§03

How to use

  1. Install sops via brew or download the binary.
  2. Create a .sops.yaml file specifying your encryption keys.
  3. Run sops encrypt to encrypt a file or sops edit to edit secrets in your default editor.

§04

Example

# Install sops
brew install sops

# Generate an age key
age-keygen -o key.txt
export SOPS_AGE_KEY_FILE=key.txt

# Create .sops.yaml config (the age recipient is the public key printed by age-keygen)
cat > .sops.yaml << 'EOF'
creation_rules:
  - path_regex: secrets\.yaml$
    age: 'age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
EOF

# Encrypt a secrets file
sops encrypt secrets.yaml > secrets.enc.yaml

# Edit encrypted secrets (decrypts in editor, re-encrypts on save)
sops edit secrets.enc.yaml

# Decrypt for deployment
sops decrypt secrets.enc.yaml > secrets.yaml
§06

Common pitfalls

  • Committing the unencrypted secrets file to Git by mistake. Add the unencrypted filename to .gitignore and only commit the .enc.yaml version.
  • Losing the encryption key means permanent loss of all encrypted secrets. Back up age keys or use a managed KMS service with key rotation.
  • sops encrypts values but not keys. Secret names (database_password, api_key) are visible in the encrypted file. Avoid putting sensitive information in key names.

Before adopting this tool, evaluate whether it fits your team's existing workflow. Read the official documentation thoroughly, and start with a small proof-of-concept rather than a full migration. Community forums, GitHub issues, and Stack Overflow are valuable resources when you encounter edge cases not covered in the documentation.

Frequently Asked Questions

Which encryption backends does sops support?

sops supports age, AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault, and PGP. You can use multiple backends simultaneously for the same file, enabling key sharing across teams and cloud providers.

How does sops differ from HashiCorp Vault?

Vault is a centralized secrets management service with access control, audit logging, and dynamic secrets. sops is a file-level encryption tool that stores encrypted secrets in Git. They serve different use cases and can be used together.

Can sops encrypt only specific fields in a YAML file?

Yes. sops supports encrypted_regex and encrypted_suffix rules in .sops.yaml to encrypt only fields matching a pattern. This lets you keep non-sensitive values in plaintext for easier review.
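As an added illustration that is not part of this page or of the sops project: a small pre-commit style check that enforces the two points above, that a file reaching Git actually carries sops metadata (see the first pitfall) and that every field selected by an encrypted_regex rule holds an ENC[...] value. It assumes the JSON variant of a sops file, a hypothetical script name check_sops.py, and the regex 'password|api_key'.

```python
import json
import re
import sys

# Shape of a sops-encrypted scalar: ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
ENC_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]+,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:[a-z]+\]$"
)


def check_document(doc, encrypted_regex):
    """Return a list of problems; an empty list means the file is safe to commit.

    encrypted_regex is matched against key names the way sops does (unanchored
    search); once a key matches, every scalar below it must be an ENC[...] value.
    """
    problems = []
    sops_meta = doc.get("sops") if isinstance(doc, dict) else None
    if not isinstance(sops_meta, dict) or "mac" not in sops_meta:
        problems.append("missing sops metadata block: file was never encrypted")

    def walk(node, path, must_encrypt):
        if isinstance(node, dict):
            for key, val in node.items():
                if path == "" and key == "sops":
                    continue  # the metadata block itself is not a secret
                sub = f"{path}.{key}" if path else key
                walk(val, sub, must_encrypt or bool(re.search(encrypted_regex, key)))
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{path}[{i}]", must_encrypt)
        elif must_encrypt and not (isinstance(node, str) and ENC_VALUE.match(node)):
            problems.append(f"{path}: plaintext value where encryption is required")

    walk(doc, "", False)
    return problems


# Constructed samples (not real sops output): one properly encrypted, one not.
CIPHERTEXT = "ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]"
ENCRYPTED_SAMPLE = {
    "database": {"host": "db.internal", "password": CIPHERTEXT},
    "api_key": CIPHERTEXT,
    "sops": {"mac": CIPHERTEXT},  # real files also list age/KMS recipients here
}
PLAINTEXT_SAMPLE = {"database": {"host": "db.internal", "password": "hunter2"}}

if __name__ == "__main__":  # usage: check_sops.py secrets.enc.json 'password|api_key'
    with open(sys.argv[1]) as fh:
        findings = check_document(json.load(fh), sys.argv[2])
    print("\n".join(findings) or "ok")
    sys.exit(1 if findings else 0)
```

Non-sensitive keys such as database.host stay in plaintext and pass the check, which is exactly what encrypted_regex is meant to allow.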

Does sops work with Kubernetes?

Yes. Encrypt Kubernetes Secret manifests with sops and decrypt them during deployment with tools like Flux, ArgoCD, or Helm Secrets. The encrypted manifests are safe to store in Git.

What is age encryption?

age is a modern, simple file encryption tool designed as a replacement for PGP. It is the recommended backend for sops when you do not need cloud KMS integration. age keys are small, easy to manage, and have no configuration complexity.

