Editor for encrypted files supporting YAML, JSON, ENV, INI formats with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP encryption
SOPS (Secrets OPerationS) is a command-line editor for encrypted files that supports multiple file formats (YAML, JSON, ENV, INI, and binary) and encryption backends. It integrates with cloud key management services including AWS KMS, GCP KMS, Azure Key Vault, and HuaweiCloud KMS, as well as age and PGP for encryption operations.
The tool handles encryption and decryption transparently, allowing users to edit encrypted files as if they were plaintext. When you run sops edit myfile.yaml, it decrypts the file, opens it in your configured editor, then re-encrypts and saves it when you're done. Each encrypted file contains metadata blocks that store encrypted copies of the data encryption key for each configured encryption method, ensuring redundancy and access control.
SOPS is designed for developers and operations teams managing secrets in infrastructure-as-code workflows. It supports configuration via environment variables (like SOPS_KMS_ARN for AWS KMS keys or SOPS_AGE_RECIPIENTS for age encryption), configuration files (.sops.yaml), and can decrypt files in a cat-like fashion using sops decrypt. The tool also provides a Go library for programmatic integration into other applications.
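The metadata blocks described above can be audited before a file is committed. The following is an added example, not code from the SOPS project: it lists which key holders have a wrapped copy of the data key and flags leaf values that are still plaintext. It assumes the JSON form of a SOPS file, with a top-level sops key and the per-backend field names shown in BACKENDS, and the default _unencrypted suffix. The sample file and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample of a SOPS-encrypted JSON file; the ciphertexts, ARN and
# age recipient are shortened placeholders, not real values.
SAMPLE = json.dumps({
    "db": {
        "user": "ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]",
        "password": "hunter2",      # plaintext leaf the check should flag
        "port_unencrypted": 5432,   # left in clear by the default suffix rule
    },
    "sops": {
        "kms": [{"arn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE", "enc": "placeholder"}],
        "age": [{"recipient": "age1exampleplaceholder", "enc": "placeholder"}],
        "pgp": [],
        "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]",
    },
})

ENC = re.compile(r"^ENC\[AES256_GCM,data:[^,]*,iv:[^,]*,tag:[^,]*,type:\w+\]$")
# Metadata list name -> field identifying the key holder (assumed field names).
BACKENDS = {"kms": "arn", "gcp_kms": "resource_id", "azure_kv": "vault_url",
            "age": "recipient", "pgp": "fp"}

def recipients(doc):
    """Return (backend, identifier) for every wrapped copy of the data key."""
    meta = doc.get("sops", {})
    return [(b, e.get(f, "?")) for b, f in BACKENDS.items() for e in meta.get(b) or []]

def plaintext_leaves(node, suffix="_unencrypted", path=""):
    """Return paths of leaf values that are not SOPS ciphertext."""
    found = []
    items = node.items() if isinstance(node, dict) else enumerate(node)
    for key, value in items:
        here = f"{path}/{key}"
        if path == "" and key == "sops":
            continue  # the metadata block itself is stored in clear
        if isinstance(key, str) and key.endswith(suffix):
            continue  # intentionally unencrypted key or subtree
        if isinstance(value, (dict, list)):
            found += plaintext_leaves(value, suffix, here)
        elif not (isinstance(value, str) and ENC.match(value)):
            found.append(here)
    return found

def audit(text):
    """Parse a SOPS JSON document and report key holders and plaintext leaves."""
    doc = json.loads(text)
    return {"recipients": recipients(doc), "plaintext": plaintext_leaves(doc)}
```

A non-empty plaintext list or an unexpected entry in recipients is the signal to stop a commit and review who can decrypt the file.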
# via Go Install
mkdir -p "$GOPATH/src/github.com/getsops/sops/" && git clone https://github.com/getsops/sops.git "$GOPATH/src/github.com/getsops/sops/" && cd "$GOPATH/src/github.com/getsops/sops/" && make install
