Encrypted file editor supporting YAML, JSON, ENV, INI, and binary formats with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP encryption
SOPS is a command-line editor for encrypted configuration files that supports multiple file formats (YAML, JSON, ENV, INI, and binary) and integrates with various key management services. It encrypts files using AWS KMS, GCP KMS, Azure Key Vault, HuaweiCloud KMS, age encryption, and PGP keys. The tool enables transparent editing of encrypted files by automatically decrypting them for editing and re-encrypting when saved.
The primary workflow is to run sops edit <file>, which opens the decrypted file in your configured editor and automatically re-encrypts it on save. SOPS stores encryption keys redundantly across multiple key management systems, so the data remains accessible as long as at least one key method remains available. Files can be decrypted for output with sops decrypt <file>, or SOPS can be used programmatically through its Go library.
SOPS targets developers and operations teams managing sensitive configuration data like API keys, database credentials, and certificates. It supports flexible key management through environment variables (SOPS_KMS_ARN, SOPS_PGP_FP, SOPS_AGE_RECIPIENTS) and configuration files (.sops.yaml) that define encryption rules per file or directory. The tool handles credential sourcing automatically for cloud providers and supports both interactive editing and CI/CD pipeline integration.
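As an illustration of per-path encryption rules with redundant keys, here is a .sops.yaml added for this page (not taken from the SOPS project). The directory names are assumptions and every key identifier is a constructed placeholder.

```yaml
# .sops.yaml - constructed example; every key identifier is a placeholder.
# Rules are evaluated top to bottom; the first rule whose path_regex
# matches the file being created is the one that applies.
creation_rules:
  # Production secrets (hypothetical directory): the data key is wrapped
  # by an AWS KMS key and by an age recipient, so either one alone can
  # decrypt the file if the other becomes unavailable.
  - path_regex: '^secrets/prod/.*\.(yaml|json|env|ini)$'
    kms: 'arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000'
    age: '<AGE_RECIPIENT_PLACEHOLDER>'

  # Kubernetes Secret manifests (hypothetical directory): encrypt only the
  # values under data/stringData and leave metadata readable for review
  # and diffing.
  - path_regex: '^k8s/.*\.yaml$'
    encrypted_regex: '^(data|stringData)$'
    pgp: '<PGP_FINGERPRINT_PLACEHOLDER>'

  # Catch-all: a rule with no path_regex matches every remaining file,
  # so nothing is created without at least one key.
  - age: '<AGE_RECIPIENT_PLACEHOLDER>'
```

Keeping the catch-all rule last matters, because any rule placed after it is never reached.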
# via Go
git clone https://github.com/getsops/sops.git $GOPATH/src/github.com/getsops/sops/ && cd $GOPATH/src/github.com/getsops/sops/ && make install
