https://github.com/mozilla/sops
Generate an age key with:
age-keygen -o <path to key file>If a key/key file is not specified when decrypting, sops will automatically look for age keys in the following locations:
- macOS:
$HOME/Library/Application Support/sops/age/keys.txt - linux:
$XDG_CONFIG_HOME/sops/age/keys.txt - Windows:
%AppData%\sops\age\keys.txt
Alternatively, you can specify the location of the age key file manually by setting the environment variable SOPS_AGE_KEY_FILE.
When defining the recipient public keys age will use to encrypt a file, there are two options:
-
Pass the public key(s) as a comma separated list in the
--ageargument:sops -a $(paste -s -d, public-age-keys.txt) -e test.env -
Pass the public key(s) as a comma separated list in the
SOPS_AGE_RECIPIENTSenvironment variable:export SOPS_AGE_RECIPIENTS=$(paste -s -d, public-age-keys.txt) sops -e test.env
-
Use a
.sops.yamlconfiguration file which defines the encryption rules. This is the method used in this repo; see the provided example.sops.yaml.
Encrypt test.env and save as sops.test.env:
sops -e test.env > sops.test.envDecrypt sops.test.env and save as test.env:
sops -d sops.test.env > test.envDecrypt sops.test.env and extract a specific value, e.g. password:
sops -d --extract '["password"]' sops.test.envDecrypt sops.test.env to a temporary file and make it's contents available for the duration of a child process:
sops exec-file sops.test.env 'wc -l {}'Decrypt sops.test.env into the environment of a child process:
sops exec-env sops.test.env 'echo $username/$password'Don't commit unencrypted secrets to git. Think ahead and use .gitignore.