https://github.com/mozilla/sops

Generate an age key with:

```sh
age-keygen -o <path to key file>
```

If a key/key file is not specified when decrypting, sops will automatically look for age keys in the following locations:

- macOS: `$HOME/Library/Application Support/sops/age/keys.txt`
- Linux: `$XDG_CONFIG_HOME/sops/age/keys.txt`
- Windows: `%AppData%\sops\age\keys.txt`

Alternatively, you can specify the location of the age key file manually by setting the environment variable `SOPS_AGE_KEY_FILE`.
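The lookup order above (an explicit `SOPS_AGE_KEY_FILE`, otherwise the platform default) is easy to get wrong when a decrypt fails with "no key found". The following added example, which is not part of the sops project, resolves the path sops would try and checks that the private key file is readable by its owner only. The `$HOME/.config` fallback for an unset `XDG_CONFIG_HOME` and the `check_age_key_perms` helper are assumptions of this example, not behaviour documented on this page.

```sh
#!/bin/sh
# Added example (not from the sops project): resolve the age key file that sops
# would read, following the documented lookup order, and check its permissions.

resolve_age_key_file() {
  # An explicit SOPS_AGE_KEY_FILE wins over the platform default.
  if [ -n "${SOPS_AGE_KEY_FILE:-}" ]; then
    printf '%s\n' "$SOPS_AGE_KEY_FILE"
    return 0
  fi
  case "$(uname -s)" in
    Darwin) printf '%s\n' "$HOME/Library/Application Support/sops/age/keys.txt" ;;
    # Assumption: fall back to $HOME/.config when XDG_CONFIG_HOME is unset.
    Linux)  printf '%s\n' "${XDG_CONFIG_HOME:-$HOME/.config}/sops/age/keys.txt" ;;
    *)      echo "unsupported platform for automatic key lookup" >&2; return 1 ;;
  esac
}

# Return 0 only if the key file exists and is readable by its owner alone
# (mode 600 or 400); a private age key should never be group- or world-readable.
check_age_key_perms() {
  f="$1"
  [ -f "$f" ] || return 1
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Stand-alone usage: report which key file sops would use and whether it is safe.
if f=$(resolve_age_key_file); then
  if check_age_key_perms "$f"; then
    echo "age key file: $f (permissions ok)"
  else
    echo "age key file: $f (missing or too permissive)"
  fi
fi
```

Run it before a decrypt that unexpectedly fails: a path that differs from where `age-keygen -o` wrote the key, or a key file with mode 644, are the two most common causes.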
When defining the recipient public keys age will use to encrypt a file, there are the following options:

- Pass the public key(s) as a comma separated list in the `--age` argument:

  ```sh
  sops -a $(paste -s -d, public-age-keys.txt) -e test.env
  ```

- Pass the public key(s) as a comma separated list in the `SOPS_AGE_RECIPIENTS` environment variable:

  ```sh
  export SOPS_AGE_RECIPIENTS=$(paste -s -d, public-age-keys.txt)
  sops -e test.env
  ```

- Use a `.sops.yaml` configuration file which defines the encryption rules. This is the method used in this repo; see the provided `example.sops.yaml`.
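`paste -s -d,` joins the file as-is, so a blank line, a comment, or a truncated key ends up in the recipient list and only surfaces as a confusing error from sops (or, worse, a file encrypted to fewer recipients than intended). The added example below, which is not from the sops project, builds the same comma-separated list but skips blank and `#` lines and rejects anything that does not have the shape of an age recipient. The shape check (prefix `age1`, 62 characters, bech32 character set) is an assumption of this example and is not a checksum verification; the keys in the sample file are constructed placeholders, not real recipients.

```sh
#!/bin/sh
# Added example (not from the sops project): build the recipient list expected
# by `sops -a` / SOPS_AGE_RECIPIENTS from a one-key-per-line file, validating
# each entry instead of trusting `paste -s -d,` on raw file contents.

# Shape check only (assumption of this example, not a checksum verification):
# an age X25519 recipient is "age1" followed by 58 bech32 data characters.
is_age_recipient() {
  key="$1"
  [ "${key#age1}" != "$key" ] || return 1   # must start with age1
  [ ${#key} -eq 62 ] || return 1            # fixed total length
  body="${key#age1}"
  # Only bech32 data characters may follow the prefix.
  [ -z "$(printf '%s' "$body" | tr -d 'qpzry9x8gf2tvdw0s3jn54khce6mua7l')" ]
}

# Print the recipients in FILE joined by commas; fail on any bad entry so a
# malformed file never silently shrinks the recipient set.
build_recipients() {
  out=""
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                               # strip trailing comments
    line="$(printf '%s' "$line" | tr -d ' \t\r')"    # and surrounding whitespace
    [ -n "$line" ] || continue
    is_age_recipient "$line" || { printf 'bad recipient: %s\n' "$line" >&2; return 1; }
    out="${out:+$out,}$line"
  done < "$1"
  [ -n "$out" ] || { printf 'no recipients in %s\n' "$1" >&2; return 1; }
  printf '%s\n' "$out"
}

# Constructed sample input: placeholder keys with the right shape, not real ones.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# team recipients
age1qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf2tvdw0s3jn54khce   # alice
age1mua7lqpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf2tvdw0s3jn5   # bob

EOF

# Stand-alone usage, equivalent to: sops -a "$(build_recipients public-age-keys.txt)" -e test.env
if recipients=$(build_recipients "$SAMPLE"); then
  echo "SOPS_AGE_RECIPIENTS=$recipients"
fi
```

Wire it in as `sops -a "$(build_recipients public-age-keys.txt)" -e test.env`; because the function exits non-zero on a bad entry, the command substitution yields an empty argument and sops refuses to encrypt rather than encrypting to a partial list.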
Encrypt `test.env` and save as `sops.test.env`:

```sh
sops -e test.env > sops.test.env
```

Decrypt `sops.test.env` and save as `test.env`:

```sh
sops -d sops.test.env > test.env
```

Decrypt `sops.test.env` and extract a specific value, e.g. `password`:

```sh
sops -d --extract '["password"]' sops.test.env
```

Decrypt `sops.test.env` to a temporary file and make its contents available for the duration of a child process:

```sh
sops exec-file sops.test.env 'wc -l {}'
```

Decrypt `sops.test.env` into the environment of a child process:

```sh
sops exec-env sops.test.env 'echo $username/$password'
```
Don't commit unencrypted secrets to git. Think ahead and use `.gitignore`.
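A `.gitignore` entry for `test.env` stops the common case, but `git add -f` or a renamed file bypasses it. The added example below, which is not from the sops project, is a pre-commit style check that accepts a dotenv file only when every value is sops ciphertext and the sops integrity metadata is present. It assumes the dotenv layout sops writes (values encrypted as `ENC[...]`, metadata keys prefixed `sops_`, including `sops_mac`); the exact metadata key names are an assumption of this example, and the sample files are constructed placeholders, not real sops output.

```sh
#!/bin/sh
# Added example (not from the sops project): refuse to commit a dotenv file
# unless every value is sops ciphertext. Assumes sops' dotenv layout
# (ENC[...] values, sops_-prefixed metadata, a sops_mac line); the metadata
# key names are an assumption of this example.

# Return 0 if FILE looks sops-encrypted, 1 otherwise; reasons go to stderr.
is_sops_encrypted_dotenv() {
  f="$1"
  [ -f "$f" ] || { echo "$f: not a file" >&2; return 1; }
  plain=0
  mac=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*)      continue ;;                       # blank or comment
      sops_mac=*)   mac=1 ;;                          # integrity metadata present
      sops_*)       ;;                                # other sops metadata
      *=ENC\[*\])   ;;                                # encrypted value
      *=*)          plain=$((plain + 1))
                    echo "$f: plaintext value for ${line%%=*}" >&2 ;;
      *)            echo "$f: unparseable line" >&2; return 1 ;;
    esac
  done < "$f"
  [ "$plain" -eq 0 ] && [ "$mac" -eq 1 ]
}

# Check every path given; return 1 if any file is not fully encrypted.
check_dotenvs() {
  rc=0
  for f in "$@"; do
    is_sops_encrypted_dotenv "$f" || rc=1
  done
  return $rc
}

# Constructed samples: what an encrypted and an unencrypted test.env look like.
ENC_SAMPLE=$(mktemp)
cat > "$ENC_SAMPLE" <<'EOF'
username=ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
password=ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
sops_version=placeholder
sops_age__list_0__map_recipient=age1placeholder
sops_mac=ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
EOF

PLAIN_SAMPLE=$(mktemp)
cat > "$PLAIN_SAMPLE" <<'EOF'
# plaintext test.env that must never be committed
username=alice
password=hunter2
EOF

# Stand-alone usage: a pre-commit hook would pass the staged *.env files here.
if check_dotenvs "$ENC_SAMPLE" "$PLAIN_SAMPLE"; then
  echo "all dotenv files encrypted"
else
  echo "refusing commit: unencrypted dotenv present"
fi
```

In a pre-commit hook, feed it the staged files with `check_dotenvs $(git diff --cached --name-only -- '*.env')` and exit with its status; a mixed file (some values encrypted, some not) is rejected too, which catches a value added by hand after `sops -d`.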