https://github.com/getsops/sops
## Install sops
# Download the binary (pin the version; here v3.10.2)
curl -LO https://github.com/getsops/sops/releases/download/v3.10.2/sops-v3.10.2.linux.amd64
# Verify the download against the checksums file published with the same release before installing it
# Move the binary into your PATH
mv sops-v3.10.2.linux.amd64 /usr/local/bin/sops
# Make the binary executable
chmod +x /usr/local/bin/sops
## Install age
pip install age
# installs the Python implementation (CLI: pyage). The reference implementation is the Go age/age-keygen from https://github.com/FiloSottile/age; both use the same keys.txt layout.
# Generate a key pair. keys.txt contains a "# public key: age1..." header line and the AGE-SECRET-KEY-1... private key, so treat the file as a secret: mode 0600, never committed (add age/ to .gitignore).
mkdir -p age
pyage generate > age/keys.txt
# or, with the reference implementation:
age-keygen -o age/keys.txt
By default sops does NOT look in ./age/keys.txt. It loads the private key from $XDG_CONFIG_HOME/sops/age/keys.txt (~/.config/sops/age/keys.txt on Linux, $HOME/Library/Application Support/sops/age/keys.txt on macOS, %AppData%\sops\age\keys.txt on Windows). A key file anywhere else has to be pointed to explicitly:
export SOPS_AGE_KEY_FILE=/tmp/keys.txt
# for real use choose a directory only your user can read (/tmp is shared); alternatively SOPS_AGE_KEY can hold the key itself instead of a path
## Configure .sops.yaml
.sops.yaml defines which files a rule applies to (path_regex), which parts of them get encrypted (encrypted_regex) and for which recipients (age).
By default sops encrypts ALL values in a YAML file (the keys stay visible). When some fields must stay in clear, e.g. apiVersion/kind/metadata of a Kubernetes Secret, set encrypted_regex so that only matching keys, and the subtrees under them, are encrypted.
sops looks for .sops.yaml starting in the current working directory and walking up through the parent directories; it does not scan subdirectories. path_regex is then matched against the file path relative to the directory that holds .sops.yaml. So with the layout below, run sops from inside secrets/ (or pass --config secrets/.sops.yaml from anywhere); run from my-project/ the file is not found and sops errors out for lack of a key.
my-project/
│
├── secrets/
│ ├── .sops.yaml ✅ <- found when sops runs from secrets/ or a directory below it, or via --config
│ └── secrets.yaml
.sops.yaml :
creation_rules:
  - path_regex: '.*\.yaml$'
    encrypted_regex: '^(data|stringData)$'
    age: >-
      age1xxxxxxxxxxxxxxxxxxx,
      age1yyyyyyyyyyyyyyyyyyy
The same rule with a single recipient:
creation_rules:
  - path_regex: '.*\.yaml$'
    encrypted_regex: '^(data|stringData)$'
    age: >-
      age1xxxxxxxxxxxxxxxxxxx
age1xxxx... and age1yyyy... are age PUBLIC keys (recipients); they are all that is needed to encrypt, which is why .sops.yaml can be committed. Each listed recipient can decrypt the file with its own private key. The AGE-SECRET-KEY line from keys.txt never goes into .sops.yaml.
## Encrypt
# sops takes the recipients (public keys) from the matching creation_rule in .sops.yaml
sops -e secrets.yaml > secrets.enc.yaml
# OR pass the recipients explicitly. The header line in keys.txt reads "# public key: age1...", so
# "grep age1 | sed -e 's/^# *//g'" would hand "public key: age1..." to --age and sops rejects it; take only the last field:
sops -e --age "$(awk '/^# public key:/ {print $NF}' age/keys.txt)" secrets.yaml > secrets.enc.yaml
# Only values under keys matching encrypted_regex (data, stringData) become ENC[AES256_GCM,...]; the rest stays readable, and sops appends a sops: block holding the age recipient, the encrypted data key and a MAC over the file.
## Decrypt
- Decryption needs the PRIVATE key, the AGE-SECRET-KEY line in keys.txt; .sops.yaml plays no role here.
- sops reads the identity from SOPS_AGE_KEY (the key itself), from the file named by SOPS_AGE_KEY_FILE, or from the default key file $XDG_CONFIG_HOME/sops/age/keys.txt (~/.config/sops/age/keys.txt on Linux).
- A keys.txt inside the project is not found automatically, so point sops at it:
export SOPS_AGE_KEY_FILE=./age/keys.txt
sops -d secrets.enc.yaml
# --age is a recipient (encryption) option: "sops -d --age ..." does not supply the private key, so it does not help for decryption.
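The whole procedure above, as an added shell example (not code from the sops or age projects): extract the recipient from keys.txt without the "public key: " prefix, generate the .sops.yaml shown on this page for a secrets/ directory, then encrypt and decrypt a Kubernetes Secret and check that only stringData was encrypted. The round trip assumes sops and age-keygen on PATH and is skipped otherwise; the keys.txt content produced by sample_keyfile is a constructed placeholder, not a real key.

```shell
#!/usr/bin/env sh
# Added example, not part of the sops or age projects. Assumes sops and
# age-keygen are installed for the round trip; sample_keyfile is a placeholder.
set -e

# Print the public key(s) from one or more age key files (stdin if no file).
# age-keygen writes the header "# public key: age1...", so the pipeline
# "grep age1 | sed 's/^# *//'" would yield "public key: age1...", which is
# not a valid --age argument. The last field of that line is the recipient.
age_pubkeys() {
    awk '/^# public key: / { print $NF }' "$@"
}

# Join recipients into the comma-separated form accepted by "age:" and --age.
join_recipients() {
    paste -sd, -
}

# Emit a .sops.yaml that encrypts only data/stringData of every *.yaml at or
# below the directory holding the config. $1 = comma-separated recipients.
sops_config() {
    cat <<EOF
creation_rules:
  - path_regex: '.*\\.yaml\$'
    encrypted_regex: '^(data|stringData)\$'
    age: $1
EOF
}

# Constructed keys.txt in age-keygen's layout, for offline use.
# $1 = public key to embed; the secret key line is a dummy.
sample_keyfile() {
    printf '# created: 2024-01-01T00:00:00Z\n# public key: %s\nAGE-SECRET-KEY-1PLACEHOLDER\n' "$1"
}

# End-to-end: real key pair, .sops.yaml in secrets/, encrypt, verify which
# fields stayed in clear, decrypt with the private key. Fails on any error.
demo() {
    workdir=$(mktemp -d)
    mkdir -p "$workdir/age" "$workdir/secrets"
    age-keygen -o "$workdir/age/keys.txt" 2>/dev/null
    chmod 600 "$workdir/age/keys.txt"
    # Only the public key goes into .sops.yaml; keys.txt stays private.
    recipients=$(age_pubkeys "$workdir/age/keys.txt" | join_recipients)
    sops_config "$recipients" > "$workdir/secrets/.sops.yaml"
    cat > "$workdir/secrets/secrets.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: demo
stringData:
  password: hunter2
EOF
    (
        # sops finds .sops.yaml by walking UP from the current directory, so
        # work inside secrets/. keys.txt is not at the default location
        # (~/.config/sops/age/keys.txt), hence SOPS_AGE_KEY_FILE.
        cd "$workdir/secrets"
        export SOPS_AGE_KEY_FILE="$workdir/age/keys.txt"
        sops -e secrets.yaml > secrets.enc.yaml
        grep -q 'name: demo' secrets.enc.yaml                  # metadata readable
        grep -q 'password: ENC\[AES256_GCM,' secrets.enc.yaml  # stringData encrypted
        sops -d secrets.enc.yaml | grep -q 'password: hunter2' # private key decrypts
    )
    echo "round trip ok in $workdir"
}

# Run the round trip only where both tools are present.
if command -v sops >/dev/null 2>&1 && command -v age-keygen >/dev/null 2>&1; then
    demo
fi
```

The helpers work offline; the generated .sops.yaml puts the recipients on one comma-separated line, which sops accepts in the same way as the folded `>-` form used above.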