SOPS — Commands & Recipes
Setup with age
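# Install SOPS
brew install sops # or: go install github.com/getsops/sops/v3/cmd/sops@latest
# (for reproducible installs, pin a release tag instead of @latest)
# Install age
brew install age
# Generate age key. The output file holds the PRIVATE key: keep it out of Git
# and readable only by your user.
# age-keygen does not create the parent directory, so create it first.
mkdir -p ~/.sops && chmod 700 ~/.sops
age-keygen -o ~/.sops/key.txt
# Prints "Public key: age1abc123..." — only this public key goes into .sops.yaml
# SOPS looks for age keys under its own config directory unless told otherwise,
# so point it at this file before decrypting or editing.
export SOPS_AGE_KEY_FILE="$HOME/.sops/key.txt"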
.sops.yaml Configuration
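# .sops.yaml (repository root)
# Rules are evaluated top to bottom and the first matching path_regex wins,
# so the catch-all rule must stay last.
creation_rules:
  - path_regex: secrets/production/.*\.yaml$
    # Listing age and aws_kms in one rule means EITHER key alone can decrypt,
    # not that both are required. To require several keys, use key_groups
    # together with shamir_threshold.
    age: age1productionkey123...
    aws_kms: arn:aws:kms:us-east-1:123456:key/abc-123
  - path_regex: secrets/staging/.*\.yaml$
    age: age1stagingkey456...
  - path_regex: .*\.yaml$
    age: age1defaultkey789...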
Core Operations
# Encrypt a file (the plaintext secrets.yaml stays on disk afterwards; remove it
# or make sure it is ignored by Git)
sops --encrypt secrets.yaml > secrets.enc.yaml
# or in-place:
sops --encrypt --in-place secrets.yaml
# Decrypt (plaintext is written to stdout; avoid running this where output is
# captured in logs, e.g. CI jobs)
sops --decrypt secrets.enc.yaml
# Edit in-place (decrypt → editor → re-encrypt)
sops secrets.enc.yaml
# Rotate the data key: generates a new data encryption key and re-encrypts the
# values with it. This alone does not change which master keys (age/KMS) can
# decrypt the file; after changing recipients in .sops.yaml, run
# `sops updatekeys <file>` to re-wrap the data key for the new set.
# Older ciphertext in Git history remains decryptable with the old key, so if a
# key was exposed the secret values themselves must be changed as well.
sops --rotate --in-place secrets.enc.yaml
Flux Integration
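# Create age secret for Flux.
# This stores the age PRIVATE key in the cluster: use a key generated for this
# cluster (not a personal developer key) and restrict RBAC read access to
# Secrets in flux-system. The data key name must end in ".agekey" for Flux to
# treat it as an age identity.
kubectl create secret generic sops-age \
  --namespace=flux-system \
  --from-file=age.agekey="$HOME/.sops/key.txt"
# In Kustomization, enable SOPS decryption
flux create kustomization myapp \
  --source=GitRepository/myapp \
  --path="./k8s" \
  --prune=true \
  --decryption-provider=sops \
  --decryption-secret=sops-age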
ArgoCD Integration
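# ArgoCD Application manifest selecting a SOPS-capable plugin.
# Use argocd-vault-plugin or ksops for ArgoCD + SOPS.
# Fragment only: repoURL, path, destination and project are omitted here.
# The plugin name must match a config management plugin installed on the
# ArgoCD repo-server, and the repo-server needs access to the decryption key
# (age key or KMS credentials), so treat that component as holding secrets.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp
spec:
  source:
    plugin:
      name: ksops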
Sources