SOPS — How It Works
Envelope encryption, value-only encryption model, and KMS integration.
Encryption Model
SOPS uses envelope encryption: a random data encryption key (DEK) encrypts the values in the file, and the DEK itself is encrypted by the master key (age, KMS, etc.) and stored next to the values in the file's sops metadata.
```mermaid
flowchart TB
    subgraph File["Encrypted File"]
        Meta["sops metadata\n(encrypted DEK, key fingerprints)"]
        Keys["YAML/JSON keys\n(plaintext)"]
        Values["Values\n(AES-256-GCM encrypted)"]
    end
    subgraph Master["Master Key Layer"]
        Age["age key"]
        KMS["AWS/GCP KMS"]
        VaultT["Vault Transit"]
    end
    Master -->|"encrypt DEK"| Meta
    Meta -->|"DEK decrypts"| Values
    style Values fill:#c62828,color:#fff
    style Keys fill:#2e7d32,color:#fff
```
What Gets Encrypted
```yaml
# Before encryption
apiVersion: v1
kind: Secret
metadata:
  name: myapp          # ← NOT encrypted (structure visible)
data:
  username: admin      # ← value ENCRYPTED
  password: s3cr3t     # ← value ENCRYPTED
```

```yaml
# After: sops --encrypt
apiVersion: v1
kind: Secret
metadata:
  name: myapp          # ← still plaintext (keys visible)
data:
  username: ENC[AES256_GCM,data:abc123...]   # ← encrypted
  password: ENC[AES256_GCM,data:xyz789...]   # ← encrypted
sops:
  age:
    - recipient: age1abc...
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        ...encrypted DEK...
```
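The two layers described above (a DEK encrypting values in place, a master key wrapping the DEK) and the value-only output shown in the listing can be reproduced in a few dozen lines. The following is an added example written for this page, not SOPS source code: the master key is a locally held AES-256-GCM key standing in for age, KMS or Vault Transit; the `ENC[AES256_GCM,data:...,type:str]` marker is simplified (the real format carries separate `iv:` and `tag:` fields, here the nonce is prepended and the tag appended inside `data`); `Doc`, `walk`, `EncryptValues`, `DecryptValues`, `WrapDEK` and `UnwrapDEK` are this example's own names; the `shouldEncrypt` predicate plays the part of sops' `--encrypted-regex`, which is how the `metadata.name` value above stays readable while `data.*` is encrypted; and binding each value's key path as GCM additional data is a design choice of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

type Doc map[string]interface{} // stand-in for a parsed YAML/JSON tree: string leaves, nested maps

const encPrefix, encSuffix = "ENC[AES256_GCM,data:", ",type:str]"

// NewKey returns a fresh 32-byte AES-256 key: a DEK, or the stand-in master key.
func NewKey() []byte { k := make([]byte, 32); rand.Read(k); return k } // crypto/rand.Read never fails (Go 1.24+)

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts under a fresh random nonce, which is prepended to the ciphertext.
func Seal(gcm cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// Open reverses Seal; any change to nonce, ciphertext, tag or aad fails authentication.
func Open(gcm cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// walk rebuilds doc, passing each string leaf and its path ("/data/password") through fn.
// Keys are copied unchanged: only values are ever transformed, exactly as in a sops file.
func walk(doc Doc, path string, fn func(p, v string) (string, error)) (Doc, error) {
	out := Doc{}
	for k, v := range doc {
		var err error
		p := path + "/" + k
		out[k] = v // numbers, bools and other scalars are copied through untouched
		if s, ok := v.(string); ok {
			out[k], err = fn(p, s)
		} else if sub, ok := v.(Doc); ok {
			out[k], err = walk(sub, p, fn)
		}
		if err != nil {
			return nil, err
		}
	}
	return out, nil
}

// EncryptValues encrypts leaves whose path satisfies shouldEncrypt (the role of sops'
// --encrypted-regex) under the DEK, binding the path as GCM additional data so that a
// ciphertext moved under another key no longer decrypts.
func EncryptValues(doc Doc, dek cipher.AEAD, shouldEncrypt func(string) bool) (Doc, error) {
	return walk(doc, "", func(p, v string) (string, error) {
		if !shouldEncrypt(p) {
			return v, nil
		}
		ct := Seal(dek, []byte(v), []byte(p))
		return encPrefix + base64.StdEncoding.EncodeToString(ct) + encSuffix, nil
	})
}

// DecryptValues reverses EncryptValues; leaves without an ENC marker pass through unchanged.
func DecryptValues(doc Doc, dek cipher.AEAD) (Doc, error) {
	return walk(doc, "", func(p, v string) (string, error) {
		if !strings.HasPrefix(v, encPrefix) || !strings.HasSuffix(v, encSuffix) {
			return v, nil
		}
		ct, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(strings.TrimPrefix(v, encPrefix), encSuffix))
		if err == nil {
			ct, err = Open(dek, ct, []byte(p))
		}
		return string(ct), err
	})
}

// WrapDEK/UnwrapDEK are the master-key layer (age, KMS or Vault Transit in SOPS; a local
// AES-256-GCM key stands in here). Only the wrapped DEK, never the DEK, lands in sops: metadata.
func WrapDEK(master cipher.AEAD, dek []byte) []byte                { return Seal(master, dek, []byte("sops-dek")) }
func UnwrapDEK(master cipher.AEAD, wrapped []byte) ([]byte, error) { return Open(master, wrapped, []byte("sops-dek")) }

func main() {
	dek, _ := NewAEAD(NewKey())
	onlyData := func(p string) bool { return strings.HasPrefix(p, "/data/") }
	enc, _ := EncryptValues(Doc{"metadata": Doc{"name": "myapp"}, "data": Doc{"password": "s3cr3t"}}, dek, onlyData)
	fmt.Println(enc) // metadata/name stays readable; data/password becomes ENC[AES256_GCM,...]
}
```

Two properties worth checking when reviewing a tool built on this model: a ciphertext copied from one key to another must fail to decrypt rather than silently decrypt to the wrong value, and a wrong or rotated master key must fail at the unwrap step, before any value is touched. Both fall out of GCM authentication here; the wrapped DEK is the only key material that belongs in the file.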