# SOPS — Operations

Scope: production deployment patterns, operational procedures, performance tuning, and troubleshooting for SOPS.
## Setup

### Key Management

```bash
# Generate an age key pair in the path sops reads by default on Linux
mkdir -p ~/.config/sops/age
age-keygen -o ~/.config/sops/age/keys.txt
export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt
# Or use AWS KMS (placeholder ARN)
export SOPS_KMS_ARN="arn:aws:kms:us-east-1:123456789:key/uuid"
```
### .sops.yaml Configuration

```yaml
# Rules are evaluated top to bottom; the first path_regex that matches wins.
creation_rules:
  - path_regex: '\.env$'
    age: age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  - path_regex: 'secrets/.*\.yaml$'
    kms: 'arn:aws:kms:us-east-1:123:key/uuid'
  - path_regex: '\.json$'
    pgp: 'FINGERPRINT'
```
### File Operations

```bash
# Encrypt
sops -e secrets.yaml > secrets.enc.yaml
# Decrypt
sops -d secrets.enc.yaml > secrets.yaml
# Edit in place (opens $EDITOR on the decrypted content, re-encrypts on save)
sops secrets.enc.yaml
# Rotate the data key and re-encrypt in place
sops -r -i secrets.enc.yaml
```
## GitOps Integration

```bash
# Flux decryption provider; sops-age is a Secret in the flux-system
# namespace holding the age private key
flux create kustomization secrets \
  --source=flux-system \
  --path=./secrets \
  --decryption-provider=sops \
  --decryption-secret=sops-age
```
## Common Issues

| Issue | Diagnosis | Fix |
|---|---|---|
| Decryption fails | Check key availability | Verify `SOPS_AGE_KEY_FILE` path |
| Wrong key used | Check `.sops.yaml` `path_regex` | Fix `creation_rules` patterns |
| Partial encryption | Check `encrypted_regex` | Configure which fields to encrypt |
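A quick way to catch the "Partial encryption" row before a file is committed is to scan the sops output for leaves that are still plaintext. The checker below is an added example, not part of sops or of this page; it works on sops' JSON output, treats any value that is not an `ENC[...]` string as a leak, and, when given the rule's `encrypted_regex`, only flags leaves under a matching key (the sample document and the `check_partial_encryption` name are constructed for the example).

```python
import json
import re

# sops replaces each encrypted value with ENC[AES256_GCM,data:..,iv:..,tag:..,type:..]
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]*,iv:[^,\]]*,tag:[^,\]]*,type:(str|int|float|bool)\]$"
)


def plaintext_leaves(node, path=()):
    """Yield dotted paths of leaf values that are not ENC[...] strings.
    The top-level "sops" metadata block is skipped: it is plaintext by design."""
    if isinstance(node, dict):
        for key, value in node.items():
            if not path and key == "sops":
                continue
            yield from plaintext_leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from plaintext_leaves(value, path + (str(i),))
    elif not (isinstance(node, str) and ENC_RE.match(node)):
        yield ".".join(path)


def check_partial_encryption(text, encrypted_regex=None):
    """Return paths of leaves that should be encrypted but are not.

    With encrypted_regex, only leaves whose path contains a key matching the
    pattern are expected to be encrypted (sops encrypts the whole subtree under
    a matching key); without it, every leaf outside "sops" must be encrypted."""
    doc = json.loads(text)
    if "sops" not in doc:
        raise ValueError("no top-level 'sops' metadata: file is not sops-encrypted")
    leaks = list(plaintext_leaves(doc))
    if encrypted_regex:
        rx = re.compile(encrypted_regex)
        leaks = [p for p in leaks if any(rx.search(seg) for seg in p.split("."))]
    return leaks


# Constructed sample: sops JSON output where two values were left in the clear.
SAMPLE = json.dumps({
    "db_password": "ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]",
    "db_host": "db.internal.example",
    "nested": {"api_token": "not-a-real-token"},
    "sops": {"version": "<sops-version>", "age": [{"recipient": "age1<placeholder>"}]},
})

if __name__ == "__main__":
    print("all leaves:", check_partial_encryption(SAMPLE))
    print("with encrypted_regex:", check_partial_encryption(SAMPLE, r"password|token"))
```

Run it against `sops -e --output-type json file` output in a pre-commit hook; a non-empty list means the `encrypted_regex` (or the rule's `path_regex`) does not cover what you expected.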