# Operations

Scope: Production deployment patterns, operational procedures, performance tuning, and troubleshooting for SOPS.

## Setup

### Key Management
```bash
# Generate an age key pair; the public key is printed and also recorded as a
# comment in the key file, the file itself holds the private key
mkdir -p ~/.config/sops/age
age-keygen -o ~/.config/sops/age/keys.txt
# This path is SOPS's default lookup location on Linux; set the variable only
# if the key lives elsewhere
export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt
# Or use AWS KMS
export SOPS_KMS_ARN="arn:aws:kms:us-east-1:123456789:key/uuid"
```
### .sops.yaml Configuration

```yaml
creation_rules:
  - path_regex: \.env$
    age: age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  - path_regex: secrets/.*\.yaml$
    kms: 'arn:aws:kms:us-east-1:123:key/uuid'
  - path_regex: \.json$
    pgp: 'FINGERPRINT'
```
### File Operations

```bash
# Encrypt
sops -e secrets.yaml > secrets.enc.yaml
# Decrypt
sops -d secrets.enc.yaml > secrets.yaml
# Edit in-place (opens $EDITOR on the plaintext, re-encrypts on save)
sops secrets.enc.yaml
# Rotate keys
sops -r secrets.enc.yaml
```
### GitOps Integration

```bash
# Flux Decryption Provider
flux create kustomization secrets \
  --source=flux-system \
  --path=./secrets \
  --decryption-provider=sops \
  --decryption-secret=sops-age
```
## Common Issues

| Issue | Diagnosis | Fix |
|---|---|---|
| Decryption fails | Check key availability | Verify SOPS_AGE_KEY_FILE path |
| Wrong key used | Check .sops.yaml path_regex | Fix creation_rules patterns |
| Partial encryption | Check encrypted_regex | Configure which fields to encrypt |
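The "Partial encryption" row is easiest to act on with a check you can run before a file is committed. The following Python script is an added example, not SOPS code and not part of the original page: it walks a SOPS-encrypted JSON document, honours the `encrypted_regex` recorded in the `sops` metadata block, and reports every value that should be ciphertext but is not. The `SAMPLE_DOC` is constructed for the example (PLACEHOLDER strings stand in for real ciphertext, IVs, tags, MAC and key material), and the function names are this example's own.

```python
import json
import re

# Shape of a SOPS-encrypted value: ENC[<cipher>,data:...,iv:...,tag:...,type:...]
ENC_VALUE = re.compile(r"^ENC\[[A-Z0-9_]+,data:[^\]]*\]$")
NO_METADATA = "<no 'sops' metadata block: file is not SOPS-encrypted>"

# Constructed sample (shape only; PLACEHOLDER replaces real ciphertext, IVs,
# tags, the MAC and the encrypted data key). encrypted_regex says only keys
# matching ^(password|token)$ must be encrypted, yet api.token is plaintext.
SAMPLE_DOC = {
    "db": {
        "host": "db.internal",
        "password": "ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]",
    },
    "api": {
        "token": "plaintext-token-that-should-have-been-encrypted",
        "url": "https://api.internal",
    },
    "sops": {
        "encrypted_regex": "^(password|token)$",
        "age": [{"recipient": "age1PLACEHOLDER", "enc": "PLACEHOLDER"}],
        "mac": "ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]",
    },
}


def iter_leaves(node, path=()):
    """Yield (key_path, value) for every scalar in a nested dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_leaves(value, path + (str(i),))
    else:
        yield path, node


def is_encrypted(value):
    """True when the stored value has the ENC[...] envelope SOPS writes."""
    return isinstance(value, str) and ENC_VALUE.match(value) is not None


def should_be_encrypted(path, encrypted_regex):
    """Without encrypted_regex every value is encrypted. With it, a value is
    encrypted when any key on its path matches, so a matching parent key
    covers its whole subtree."""
    if not encrypted_regex:
        return True
    pattern = re.compile(encrypted_regex)
    return any(pattern.search(key) for key in path)


def unencrypted_fields(doc):
    """Dotted paths of values that should be ciphertext but are not.

    The 'sops' metadata block is skipped: apart from the MAC and the
    per-recipient encrypted data keys it is plaintext by design.
    """
    meta = doc.get("sops") or {}
    regex = meta.get("encrypted_regex")
    body = {k: v for k, v in doc.items() if k != "sops"}
    return [".".join(path) for path, value in iter_leaves(body)
            if should_be_encrypted(path, regex) and not is_encrypted(value)]


def check_json_text(text):
    """Audit a JSON document as stored on disk, e.g. in a pre-commit hook."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or "sops" not in doc:
        return [NO_METADATA]
    return unencrypted_fields(doc)


if __name__ == "__main__":
    print(unencrypted_fields(SAMPLE_DOC))  # ['api.token']
```

An empty result means every field the rule set demands is ciphertext; a non-empty one names the fields to fix (usually by widening `encrypted_regex` in `.sops.yaml` and re-encrypting). The same walk applies to YAML once it has been loaded into a dict.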
## Commands & Recipes

### Setup with age

```bash
# Install SOPS
brew install sops   # or: go install github.com/getsops/sops/v3/cmd/sops@latest
# Install age
brew install age
# Generate age key (the file holds the private key; keep it out of the repository)
age-keygen -o ~/.sops/key.txt
# Prints: Public key: age1abc123... (this is the recipient to put in .sops.yaml)
```
### .sops.yaml Configuration

```yaml
# .sops.yaml (repository root)
# The first rule whose path_regex matches wins, so the catch-all .*\.yaml$
# rule must stay last. Listing age and kms in one rule (without key_groups)
# means either key alone can decrypt the file.
creation_rules:
  - path_regex: secrets/production/.*\.yaml$
    age: age1productionkey123...
    kms: arn:aws:kms:us-east-1:123456:key/abc-123
  - path_regex: secrets/staging/.*\.yaml$
    age: age1stagingkey456...
  - path_regex: .*\.yaml$
    age: age1defaultkey789...
```
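Rule order decides which recipients a new file is encrypted to, which is why "Wrong key used" in the troubleshooting table points at `path_regex`. The following Python script is an added example, not SOPS code and not part of the original page: it mirrors the `creation_rules` above as plain Python data (no YAML library needed), reproduces SOPS's first-match semantics, and checks a set of paths against the rule you intend to govern each one. It serves both `.sops.yaml` sections on this page; the `age1...` and KMS values are the page's own placeholders, and `match_rule`, `keys_for` and `audit_order` are this example's names.

```python
import re

# Added example, not SOPS code: the creation_rules above as Python data.
# The age/kms values are the page's placeholder strings.
CREATION_RULES = [
    {"path_regex": r"secrets/production/.*\.yaml$",
     "age": "age1productionkey123...",
     "kms": "arn:aws:kms:us-east-1:123456:key/abc-123"},
    {"path_regex": r"secrets/staging/.*\.yaml$",
     "age": "age1stagingkey456..."},
    {"path_regex": r".*\.yaml$",
     "age": "age1defaultkey789..."},
]

# Fields of a creation rule that name master keys.
KEY_FIELDS = ("age", "kms", "pgp", "gcp_kms", "azure_keyvault",
              "hc_vault_transit_uri")


def match_rule(path, rules=CREATION_RULES):
    r"""Return (index, rule) for the first rule whose path_regex matches, else None.

    SOPS evaluates rules top to bottom and stops at the first match. The
    regex is applied to the path relative to the directory holding
    .sops.yaml as an unanchored search, so r"\.env$" also matches
    "config/app.env".
    """
    for index, rule in enumerate(rules):
        if re.search(rule["path_regex"], path):
            return index, rule
    return None


def keys_for(path, rules=CREATION_RULES):
    """Master keys a file created at `path` would be encrypted to ({} = no rule)."""
    hit = match_rule(path, rules)
    if hit is None:
        return {}
    return {k: v for k, v in hit[1].items() if k in KEY_FIELDS}


def audit_order(expectations, rules=CREATION_RULES):
    """Check that each path is governed by the rule you intend.

    `expectations` maps path -> the path_regex meant to apply. Returns
    {path: path_regex actually applied (None if no rule matched)} for every
    mismatch; a non-empty result usually means a broader pattern sits above
    a narrower one, which is the "Wrong key used" symptom.
    """
    mismatches = {}
    for path, intended in expectations.items():
        hit = match_rule(path, rules)
        actual = None if hit is None else hit[1]["path_regex"]
        if actual != intended:
            mismatches[path] = actual
    return mismatches


if __name__ == "__main__":
    for p in ("secrets/production/db.yaml", "secrets/staging/db.yaml",
              "apps/config.yaml", "secrets/production/db.json"):
        print(p, "->", keys_for(p))
    # Misordered variant: with the catch-all first, production files would
    # silently get the default key instead of the production age + KMS pair.
    misordered = [CREATION_RULES[2]] + CREATION_RULES[:2]
    print(audit_order({"secrets/production/db.yaml":
                       r"secrets/production/.*\.yaml$"}, misordered))
```

Run `audit_order` over the paths you actually keep in the repository whenever `.sops.yaml` changes; `sops` itself does not warn when a narrower rule is shadowed, it simply uses the first match.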
### Core Operations

```bash
# Encrypt a file
sops --encrypt secrets.yaml > secrets.enc.yaml
# or in-place:
sops --encrypt --in-place secrets.yaml
# Decrypt
sops --decrypt secrets.enc.yaml
# Edit in-place (decrypt → editor → re-encrypt)
sops secrets.enc.yaml
# Rotate keys (re-encrypt with new master key)
sops --rotate --in-place secrets.enc.yaml
```
### Flux Integration

```bash
# Create age secret for Flux
cat ~/.sops/key.txt | kubectl create secret generic sops-age \
  --namespace=flux-system \
  --from-file=age.agekey=/dev/stdin
# In Kustomization, enable SOPS decryption
flux create kustomization myapp \
  --source=GitRepository/myapp \
  --path="./k8s" \
  --prune=true \
  --decryption-provider=sops \
  --decryption-secret=sops-age
```
### ArgoCD Integration

```yaml
# ArgoCD Application (fragment): rendering is delegated to a SOPS-aware plugin
# Use argocd-vault-plugin or ksops for ArgoCD + SOPS
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp
spec:
  source:
    plugin:
      name: ksops
    # repoURL, path and the destination block are omitted here
```