SOPS
CLI tool that encrypts the values of structured files (YAML, JSON, ENV, INI) in place, and the de facto standard for committing encrypted secrets to Git in GitOps workflows.
Overview
SOPS (Secrets OPerationS), originally developed at Mozilla and now maintained at github.com/getsops/sops, encrypts only the values in a structured file and leaves keys and structure in plaintext, so a Git diff still shows which entry changed without revealing what it changed to. Each value is encrypted with AES-256-GCM under a per-file data key; that data key is wrapped by every configured master key (age, AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault Transit, PGP) and stored, together with a MAC over the values, in a `sops` metadata block inside the file itself. Unless key groups with a Shamir threshold are configured, any one master key unwraps the data key, so the same file can be readable by an operator's age key and a cluster's KMS key at once; the MAC makes edits made outside sops fail at decrypt time. SOPS is the usual way to keep encrypted secrets in Git for GitOps: Flux's kustomize-controller decrypts SOPS files natively, while Argo CD needs a plugin (ksops is the common choice). It is a CNCF Sandbox project.
Key Facts
| Attribute | Detail |
|---|---|
| Repository | github.com/getsops/sops |
| Stars | ~17k+ ⭐ |
| Language | Go |
| License | MPL 2.0 |
| Governance | CNCF Sandbox |
| Recommended Backend | age (over PGP) |
Evaluation
| Pros | Cons |
|---|---|
| Encrypts values only, so files stay Git-diffable and reviewable | No centralized secret management: the encrypted file in Git is the source of truth, with no rotation or lease lifecycle |
| Multiple key backends (age, AWS KMS, GCP KMS, Azure Key Vault, Vault Transit, PGP) | Key distribution is manual for age and PGP keys; only the cloud KMS backends delegate this to IAM |
| Well suited to GitOps: Flux kustomize-controller decrypts natively, Argo CD via a plugin | No dynamic secrets: every value is static until someone re-encrypts the file |
| In-place editing (decrypt, edit in `$EDITOR`, re-encrypt on save) | No audit logging of its own; KMS-backed files at least surface each data-key unwrap in the cloud audit trail (e.g. CloudTrail), age and PGP files leave no trace |
| `.sops.yaml` applies path-based creation rules, so the right keys are chosen automatically per directory | No access control beyond key possession for age and PGP; with KMS backends the decrypt call is gated by IAM policy instead |
| CNCF Sandbox, wide adoption | |
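The `.sops.yaml` creation rules are where most of the operational policy lives, so here is a complete one as an added example. It is not a file from the SOPS project or its documentation; the age recipients, the KMS key ARN, the IAM role and the directory names are placeholders chosen for illustration. It shows the two patterns a practitioner usually needs: a rule for Kubernetes Secret manifests that encrypts only the `data`/`stringData` subtrees and makes the file decryptable by either an operator's age key or the cluster's KMS key, and a catch-all rule that encrypts every value.

```yaml
# .sops.yaml at the repository root (added example; all identifiers are placeholders).
# sops looks for this file in the directory of the target file and its parents and
# applies the FIRST creation_rule whose path_regex matches the file's relative path,
# so the most specific rule goes first.
creation_rules:
  # Kubernetes Secret manifests for production.
  # encrypted_regex: only keys matching the regex (and their whole subtree) are
  # encrypted, so apiVersion/kind/metadata stay readable for kustomize and reviewers.
  - path_regex: clusters/prod/.*\.ya?ml$
    encrypted_regex: ^(data|stringData)$
    # One key_group: ANY key listed in it can unwrap the data key. Adding a second
    # group (and optionally shamir_threshold) would require one key from EACH group.
    key_groups:
      - age:
          # placeholder public key of the on-call/ops team
          - age1PLACEHOLDER_OPS_TEAM_RECIPIENT
        kms:
          # placeholder KMS key; the role is what the Flux controller (via IRSA)
          # or a CI job assumes to call kms:Decrypt
          - arn: arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000
            role: arn:aws:iam::111122223333:role/flux-sops-decrypt

  # Everything else under secrets/: every value encrypted, developer key only.
  # Without encrypted_regex the default policy applies: all values are encrypted
  # except subtrees whose key ends in unencrypted_suffix ("_unencrypted" by default).
  - path_regex: secrets/.*
    age: age1PLACEHOLDER_DEV_RECIPIENT
```

With this file in place, `sops --encrypt --in-place clusters/prod/app-secret.yaml` picks the first rule without any `--age` or `--kms` flags, and plain `sops clusters/prod/app-secret.yaml` opens the decrypted manifest in `$EDITOR` and re-encrypts it on save. On the cluster side, a Flux `Kustomization` with `spec.decryption.provider: sops` decrypts with either the KMS key (through the controller's IAM identity) or an age private key stored in the Secret named by `spec.decryption.secretRef`. Keep the two regexes honest: `path_regex` is matched against the path relative to the `.sops.yaml`, so a file that matches no rule is refused rather than silently encrypted to a default key.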
How It Works
```mermaid
flowchart LR
subgraph Encrypt["Encryption"]
Plain["secrets.yaml\n(plaintext)"]
SOPS_E["sops --encrypt"]
Enc["secrets.yaml\n(values encrypted,\nkeys visible)"]
end
subgraph Git_S["Git Repository"]
Stored["secrets.yaml\n(encrypted)"]
end
subgraph Decrypt["Decryption"]
SOPS_D["sops --decrypt"]
Decrypted["secrets.yaml\n(plaintext)"]
end
Plain --> SOPS_E --> Enc --> Stored
Stored --> SOPS_D --> Decrypted
style Enc fill:#2e7d32,color:#fff
style Stored fill:#1565c0,color:#fff
```
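The diagram hides the part that matters in review: what an encrypted file actually looks like, and how you notice when one is not. In the on-disk format every leaf value is replaced by a string of the form `ENC[AES256_GCM,data:<b64>,iv:<b64>,tag:<b64>,type:str]` and a top-level `sops` object holds the wrapped data key per recipient plus the (itself encrypted) MAC. The script below is an added example, not part of SOPS and not calling the `sops` binary: a pre-commit style check that walks a SOPS-encrypted JSON document, reproduces the `unencrypted_suffix` and `encrypted_regex` policies recorded in the metadata, and reports any leaf that is plaintext where ciphertext is expected. It is a structural check only; verifying the MAC needs the data key, which is exactly what a CI job without decrypt rights should not have. The sample documents are constructed by hand (the base64 payloads and the age recipient are placeholders, not real ciphertext), and the tampered one simulates a password pasted into an encrypted file by hand instead of through `sops`.

```python
"""Structural pre-commit check for SOPS-encrypted JSON files (added example)."""
import json
import re
import sys

# Shape of a sops-encrypted leaf; 'comment' is used for encrypted YAML comments.
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]*,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(str|int|float|bool|comment)\]$"
)
DEFAULT_UNENCRYPTED_SUFFIX = "_unencrypted"
# Metadata entries under "sops" that carry a wrapped copy of the data key.
KEY_BACKENDS = ("age", "pgp", "kms", "gcp_kms", "azure_kv", "hc_vault")


def is_encrypted_value(value):
    return isinstance(value, str) and ENC_RE.match(value) is not None


def check_document(doc):
    """Return a list of problems; an empty list means the file is safe to commit."""
    problems = []
    meta = doc.get("sops") if isinstance(doc, dict) else None
    if not isinstance(meta, dict):
        return ["missing 'sops' metadata block (file is not sops-encrypted)"]
    if not any(meta.get(backend) for backend in KEY_BACKENDS):
        problems.append("sops metadata lists no master key; nobody could decrypt this")
    if not is_encrypted_value(meta.get("mac")):
        problems.append("sops metadata has no MAC; edits outside sops would go unnoticed")

    # sops records the policy used at encryption time so decrypt can reproduce it.
    # encrypted_regex: a matching key encrypts its whole subtree, everything else is plain.
    # unencrypted_suffix (the default policy): everything is encrypted except subtrees
    # whose key ends with the suffix.
    enc_re = re.compile(meta["encrypted_regex"]) if meta.get("encrypted_regex") else None
    suffix = meta.get("unencrypted_suffix", DEFAULT_UNENCRYPTED_SUFFIX)

    def walk(node, path, must_encrypt):
        if isinstance(node, dict):
            for key, child in node.items():
                if key == "sops" and not path:
                    continue  # the metadata block is plaintext by design
                if enc_re is not None:
                    child_must = must_encrypt or enc_re.search(key) is not None
                else:
                    child_must = must_encrypt and not key.endswith(suffix)
                walk(child, path + [key], child_must)
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, path + [str(i)], must_encrypt)
        elif must_encrypt and not is_encrypted_value(node):
            problems.append(f"{'.'.join(path)}: plaintext value where ciphertext expected")

    walk(doc, [], enc_re is None)
    return problems


# --- constructed samples (placeholder ciphertext, not produced by sops) ---
SOPS_META = {
    "age": [{"recipient": "age1PLACEHOLDER_RECIPIENT",
             "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nPLACEHOLDER\n-----END AGE ENCRYPTED FILE-----\n"}],
    "lastmodified": "2024-01-01T00:00:00Z",
    "mac": "ENC[AES256_GCM,data:bWFj,iv:YmFy,tag:YmF6,type:str]",
    "unencrypted_suffix": "_unencrypted",
}
ENCRYPTED_DOC = {
    "db": {
        "host_unencrypted": "db.internal",  # readable on purpose (suffix policy)
        "password": "ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]",
        "port": "ENC[AES256_GCM,data:MzM=,iv:YmFy,tag:YmF6,type:int]",
    },
    "api_key": "ENC[AES256_GCM,data:cXV4,iv:YmFy,tag:YmF6,type:str]",
    "sops": dict(SOPS_META),
}
# Someone edited the file by hand instead of through sops.
TAMPERED_DOC = json.loads(json.dumps(ENCRYPTED_DOC))
TAMPERED_DOC["db"]["password"] = "hunter2"
# Kubernetes Secret encrypted with encrypted_regex: only data/stringData is ciphertext.
K8S_SECRET_DOC = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "app"},
    "data": {"token": "ENC[AES256_GCM,data:dG9r,iv:YmFy,tag:YmF6,type:str]"},
    "sops": {**{k: v for k, v in SOPS_META.items() if k != "unencrypted_suffix"},
             "encrypted_regex": "^(data|stringData)$"},
}

if __name__ == "__main__":
    # Usage: check_sops.py file.json [more.json ...]; exits 1 if anything is wrong.
    failed = False
    for file_path in sys.argv[1:]:
        with open(file_path) as fh:
            for problem in check_document(json.load(fh)):
                print(f"{file_path}: {problem}")
                failed = True
    sys.exit(1 if failed else 0)
```

Wire it up as a pre-commit hook on `secrets/**/*.json` (or a YAML variant using PyYAML, since the `ENC[...]` format and the `sops` block are the same) and a hand-pasted plaintext value is rejected before it reaches the remote. Note what the check does not do: it cannot tell whether the placeholders are valid ciphertext or whether the MAC matches, so it complements rather than replaces a `sops --decrypt` in a job that is allowed to hold the key.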
Supported Backends
| Backend | Use Case |
|---|---|
| age | ✅ Recommended: simple, modern, no keyring complexity; one `age1...` recipient per operator or environment, private keys handed out manually |
| AWS KMS | Cloud-native; `kms:Decrypt` on the key is gated by IAM and every unwrap of the data key is recorded in CloudTrail |
| GCP KMS | Cloud-native; the decrypt call is gated by Cloud IAM and logged in Cloud Audit Logs |
| Azure Key Vault | Cloud-native; access controlled through Azure AD (Microsoft Entra ID) and Key Vault access policies |
| HashiCorp Vault Transit | The data key is wrapped by a Vault transit key, so Vault policy decides who can unwrap it and Vault keeps the audit trail |
| PGP | Legacy: still supported, but keyring management is complex and error-prone; prefer age for new setups |
Sources