Download
sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. For the adventurous, unstable features are available in the develop branch, which you can install from source. To use sops as a library, take a look at the decrypt package. We rewrote Sops in Go to solve a number of deployment issues, but the Python branch still exists under python-sops. We will keep maintaining it for a while, and you can still pip install sops, but we strongly recommend you use the Go version instead. If you're using AWS KMS, create one or multiple master keys in the IAM console and export them, comma separated, in the SOPS_KMS_ARN env variable. It is recommended to use at least two master keys in different regions. If you want to use PGP, export the fingerprints of the public keys, comma separated, in the SOPS_PGP_FP env variable.
Features
- Editing will happen in whatever editor is set to, or, if it's not set, in vim
- A copy of the encryption/decryption key is stored securely in each KMS and PGP block
- As long as one of the KMS or PGP method is still usable, you will be able to access your data
- sops encrypted files contain the necessary information to decrypt their content
- All a user of sops needs is valid AWS credentials and the necessary permissions on KMS keys
- Encrypting/decrypting with GCP KMS requires a KMS ResourceID
Project Samples
