SOPS: Secrets OPerationS

Simple And Flexible Tool For Managing Secrets

Encrypt configuration. Keep structure visible. Access management through identities. Offline and cloud-based identities.

Encrypt configuration sensibly

SOPS encrypts configuration files while keeping their structure visible: keys stay in plaintext, while values and comments are encrypted. This lets you understand the layout of a configuration without seeing its sensitive values, and commented-out secrets aren’t suddenly visible to everyone either!

Various config file formats

SOPS supports YAML, JSON, and specific flavors of INI and DotEnv configuration files. You can also encrypt files completely through SOPS’ “binary” store.

Managing access through identities

Access to configuration is managed through identities. You can configure the set of identities that can access a file, and you can also require that a user hold several identities together in order to decrypt a file.

Works offline and online

SOPS can use offline methods (Age, PGP/GnuPG) and online methods (cloud-based KMSes, secret management software) to encrypt and decrypt a configuration’s session key. You can use SOPS in cloud infrastructure and also locally for disaster recovery.

Security

The security of data stored with SOPS is only as strong as the weakest cryptographic mechanism involved. Values are encrypted using AES-256 in GCM mode. How securely the session key is stored depends on the identities used. For example, you can use hybrid post-quantum encryption through Age.
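The three points above (structure stays visible, a per-file session key protects the values, the values themselves are AES-256-GCM ciphertexts) can be illustrated with a small structure-preserving encryptor. The Go program below is an added example written for this page; it is not SOPS code and its `ENC[AES256_GCM,...]` token is a simplified stand-in that is not byte-compatible with SOPS’ file format. It walks a JSON object tree, leaves every key name and the nesting untouched, seals each scalar value with AES-256-GCM under a random 256-bit data key, and binds the value’s path in the tree as additional authenticated data so that a ciphertext cannot be silently moved under a different key. Wrapping that data key for each identity (Age, PGP, a KMS) is the part SOPS adds on top and is out of scope here. The sample document and all names (`NewDataKey`, `Transform`, `sealLeaf`, `openLeaf`, `walk`) are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample input (not from the SOPS page): a plaintext JSON config.
const sampleConfig = `{"database": {"host": "db.internal", "port": 5432, "password": "hunter2"}, "feature_flags": {"beta": true}}`

const prefix = "ENC[AES256_GCM,"

// NewDataKey returns a random 256-bit key, the analogue of the per-file
// session key that SOPS generates and then wraps with each configured identity.
func NewDataKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// sealLeaf encrypts one scalar with AES-256-GCM, binding the value's path as
// additional authenticated data so a ciphertext moved under another key fails
// to open. The ENC[...] token is a simplified stand-in for SOPS's own markers.
func sealLeaf(gcm cipher.AEAD, path string, leaf interface{}) (string, error) {
	plain, err := json.Marshal(leaf) // JSON text preserves the scalar's type
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plain, []byte(path)) // nonce || ciphertext || tag
	return prefix + base64.StdEncoding.EncodeToString(sealed) + "]", nil
}

// openLeaf reverses sealLeaf; it fails for a wrong key, a tampered ciphertext,
// or a ciphertext that was moved to another path.
func openLeaf(gcm cipher.AEAD, path, token string) (interface{}, error) {
	sealed, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(strings.TrimPrefix(token, prefix), "]"))
	ns := gcm.NonceSize()
	if !strings.HasPrefix(token, prefix) || err != nil || len(sealed) < ns {
		return nil, fmt.Errorf("value at %s is not a valid ENC token", path)
	}
	plain, err := gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(path))
	if err != nil {
		return nil, fmt.Errorf("authentication failed at %s: %w", path, err)
	}
	var v interface{}
	err = json.Unmarshal(plain, &v)
	return v, err
}

// walk copies maps (the visible structure) unchanged and seals or opens every
// scalar leaf, keyed by its path such as "/database/password".
func walk(node interface{}, path string, gcm cipher.AEAD, encrypt bool) (interface{}, error) {
	m, ok := node.(map[string]interface{})
	if !ok {
		if encrypt {
			return sealLeaf(gcm, path, node)
		}
		tok, _ := node.(string) // a non-string leaf is not a token; openLeaf rejects it
		return openLeaf(gcm, path, tok)
	}
	out := make(map[string]interface{}, len(m))
	for k, child := range m {
		c, err := walk(child, path+"/"+k, gcm, encrypt)
		if err != nil {
			return nil, err
		}
		out[k] = c
	}
	return out, nil
}

// Transform encrypts (encrypt=true) or decrypts (encrypt=false) every value of
// a JSON object tree with the data key; key names and nesting stay readable.
func Transform(key, doc []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	var root interface{}
	if err := json.Unmarshal(doc, &root); err != nil {
		return nil, err
	}
	out, err := walk(root, "", gcm, encrypt)
	if err != nil {
		return nil, err
	}
	return json.Marshal(out)
}

func main() {
	key, _ := NewDataKey()
	enc, _ := Transform(key, []byte(sampleConfig), true)
	fmt.Println(string(enc)) // keys readable, every value an ENC[...] token
}
```

Running it prints the same object shape as the input, with `hunter2`, `5432` and `true` replaced by tokens; decrypting with the same key restores the original types, while a wrong key or a token copied from `password` to `host` is rejected by the GCM tag check. Real SOPS files additionally carry a `sops` metadata section holding the wrapped data key for each identity, a MAC over the whole file, and per-value type tags; none of that is modelled here.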

Key stores

SOPS supports Age and PGP/GnuPG for offline identities, and Amazon AWS KMS, Google Cloud KMS, Azure KMS, HuaweiCloud KMS, HashiCorp Vault, and OpenBAO for online identities.