SOPS Encryption
Encrypt secrets in configuration files while keeping structure visible.
When to Use This Skill
Use this skill when:
- Encrypting secrets in Git
- Implementing GitOps with secrets
- Managing Kubernetes secrets as code
- Encrypting configuration files
Prerequisites
- SOPS installed
- KMS access (AWS, GCP, Azure) or PGP key
Installation
```bash
# macOS
brew install sops

# Linux
wget https://github.com/getsops/sops/releases/download/v3.8.0/sops-v3.8.0.linux.amd64
chmod +x sops-v3.8.0.linux.amd64
# Writing to /usr/local/bin normally requires root
sudo mv sops-v3.8.0.linux.amd64 /usr/local/bin/sops
```
Basic Usage
```bash
# Encrypt with AWS KMS
sops --encrypt --kms arn:aws:kms:region:account:key/key-id secrets.yaml > secrets.enc.yaml

# Decrypt
sops --decrypt secrets.enc.yaml

# Edit encrypted file
sops secrets.enc.yaml

# Encrypt in place
sops --encrypt --in-place secrets.yaml
```
Configuration
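```yaml
# .sops.yaml
# Rules are checked in order and the first matching path_regex wins,
# so the catch-all rule stays last.
creation_rules:
  - path_regex: .*\.prod\.yaml$
    kms: arn:aws:kms:us-east-1:account:key/prod-key
  - path_regex: .*\.dev\.yaml$
    kms: arn:aws:kms:us-east-1:account:key/dev-key
  - path_regex: .*
    pgp: fingerprint
```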
Kubernetes Integration
```yaml
# encrypted secret
apiVersion: v1
kind: Secret
metadata:
  name: myapp-secrets
type: Opaque
stringData:
  password: ENC[AES256_GCM,data:encrypted...]
sops:
  kms:
    - arn: arn:aws:kms:region:account:key/key-id

# With ArgoCD
# Install ksops plugin for ArgoCD to decrypt secrets
```
Best Practices
- Store .sops.yaml in repository
- Use different keys per environment
- Rotate encryption keys regularly
- Never commit unencrypted secrets
- Use key aliases for readability
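One way to enforce "Never commit unencrypted secrets" before a commit lands, as an added example (not part of the original skill or of SOPS itself). It assumes single-document Secret manifests in which only `data`/`stringData` values are encrypted, as in the manifest above; the name `find_plaintext` and the sample manifest are hypothetical, and the scan is line-based rather than a full YAML parser.

```python
import re
import sys
from pathlib import Path

# Value shape shown on this page: ENC[AES256_GCM,data:...]
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:.+\]$")
TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):")          # unindented mapping key
CHILD = re.compile(r"^\s+([^\s:#][^:]*):\s*(.*)$")    # indented "key: value"
SECRET_BLOCKS = {"data", "stringData"}

def find_plaintext(text):
    """Return (line_number, key) for every value under data:/stringData: that
    is not an ENC[...] envelope, plus (0, "sops") if sops: metadata is missing."""
    findings, block, has_sops = [], None, False
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        top = TOP_KEY.match(line)
        if top:  # a new top-level section starts here
            block = top.group(1)
            has_sops = has_sops or block == "sops"
            continue
        child = CHILD.match(line)
        if block in SECRET_BLOCKS and child:
            value = child.group(2).strip().strip("'\"")
            if not ENC_VALUE.match(value):
                findings.append((number, child.group(1)))
    if not has_sops:
        findings.append((0, "sops"))
    return findings

# Constructed sample manifest: api_token was left in plaintext by mistake.
SAMPLE = """\
kind: Secret
stringData:
  password: ENC[AES256_GCM,data:c2FtcGxl,type:str]
  api_token: not-encrypted-example
sops:
  kms:
    - arn: arn:aws:kms:region:account:key/key-id
"""

if __name__ == "__main__":
    texts = {p: Path(p).read_text() for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    hits = [(p, n, k) for p, t in texts.items() for n, k in find_plaintext(t)]
    for path, number, key in hits:
        print(f"{path}:{number}: '{key}' is not SOPS-encrypted")
    sys.exit(1 if hits else 0)
```

Run it with the staged manifest paths as arguments; a non-zero exit status blocks the commit when wired into a pre-commit hook.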
Related Skills
- hashicorp-vault - Centralized secrets
- argocd-gitops - GitOps integration
Repository
bagelhole/devop…t-skills
GitHub Stars
13
First Seen
Feb 4, 2026