Analysis updated 2026-06-21
Store production database passwords and API keys encrypted inside your infrastructure repo alongside the code that uses them.
Rotate encryption keys for secrets files without re-sharing credentials with teammates.
Decrypt secrets at deploy time inside a CI/CD pipeline using a cloud KMS key the pipeline can access.
Edit encrypted YAML config files directly in your normal editor with a single sops edit command.
| | getsops/sops | dgraph-io/dgraph | henrygd/beszel |
|---|---|---|---|
| Stars | 21,702 | 21,669 | 21,644 |
| Language | Go | Go | Go |
| Setup difficulty | moderate | moderate | easy |
| Complexity | 3/5 | 4/5 | 2/5 |
| Audience | ops devops | developer | ops devops |
Figures from each repo's GitHub metadata at analysis time.
Requires access to a supported key service such as AWS KMS, GCP KMS, age, or PGP to encrypt and decrypt files.
SOPS, short for Secrets OPerationS, is a command-line tool for safely keeping configuration secrets (passwords, API keys, certificates) inside ordinary text files that you can commit to a code repository. The problem it solves is that real applications need these values in files like YAML, JSON, ENV, INI, or binary blobs, but checking those files in unencrypted leaks the secrets, and encrypting the whole file as one opaque blob makes diffs and code review unreadable. SOPS encrypts only the values, leaving the keys and overall structure visible, so a teammate can see that there is a "db.password" field and how it relates to neighbouring settings without ever seeing its cleartext contents.

The way it works is described in the README. Each secret value is wrapped with AES-256-GCM, and the underlying data key used for that encryption is itself encrypted once per recipient using one or more external key services: AWS KMS, GCP KMS, Azure Key Vault, HuaweiCloud KMS, the age encryption tool, or PGP. Each recipient's wrapped copy of the key is stored in a "sops" section at the bottom of the file. As long as one of those methods is still usable, the file can be decrypted, which makes key rotation and multi-team access straightforward.

The everyday workflow is essentially one command, "sops edit", which decrypts the file into your usual editor, watches for changes, and re-encrypts on save. There is also a Go library for decrypting from inside another application. You would use SOPS to keep production credentials in git alongside the infrastructure code that needs them, with permissions enforced by the cloud key service rather than by ad-hoc sharing. It is written in Go.
SOPS encrypts only the secret values inside YAML, JSON, and ENV files, not the whole file, so you can safely commit credentials to a code repository while keeping the structure readable.
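Because keys stay readable and only values are encrypted, a repository check can walk a secrets file and report any value that was committed in cleartext. The sketch below is an added example, not code from the SOPS project: it assumes SOPS writes encrypted values as `ENC[AES256_GCM,...]` strings and leaves keys ending in `_unencrypted` in cleartext (neither detail is stated on this page), and `CleartextLeaves` and `sample` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

const sample = `{"db": {"user": "ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]", "password": "hunter2",
  "port": 5432, "hosts": ["ENC[AES256_GCM,data:aA==,iv:aXY=,tag:dGFn,type:str]"]}, "note_unencrypted": "readable",
  "sops": {"version": "constructed", "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]"}}` // constructed sample, not real SOPS output

// walk appends to out the path of every leaf that is not an ENC[...] string.
func walk(path string, node interface{}, out *[]string) {
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			if (path == "" && k == "sops") || strings.HasSuffix(k, "_unencrypted") {
				continue // sops metadata, or a key marked as intentional cleartext (assumed suffix)
			}
			walk(strings.TrimPrefix(path+"."+k, "."), child, out)
		}
	case []interface{}:
		for i, child := range v {
			walk(fmt.Sprintf("%s[%d]", path, i), child, out)
		}
	default: // leaf: flag anything except null or an ENC[...] string
		s, isStr := v.(string)
		if v != nil && !(isStr && strings.HasPrefix(s, "ENC[AES256_GCM,")) {
			*out = append(*out, path)
		}
	}
}

// CleartextLeaves returns the sorted paths of values left unencrypted.
func CleartextLeaves(doc []byte) ([]string, error) {
	var root interface{}
	if err := json.Unmarshal(doc, &root); err != nil {
		return nil, err
	}
	out := []string{}
	walk("", root, &out)
	sort.Strings(out)
	return out, nil
}

func main() {
	fmt.Println(CleartextLeaves([]byte(sample)))
}
```

A check like this only inspects the shape of each value; it does not verify that the ciphertext decrypts or that the file's integrity data is valid.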
Mainly Go. The stack also includes AWS KMS and GCP KMS.
Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.
Audience: mainly ops and DevOps.
Verify against the repo before relying on details.