explaingit

getsops/sops

Analysis updated 2026-06-21

21,702 stars · Go · Audience · ops devops · Complexity · 3/5 · Setup · moderate

TLDR

SOPS encrypts only the secret values inside YAML, JSON, and ENV files, not the whole file, so you can safely commit credentials to a code repository while keeping the structure readable.

Mindmap

mindmap
  root((SOPS))
    What it does
      Encrypt secret values
      Safe git commits
      Readable structure
    Key Services
      AWS KMS
      GCP KMS
      Azure Key Vault
      age and PGP
    Use Cases
      Secret storage
      Key rotation
      CI/CD pipelines
    File Formats
      YAML
      JSON
      ENV files

What do people build with it?

USE CASE 1

Store production database passwords and API keys encrypted inside your infrastructure repo alongside the code that uses them.

USE CASE 2

Rotate encryption keys for secrets files without re-sharing credentials with teammates.

USE CASE 3

Decrypt secrets at deploy time inside a CI/CD pipeline using a cloud KMS key the pipeline can access.

USE CASE 4

Edit encrypted YAML config files directly in your normal editor with a single sops edit command.

What is it built with?

Go, AWS KMS, GCP KMS, Azure Key Vault, age, PGP

How does it compare?

| | getsops/sops | dgraph-io/dgraph | henrygd/beszel |
|---|---|---|---|
| Stars | 21,702 | 21,669 | 21,644 |
| Language | Go | Go | Go |
| Setup difficulty | moderate | moderate | easy |
| Complexity | 3/5 | 4/5 | 2/5 |
| Audience | ops devops | developer | ops devops |

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires access to a supported key service such as AWS KMS, GCP KMS, age, or PGP to encrypt and decrypt files.

In plain English

SOPS, short for Secrets OPerationS, is a command-line tool for safely keeping configuration secrets (passwords, API keys, certificates) inside ordinary text files that you can commit to a code repository. The problem it solves is that real applications need these values in files like YAML, JSON, ENV, INI, or binary blobs, but checking those files in unencrypted leaks the secrets, and encrypting the whole file as one opaque blob makes diffs and code review unreadable. SOPS encrypts only the values, leaving the keys and overall structure visible, so a teammate can see that there is a "db.password" field and how it relates to neighbouring settings without ever seeing its cleartext contents.

The way it works is described in the README. Each secret value is encrypted with AES-256-GCM, and the underlying data key used for that encryption is itself encrypted once per recipient using one or more external key services: AWS KMS, GCP KMS, Azure Key Vault, HuaweiCloud KMS, the age encryption tool, or PGP. Each recipient's wrapped copy of the key is stored in a "sops" section at the bottom of the file. As long as one of those methods is still usable, the file can be decrypted, which makes key rotation and multi-team access straightforward.

The everyday workflow is essentially one command, "sops edit", which decrypts the file into your usual editor, watches for changes, and re-encrypts on save. There is also a Go library for decrypting from inside another application.

You would use SOPS to keep production credentials in git alongside the infrastructure code that needs them, with permissions enforced by the cloud key service rather than by ad-hoc sharing. It is written in Go.
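The value-level encryption and per-recipient key wrapping described above, as an added Go example; it is not SOPS's code and does not produce SOPS's file format. The `Key` type, the function names, the use of local 32-byte keys in place of KMS, age or PGP recipients, and binding each ciphertext to its field name as additional authenticated data are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Key [32]byte // 256-bit recipient key; stands in for a KMS, age or PGP recipient (assumption)

func aead(k []byte) cipher.AEAD {
	b, _ := aes.NewCipher(k) // every caller passes exactly 32 bytes
	g, _ := cipher.NewGCM(b)
	return g
}

func seal(k, pt []byte, aad string) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(k).Seal(nonce, nonce, pt, []byte(aad)) // nonce||ciphertext, bound to aad
}

// EncryptDoc seals each value under one fresh data key and wraps that key once per recipient.
func EncryptDoc(doc map[string]string, keks map[string]Key) (enc, wrapped map[string][]byte) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	enc, wrapped = map[string][]byte{}, map[string][]byte{}
	for field, v := range doc {
		enc[field] = seal(dataKey, []byte(v), field) // field name stays readable
	}
	for name, kek := range keks {
		wrapped[name] = seal(kek[:], dataKey, name)
	}
	return enc, wrapped
}

// DecryptField unwraps the data key with ONE recipient's key, then opens one field.
func DecryptField(enc, wrapped map[string][]byte, name string, kek Key, field string) (string, error) {
	if len(wrapped[name]) < 12 || len(enc[field]) < 12 {
		return "", fmt.Errorf("no recipient %q or no field %q", name, field)
	}
	dataKey, err := aead(kek[:]).Open(nil, wrapped[name][:12], wrapped[name][12:], []byte(name))
	if err != nil || len(dataKey) != 32 {
		return "", fmt.Errorf("cannot unwrap data key as %q", name)
	}
	pt, err := aead(dataKey).Open(nil, enc[field][:12], enc[field][12:], []byte(field))
	return string(pt), err
}
```

Deleting one recipient's entry from `wrapped` leaves every other recipient able to decrypt, which is the property the rotation and multi-team workflows rely on.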

Copy-paste prompts

Prompt 1
I want to use SOPS to encrypt a YAML secrets file using AWS KMS. Walk me through setting up .sops.yaml and encrypting my first file.
Prompt 2
How do I use SOPS with the age encryption tool instead of AWS KMS to encrypt a JSON secrets file with no cloud dependency?
Prompt 3
Set up a workflow where my team can decrypt the same SOPS-encrypted secrets file using their individual PGP keys or cloud IAM roles.
Prompt 4
Write a shell script that uses SOPS to decrypt an ENV file and export the variables before running a deployment command.
Prompt 5
How do I rotate the data encryption key for a SOPS-encrypted file that has already been in use in production?

Frequently asked questions

What is sops?

SOPS encrypts only the secret values inside YAML, JSON, and ENV files, not the whole file, so you can safely commit credentials to a code repository while keeping the structure readable.

What language is sops written in?

Mainly Go. The stack also includes AWS KMS and GCP KMS.

How hard is sops to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is sops for?

Mainly ops and devops.

Verify against the repo before relying on details.