SOPS: Secrets OPerationS

sops is an editor of encrypted files that supports YAML, JSON and
BINARY formats and encrypts with AWS KMS and PGP.




Download binaries and packages of the latest release from

Or, install the sops command line with:

$ go get -u

(requires Go >= 1.8)

If you don't have Go installed, set it up with:

$ {apt,yum,brew} install golang
$ echo 'GOPATH=~/go' >> ~/.bashrc
$ source ~/.bashrc
$ mkdir $GOPATH

Or whatever variation of the above fits your system and shell.

To use sops as a library, take a look at the decrypt

Questions? ping "ulfr" in #security on (use a web client like
mibbit ).

What happened to Python Sops? We rewrote Sops in Go to solve a
number of deployment issues, but the Python branch still exists under
python-sops. We will keep maintaining it for a while, and you can still
pip install sops, but we strongly recommend you use the Go version

Important information on types

YAML and JSON type extensions

sops uses the file extension to decide which encryption method to use on
the file content. YAML and JSON files are treated as trees of data, and
key/values are extracted from the files to only encrypt the leaf values.
The tree structure is also used to check the integrity of the file.

Therefore, if a file is encrypted using a specific format, it need to be
decrypted in the same format. The easiest way to achieve this is to
conserve the original file extension after encrypting a file. For

$ sops -e -i myfile.json

$ sops -d myfile.json

If you want to change the extension of the file once encrypted, you need
to provide sops with the --input-type flag upon decryption. For example:

$ sops -e myfile.json > myfile.json.enc

$ sops -d --input-type json myfile.json.enc

YAML anchors

sops only supports a subset of YAML's many types. Encrypting YAML files
that contain strings, numbers and booleans will work fine, but files
that contain anchors will not work, because the anchors redefine the
structure of the file at load time.

This file will not work in `sops`:

bill-to:  &id001
    street: |
        123 Tornado Alley
        Suite 16
    city:   East Centerville
    state:  KS

ship-to:  *id001

sops uses the path to a value as additional data in the AEAD encryption,
and thus dynamic paths generated by anchors break the authentication

JSON and TEXT file types do not support anchors and thus have no such

Top-level arrays

YAML and JSON top-level arrays are not supported, because sops needs a
top-level sops key to store its metadata. This file will not work in

  - some
  - array
  - elements

But this one will because because the sops key can be added at the same
level as the data key.

  - some
  - array
  - elements

Similarly, with JSON arrays, this document will not work:


But this one will work just fine:

  "data": [

results matching ""

    No results matching ""