sops Cheat Sheet

CLI

export SOPS_PGP_FP=<comma separated fingerprints>   # same as passing --pgp on every call

sops <file>                                   # open the encrypted file in $EDITOR (creates it if missing)
sops -d <file>                                # decrypt file to STDOUT
sops -d --extract '["key"]["subkey"]' <file>  # decrypt only one YAML/JSON subkey
sops -e <file>                                # encrypt a file to STDOUT (-i rewrites it in place)

sops updatekeys -y <file>     # re-encrypt the data key for the recipients in .sops.yaml, without prompting

Control encryption with .sops.yaml

Map groups of files (selected by path_regex) to the recipients allowed to decrypt them. sops tries the rules top to bottom and uses the first one whose path_regex matches, so put narrow rules before broad ones. path_regex is a Go regular expression searched anywhere in the file's path as seen from the directory holding .sops.yaml (not a shell glob), and the fingerprints in pgp must be comma-separated; the folded >- scalar below joins them into one comma-separated line:

creation_rules:
  - path_regex: '(somedir1/.*|somedir2/subdir/.*\.enc\.yml$)'
    pgp: >-
      <fp1>,
      <fp2>,
      ...
  - path_regex: 'somedir3/admins/.*\.enc\.yml$'
    pgp: >-
      <fp1>,
      <fp3>,
      ...
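To check which rule a path would get before committing a .sops.yaml, here is an added example (not part of this cheat sheet and not sops' own code) that mirrors how sops selects a creation rule: rules are tried in order, path_regex is an unanchored regular expression (Python's re.search stands in for Go's regexp.MatchString), a rule without path_regex matches every path, and the pgp field is split on commas with spaces removed. The rules, paths and fingerprints are constructed for the example; it also includes glob-style patterns such as somedir3/admins/*.enc.yml, a common mistake, to show what they really match.

```python
import re

# Constructed placeholder fingerprints for this example (real ones are 40 hex digits).
FP1 = "1111111111111111111111111111111111111111"
FP2 = "2222222222222222222222222222222222222222"
FP3 = "3333333333333333333333333333333333333333"

# creation_rules as a YAML loader would hand them to sops. The pgp values are
# what a folded '>-' scalar with commas yields: a single comma-separated line.
RULES = [
    {"path_regex": r"somedir3/admins/.*\.enc\.yml$", "pgp": f"{FP1}, {FP3}"},
    {"path_regex": r"(somedir1/.*|somedir2/subdir/.*\.enc\.yml$)", "pgp": f"{FP1}, {FP2}"},
    {"pgp": FP1},  # no path_regex: matches every path, so it must come last
]

# The same intent written with shell globs instead of regexes (the common mistake).
RULES_GLOB_MISTAKE = [
    {"path_regex": r"somedir3/admins/*.enc.yml", "pgp": f"{FP1}, {FP3}"},
    {"path_regex": r"somedir1/*.", "pgp": f"{FP1}, {FP2}"},
]


def pgp_fingerprints(pgp_field):
    """Split a rule's pgp value like sops: on commas, whitespace removed from each
    entry. Empty entries (for example from a trailing comma) are dropped here."""
    return [re.sub(r"\s+", "", fp) for fp in pgp_field.split(",") if fp.strip()]


def select_rule(path, rules):
    """Return the first rule that applies to path, or None.

    A rule applies when it has no path_regex (catch-all) or when its regex
    matches anywhere in the path (unanchored search, as sops does).
    """
    for rule in rules:
        pattern = rule.get("path_regex")
        if pattern is None or re.search(pattern, path):
            return rule
    return None


def recipients_for(path, rules=RULES):
    """Fingerprints able to decrypt a file created at path, or None when no rule
    matches (sops then refuses to create the file unless keys are given explicitly)."""
    rule = select_rule(path, rules)
    return None if rule is None else pgp_fingerprints(rule["pgp"])


if __name__ == "__main__":
    for p in ("somedir3/admins/prod.enc.yml", "somedir1/app/config.yml",
              "somedir2/subdir/db.yml", "somedir10/notes.txt"):
        print(f"{p:30} regex rules -> {recipients_for(p)}")
        print(f"{p:30} glob mistake -> {recipients_for(p, RULES_GLOB_MISTAKE)}")
```

Two things the run makes visible: the glob-style admins rule never matches somedir3/admins/prod.enc.yml (so an admin would be handed an error, or worse, a broader rule further down), while somedir1/*. happily matches somedir10/notes.txt; and moving the catch-all rule to the top hands every file to FP1 alone, which is why rule order matters.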

Collecting all fingerprints from a directory with public keys

The fiddliest part of using sops with PGP is assembling the recipient fingerprints. Given a directory of exported public keys (files named *gpg.pub), the loop below reads each key's fingerprint from gpg's machine-readable output, imports the key only if the local keyring does not already hold it, and builds SOPS_PGP_FP from the fingerprints. Treat that directory as an authorization list: anyone who can drop a key file into it becomes a recipient, so verify fingerprints out of band before importing. SOPS_PGP_FP only affects files sops creates from now on; for files that are already encrypted, change .sops.yaml and run sops updatekeys.

SOPS_PGP_FP=""
while IFS= read -r -d '' file; do
  # Show the key without importing it; the "fpr" record of the colon-separated
  # output carries the primary key's fingerprint in field 10.
  fp=$(gpg --import --import-options show-only --with-colons "$file" 2>/dev/null \
       | awk -F: '$1 == "fpr" { print $10; exit }')
  [ -n "$fp" ] || { echo "no public key found in $file" >&2; continue; }
  # Import only keys the keyring does not already have.
  gpg --list-keys "$fp" >/dev/null 2>&1 || gpg --import "$file"
  # Append with a comma separator, without a leading comma on the first entry.
  SOPS_PGP_FP="${SOPS_PGP_FP:+$SOPS_PGP_FP,}$fp"
done < <(find "$DIR" -type f -regex '.*gpg\.pub' -print0)

export SOPS_PGP_FP