# SOPS (Secrets OPerationS)
**SOPS is an editor for encrypted config files that encrypts the values but leaves the keys and structure in clear text, so secrets can live in Git and still be reviewed in a diff.** Go-based, CNCF Sandbox project, MPL-2.0.
The trick that makes it useful: it does not encrypt the whole file, only the *values*. A secret ends up as `database_password: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]`: the key `database_password` stays readable, the value is an AES-GCM ciphertext, and version control shows *which* secret changed without anyone decrypting anything. That's the difference between an opaque encrypted blob and a reviewable secrets file. The flip side is that key names are visible to everyone with repository access, so the keys themselves must not carry anything sensitive.
## How it works
- **Formats.** YAML, JSON, ENV (dotenv), INI, and binary. In the structured formats only the leaf values are encrypted; a binary file is treated as a single opaque value, so its diff is not reviewable.
- **Key backends.** Cloud KMS (AWS KMS, GCP KMS, Azure Key Vault), HashiCorp Vault's transit engine, and local `age` or PGP keys. SOPS uses envelope encryption: a random 256-bit data key encrypts the values with AES-GCM, and each configured master key wraps its own copy of that data key in the file's `sops` metadata section, so any one recipient can decrypt. Removing a recipient therefore means generating a fresh data key and re-encrypting (`sops rotate`, formerly `sops -r`). The metadata also carries a MAC over the values, so a value that is removed or altered outside of `sops` is caught at decryption time.
- **Workflow.** `sops edit file.yaml` (plain `sops file.yaml` in older releases) opens the decrypted content in `$EDITOR` via a temporary file and re-encrypts on save; a `.sops.yaml` with `creation_rules` maps file paths to the master keys to use, so nobody passes key flags by hand. At runtime, `sops decrypt file.yaml` (`sops -d`) writes plaintext to stdout for CI, and `sops exec-env file.yaml 'cmd'` runs a command with the secrets injected as environment variables, so plaintext stays in memory rather than on disk.
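To make the value-level encryption and the envelope concrete, here is an added example (my own code, not code from the SOPS project) that implements the scheme the list above describes on a flat key/value document, the shape of a `.env` file: each value is sealed with AES-256-GCM under a per-file data key, using the value's key path as additional authenticated data as SOPS does, and serialized in SOPS's `ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]` form; the data key is then wrapped once per recipient, with a local 32-byte master key standing in for a KMS or age key. The `sops:recipient:` path label, the function names and the sample document are assumptions of this example; real SOPS wraps the data key through its KMS/age/PGP backends, recurses into nested YAML/JSON, and stores more metadata than shown here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
)

// encRe matches the ENC[...] envelope SOPS writes in place of a string value.
var encRe = regexp.MustCompile(`^ENC\[AES256_GCM,data:([^,]*),iv:([^,]*),tag:([^,]*),type:str\]$`)

func gcm(key []byte) (cipher.AEAD, error) { // AES-256-GCM for a 32-byte key, the cipher SOPS uses for values
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptValue seals one value under the per-file data key with the value's path as GCM
// additional data, so a ciphertext cut-and-pasted onto a different key will not decrypt.
func EncryptValue(dataKey []byte, path, plaintext string) (string, error) {
	aead, err := gcm(dataKey)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aead.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	out := aead.Seal(nil, iv, []byte(plaintext), []byte(path))
	ct, tag := out[:len(out)-aead.Overhead()], out[len(out)-aead.Overhead():]
	b64 := base64.StdEncoding.EncodeToString
	return fmt.Sprintf("ENC[AES256_GCM,data:%s,iv:%s,tag:%s,type:str]", b64(ct), b64(iv), b64(tag)), nil
}

// DecryptValue parses the ENC[...] envelope and opens it with the same path as AAD.
func DecryptValue(dataKey []byte, path, enc string) (string, error) {
	m := encRe.FindStringSubmatch(enc)
	if m == nil {
		return "", fmt.Errorf("%s: not an ENC[...] value", path)
	}
	var parts [3][]byte // data, iv, tag
	for i, s := range m[1:] {
		p, err := base64.StdEncoding.DecodeString(s)
		if err != nil {
			return "", err
		}
		parts[i] = p
	}
	aead, err := gcm(dataKey)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, parts[1], append(parts[0], parts[2]...), []byte(path))
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	return string(pt), nil
}

// rewrite applies fn to every value of a flat key/value document in place, with the key as the
// path. Keys are never touched, which is what keeps diffs reviewable. (For nested YAML/JSON,
// SOPS recurses and builds the path from each level's key; this example stays flat.)
func rewrite(doc map[string]string, key []byte, fn func([]byte, string, string) (string, error)) error {
	for k, v := range doc {
		out, err := fn(key, k, v)
		if err != nil {
			return err
		}
		doc[k] = out
	}
	return nil
}

func EncryptDoc(dataKey []byte, doc map[string]string) error { return rewrite(doc, dataKey, EncryptValue) }
func DecryptDoc(dataKey []byte, doc map[string]string) error { return rewrite(doc, dataKey, DecryptValue) }

// WrapDataKey stands in for one KMS or age recipient: the data key itself is sealed under that
// recipient's master key. SOPS stores one wrapped copy per recipient in the file's sops metadata.
func WrapDataKey(masterKey, dataKey []byte) (string, error) {
	return EncryptValue(masterKey, "sops:recipient:", string(dataKey)) // "sops:recipient:" is this example's label
}

// UnwrapDataKey recovers the data key; any other master key fails the GCM tag check.
func UnwrapDataKey(masterKey []byte, wrapped string) ([]byte, error) {
	s, err := DecryptValue(masterKey, "sops:recipient:", wrapped)
	return []byte(s), err
}

func main() {
	doc := map[string]string{"database_password": "hunter2", "api_token": "tok_example"} // constructed sample
	dataKey := make([]byte, 32)
	rand.Read(dataKey) // crypto/rand.Read cannot return an error on Go 1.24+; it panics if the OS RNG is broken
	if err := EncryptDoc(dataKey, doc); err != nil {
		panic(err)
	}
	fmt.Println(doc) // keys stay readable; each value is now ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
}
```

Running it prints the document with its keys intact and every value replaced by an `ENC[...]` string. The detail worth noticing is the additional authenticated data: moving the ciphertext of `api_token` onto `database_password` fails authentication on decrypt, so a reviewer-visible key name gives an attacker no way to quietly swap one secret for another, and a data key wrapped for one master key is useless to the holder of any other.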
## Why it matters
Secrets committed to Git in plaintext are a classic [[Software Supply Chain Security|supply-chain]] weak point: every clone, fork, CI runner and backup carries them, and rotating them after a leak is painful. SOPS lets you keep them versioned alongside the code they configure, encrypted at rest, decryptable only by the principals the KMS policy or key holders allow, which also puts each decryption behind the cloud provider's IAM and audit log. It's a staple of GitOps and [[DevSecOps]] pipelines for exactly that reason.
Originated at Mozilla in 2015; moved to the `getsops` GitHub organization and accepted into the CNCF Sandbox in 2023.
## References
- https://getsops.io/
- https://getsops.io/docs/
- https://getsops.io/community/
- https://github.com/getsops/sops
## Related
- [[DevSecOps]]
- [[Software Supply Chain Security]]
- [[Zero Trust Security]]
- [[Least Privilege Principle]]