Security: Encrypt Secrets Locally with Age and SOPS
Overview
SOPS (Secrets OPerationS) combined with age encryption provides a simple, secure way to encrypt sensitive files in Git repositories while keeping them human-readable and version-controlled.
Why SOPS + Age?
- Age: a modern, simple encryption tool with no complex key management
- SOPS: encrypts only the values, leaving the keys readable for diffs and merges
- Git-friendly: changes show up cleanly in version control
- Auditable: you can see what changed without decrypting the files
Quick Setup
1. Install Tools
# Install age
apt install age # or brew install age
# Install sops
brew install sops # or download from a GitHub release
2. Generate Age Key
age-keygen -o ~/.config/sops/age/keys.txt
# Save the public key (age1...). It is printed on generation and also stored
# as a "# public key:" comment at the top of keys.txt; the file itself holds
# the private key and must stay local.
3. Configure SOPS
Create .sops.yaml in your repo root (indentation matters: the rule is a list item under creation_rules, and age and encrypted_regex belong to that item):
creation_rules:
  # Applies to any YAML file with "secret" in its path
  - path_regex: .*secret.*\.yaml$
    age: age1nav5lwzedca5umrg0sl3jqwanl50fq3fvdwsrvmwarze4g3jr4yqprgm2g
    # Only encrypt the Secret payload; apiVersion, kind and metadata stay readable
    encrypted_regex: ^(data|stringData)$
Usage
Encrypt a File
sops --encrypt --in-place secret.yaml
Edit Encrypted Files
sops secret.yaml # Opens in editor, auto-encrypts on save
Decrypt for Viewing
sops -d secret.yaml
Example
Before encryption:
apiVersion: v1
kind: Secret
stringData:
  token: ghp_secrettoken123
After encryption (only the value under stringData is replaced; the key names stay in the clear, and SOPS appends its own metadata block):
apiVersion: v1
kind: Secret
stringData:
  token: ENC[AES256_GCM,data:kWMK...]
sops:
  age:
    - recipient: age1nav5lwz...
Automation
To make sure secrets are always encrypted before they are committed, see: Git: Ensuring Secret Files Are Encrypted Before Commits
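As an added example (not code from the original post or from the linked one), here is a small POSIX shell check that a pre-commit hook can run on a manifest matched by the `.sops.yaml` rule above. It assumes the `^(data|stringData)$` encrypted_regex from that configuration and needs neither sops nor age installed: it only inspects the file text, verifying that a top-level `sops:` metadata block is present and that every value under `data:` or `stringData:` is an `ENC[...]` token. The sample manifests it writes are constructed for the demonstration; their ciphertext and recipient strings are placeholders, not real SOPS output.

```shell
#!/bin/sh
# check_sops_encrypted FILE
#   exit 0  every data:/stringData: value is an ENC[...] token and a sops: block exists
#   exit 1  at least one plaintext value was found under data:/stringData:
#   exit 2  no top-level sops: metadata block (file was never encrypted)
check_sops_encrypted() {
  file="$1"

  # Rule 1: SOPS always appends a top-level "sops:" block when it encrypts.
  if ! grep -q '^sops:' "$file"; then
    return 2
  fi

  # Rule 2: inside data:/stringData:, every "key: value" line must carry ENC[.
  awk '
    # An unindented, non-comment line starts a new top-level section.
    /^[^[:space:]#]/ {
      in_secret = ($0 ~ /^(data|stringData):/) ? 1 : 0
      next
    }
    # Indented "key: value" line (with a non-empty value) inside the section.
    in_secret && /^[[:space:]]+[^[:space:]#][^:]*:[[:space:]]*[^[:space:]]/ {
      val = $0
      sub(/^[^:]*:[[:space:]]*/, "", val)   # drop "  key: " and keep the value
      if (index(val, "ENC[") != 1) {
        plaintext = 1
      }
    }
    END { exit (plaintext ? 1 : 0) }
  ' "$file"
}

# Constructed sample: the "before encryption" manifest from the post.
write_plaintext_sample() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
stringData:
  token: ghp_secrettoken123
EOF
}

# Constructed sample: the shape of an encrypted manifest (placeholder values).
write_encrypted_sample() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
stringData:
  token: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
  age:
    - recipient: age1PLACEHOLDER
EOF
}

# Constructed sample: a half-encrypted file, e.g. a key added by hand after
# encryption without re-running sops. This is the case a hook must catch.
write_mixed_sample() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
stringData:
  token: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
  password: hunter2
sops:
  age:
    - recipient: age1PLACEHOLDER
EOF
}

# Usage from a hook:  check_sops_encrypted path/to/secret.yaml || exit 1
```

The check is deliberately conservative: a block scalar such as `token: |` is treated as plaintext, because SOPS would have replaced it with an `ENC[...]` token. A plain-text check like this complements, rather than replaces, the `sops -d` round trip in the linked post, which also verifies the MAC over the file.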
Security Notes
- Never commit ~/.config/sops/age/keys.txt (the private key)
- Back up your age key securely
- Share only the public key with team members
- Rotate keys if compromised