SOPS: Simple And Flexible Tool For Managing Secrets

Decrypt a file Encrypt a file using AWS Encrypt a file using GCP Encrypt a file using Azure Encrypt a file using Age Encrypt a file using PGP Edit encrypted file Edit decrypted file

Key Groups

By default, SOPS encrypts the data key for a file with each of the master keys, such that if any of the master keys is available, the file can be decrypted. However, it is sometimes desirable to require access to multiple master keys in order to decrypt files. This can be achieved with key groups.


Sometimes, users want to be able to tell what files were accessed by whom in an environment they control. For this reason, SOPS can generate audit logs to record activity on encrypted files. When enabled, SOPS will write a log entry into a pre-configured PostgreSQL database when a file is decrypted.

Key Service

There are situations where you might want to run SOPS on a machine that doesn't have direct access to encryption keys such as PGP keys. The sops key service allows you to forward a socket so that SOPS can access encryption keys stored on a remote machine.


The security of the data stored using SOPS is as strong as the weakest cryptographic mechanism. Values are encrypted using AES256_GCM which is the strongest symmetric encryption algorithm known today. Data keys are encrypted in either KMS, which also uses AES256_GCM, or PGP which uses either RSA or ECDSA keys.