Key backends: age & KMS
age, AWS/GCP/Azure KMS, PGP.
SOPS supports several key backends, and the choice is the most important security decision you make. age is a modern, simple public-key tool — easy to adopt, keys are short strings, great for small teams and getting started. Cloud KMS (AWS KMS, GCP KMS, Azure Key Vault) keeps the master key inside the cloud provider’s HSM-backed service, so the key never exists as a file you can leak — the strongest option for teams already in a cloud. PGP/GPG is the original backend, still supported but clunkier.
Why KMS is stronger
With age, the private key is a file someone must hold — protect it, and its distribution is your job. With cloud KMS, SOPS never sees the master key: it asks KMS to decrypt the data key, and KMS enforces IAM (who may decrypt), logs every decryption, and lets you revoke access instantly. So KMS turns “keep this key file safe” into “grant these identities kms:Decrypt, and watch the audit log” — access control and auditability you cannot get from a key file. Many teams use age for local/dev and KMS for production.
# encrypt to a cloud KMS key (no key file to protect; IAM controls decrypt)$ sops -e --kms arn:aws:kms:us-east-1:...:key/abcd-1234 prod-secrets.yaml > prod.enc.yaml# decrypt requires kms:Decrypt on that key + the cloud creds — and is logged in CloudTrail