CoursesSOPSIntermediate

Key backends: age & KMS

age, AWS/GCP/Azure KMS, PGP.

Intermediate14 min · lesson 5 of 12

SOPS supports several key backends, and the choice is the most important security decision you make. age is a modern, simple public-key tool — easy to adopt, keys are short strings, great for small teams and getting started. Cloud KMS (AWS KMS, GCP KMS, Azure Key Vault) keeps the master key inside the cloud provider’s HSM-backed service, so the key never exists as a file you can leak — the strongest option for teams already in a cloud. PGP/GPG is the original backend, still supported but clunkier.

Choosing a key backend
simple / self-managed
age
short keys, easy, popular
PGP/GPG
original, heavier
managed / strongest
AWS/GCP/Azure KMS
key never leaves the HSM
IAM-scoped access
audited, revocable
age to start and for portability; cloud KMS when you want the key held (and access audited) by the provider.

Why KMS is stronger

With age, the private key is a file someone must hold — protect it, and its distribution is your job. With cloud KMS, SOPS never sees the master key: it asks KMS to decrypt the data key, and KMS enforces IAM (who may decrypt), logs every decryption, and lets you revoke access instantly. So KMS turns “keep this key file safe” into “grant these identities kms:Decrypt, and watch the audit log” — access control and auditability you cannot get from a key file. Many teams use age for local/dev and KMS for production.

terminal
# encrypt to a cloud KMS key (no key file to protect; IAM controls decrypt)
$ sops -e --kms arn:aws:kms:us-east-1:...:key/abcd-1234 prod-secrets.yaml > prod.enc.yaml
# decrypt requires kms:Decrypt on that key + the cloud creds — and is logged in CloudTrail
An age key file is only as safe as where you store it
age is convenient, but the private key is a file, so a leaked laptop, a key committed by accident, or a key sitting in a world-readable path exposes everything it decrypts — and there is no built-in audit of who used it. For production secrets prefer cloud KMS (key held by the provider, IAM-scoped, audited), and if you use age, treat the private key with the same care as an SSH master key: encrypted at rest, never committed, tightly held.