Formats & integrations
YAML, JSON, env, binary; tooling.
SOPS is format-aware and partial-encrypts YAML, JSON, and .env and ini files natively (understanding their structure to encrypt only values), and can encrypt arbitrary binary files as an opaque blob when structure does not apply. This breadth is why it slots into so many workflows — Kubernetes manifests and Helm values (YAML), Terraform tfvars (JSON), app .env files, and dotfiles all work. The format determines whether you get the readable-structure benefit or a fully-opaque encryption.
$ sops -e --age $PUB secrets.json > secrets.enc.json # JSON: values encrypted$ sops -e --age $PUB .env > .enc.env # env file: VALUES encrypted$ sops -e --age $PUB --input-type binary keystore.jks > keystore.enc # opaque blob
Integrations
A rich ecosystem consumes SOPS files. Helm has a secrets plugin (helm-secrets) that decrypts SOPS values at deploy. Terraform can read SOPS-encrypted data via a provider or an external data source. Kustomize decrypts via a KSOPS generator. Flux and Argo CD decrypt SOPS natively (the GitOps lesson). And exec-env / exec-file let you inject decrypted secrets into a process’s environment for a command — sops exec-env secrets.enc.yaml ’./app’ — without ever writing plaintext to disk.
# run a process with decrypted secrets in its environment, no plaintext file on disk$ sops exec-env secrets.enc.yaml 'node server.js'# helm: helm secrets install app ./chart -f secrets.enc.yaml