CoursesSOPSIntermediate

Formats & integrations

YAML, JSON, env, binary; tooling.

Intermediate10 min · lesson 8 of 12

SOPS is format-aware and partial-encrypts YAML, JSON, and .env and ini files natively (understanding their structure to encrypt only values), and can encrypt arbitrary binary files as an opaque blob when structure does not apply. This breadth is why it slots into so many workflows — Kubernetes manifests and Helm values (YAML), Terraform tfvars (JSON), app .env files, and dotfiles all work. The format determines whether you get the readable-structure benefit or a fully-opaque encryption.

terminal
$ sops -e --age $PUB secrets.json > secrets.enc.json # JSON: values encrypted
$ sops -e --age $PUB .env > .enc.env # env file: VALUES encrypted
$ sops -e --age $PUB --input-type binary keystore.jks > keystore.enc # opaque blob

Integrations

A rich ecosystem consumes SOPS files. Helm has a secrets plugin (helm-secrets) that decrypts SOPS values at deploy. Terraform can read SOPS-encrypted data via a provider or an external data source. Kustomize decrypts via a KSOPS generator. Flux and Argo CD decrypt SOPS natively (the GitOps lesson). And exec-env / exec-file let you inject decrypted secrets into a process’s environment for a command — sops exec-env secrets.enc.yaml ’./app’ — without ever writing plaintext to disk.

terminal
# run a process with decrypted secrets in its environment, no plaintext file on disk
$ sops exec-env secrets.enc.yaml 'node server.js'
# helm: helm secrets install app ./chart -f secrets.enc.yaml
exec-env is safer than writing a decrypted file
When feeding secrets to a process, prefer sops exec-env / exec-file (which inject decrypted values into the environment or a temp file only for the command’s lifetime) over sops -d > secrets.plain, which leaves a plaintext file on disk that can be forgotten, backed up, or committed. Minimize how long and how widely plaintext exists; the exec- helpers exist precisely to avoid a lingering decrypted file.