Skip to content
Latchkey

How to Encrypt Secrets With SOPS for GitOps

SOPS encrypts only the values in a secret manifest, so the file is safe to commit and Flux decrypts it with an age key at apply time.

Encrypt the Secret with sops --encrypt using an age recipient, commit the result, and configure the Flux Kustomization with decryption.provider: sops. Flux holds the private key as a cluster secret.

Steps

  • Generate an age key pair and store the private key as a cluster secret.
  • Encrypt the Secret manifest with sops --encrypt --age <pubkey>.
  • Commit the encrypted file to the GitOps repo.
  • Set spec.decryption on the Flux Kustomization.

Kustomization with decryption

clusters/prod/api.yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: api
  namespace: flux-system
spec:
  interval: 5m
  path: ./apps/api
  prune: true
  sourceRef:
    kind: GitRepository
    name: deploy-config
  decryption:
    provider: sops
    secretRef:
      name: sops-age

Gotchas

  • SOPS encrypts values, not keys, so set encrypted_regex: ^(data|stringData)$ to skip metadata.
  • The sops-age secret must hold the private key under age.agekey for Flux to read it.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →