sops -d Command Reference
Decrypt a SOPS-encrypted file at deploy time.
sops -d (--decrypt) decrypts a file encrypted with SOPS using whatever key the file references (AWS KMS, age, GCP KMS, or PGP). In CI it turns committed encrypted secrets into usable values.
What it does
sops -d reads an encrypted file, resolves the data key via the configured KMS or age/PGP key, and emits the decrypted plaintext to stdout. The encrypted file is safe to commit because only authorized keys can decrypt it.
Common flags and usage
- -d / --decrypt FILE: decrypt and print to stdout
- --output FILE: write decrypted content to a file instead of stdout
- --extract '["key"]': pull a single value from structured data
- --input-type / --output-type: force json, yaml, dotenv, or binary
- export with --output-type dotenv for shell consumption
Example
- name: Decrypt secrets
env:
AWS_REGION: us-east-1
run: |
sops -d --output-type dotenv secrets.enc.env > .env
set -a && . ./.env && set +aIn CI
Grant the CI role decrypt access to the KMS key (via OIDC) or provide an age private key from a secret, then run sops -d at deploy time. Write decrypted output to a file or env rather than echoing it to logs, and delete the plaintext after use so it never lingers on the runner.
Key takeaways
- sops -d decrypts a committed encrypted file using KMS, age, or PGP.
- Grant the CI role decrypt access via OIDC; never log the plaintext.
- Write decrypted values to a file or env and clean up after the deploy.