Skip to content
Latchkey

sops -d Command Reference

Decrypt a SOPS-encrypted file at deploy time.

sops -d (--decrypt) decrypts a file encrypted with SOPS using whatever key the file references (AWS KMS, age, GCP KMS, or PGP). In CI it turns committed encrypted secrets into usable values.

What it does

sops -d reads an encrypted file, resolves the data key via the configured KMS or age/PGP key, and emits the decrypted plaintext to stdout. The encrypted file is safe to commit because only authorized keys can decrypt it.

Common flags and usage

  • -d / --decrypt FILE: decrypt and print to stdout
  • --output FILE: write decrypted content to a file instead of stdout
  • --extract '["key"]': pull a single value from structured data
  • --input-type / --output-type: force json, yaml, dotenv, or binary
  • export with --output-type dotenv for shell consumption

Example

shell
- name: Decrypt secrets
  env:
    AWS_REGION: us-east-1
  run: |
    sops -d --output-type dotenv secrets.enc.env > .env
    set -a && . ./.env && set +a

In CI

Grant the CI role decrypt access to the KMS key (via OIDC) or provide an age private key from a secret, then run sops -d at deploy time. Write decrypted output to a file or env rather than echoing it to logs, and delete the plaintext after use so it never lingers on the runner.

Key takeaways

  • sops -d decrypts a committed encrypted file using KMS, age, or PGP.
  • Grant the CI role decrypt access via OIDC; never log the plaintext.
  • Write decrypted values to a file or env and clean up after the deploy.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →