sops --encrypt Command Reference
Encrypt a secret file so it can be committed safely.
sops --encrypt (-e) encrypts the values of a structured file using a KMS, age, or PGP key, leaving keys readable. The encrypted result is safe to commit to version control.
What it does
sops --encrypt encrypts the values in a YAML, JSON, or dotenv file while keeping the structure and keys in plaintext, so diffs stay reviewable. Recipients are defined in .sops.yaml creation rules, so the right keys apply automatically by path.
Common flags and usage
- -e / --encrypt FILE: encrypt and print to stdout
- --in-place / -i: encrypt the file in place
- --kms ARN: encrypt to an AWS KMS key
- --age RECIPIENTS: encrypt to one or more age public keys
- --encrypted-regex PATTERN: only encrypt matching keys
- a .sops.yaml creation_rules block sets recipients automatically
Example
- name: Re-encrypt rotated secret
env:
AWS_REGION: us-east-1
run: |
sops --encrypt --in-place \
--kms "arn:aws:kms:us-east-1:${AWS_ACCOUNT_ID}:alias/sops" \
secrets.enc.yamlIn CI
Most encryption is done locally, but CI may re-encrypt after a key rotation or rekey. Prefer a .sops.yaml with creation_rules so recipients are consistent across the repo, and use --encrypted-regex so only secret values are sealed while structural keys stay diff-friendly.
Key takeaways
- sops --encrypt seals values while leaving keys readable for clean diffs.
- Define recipients in .sops.yaml so the correct keys apply by file path.
- Use --encrypted-regex to encrypt only secret values, not the whole file.