Skip to content
Latchkey

sops --encrypt Command Reference

Encrypt a secret file so it can be committed safely.

sops --encrypt (-e) encrypts the values of a structured file using a KMS, age, or PGP key, leaving keys readable. The encrypted result is safe to commit to version control.

What it does

sops --encrypt encrypts the values in a YAML, JSON, or dotenv file while keeping the structure and keys in plaintext, so diffs stay reviewable. Recipients are defined in .sops.yaml creation rules, so the right keys apply automatically by path.

Common flags and usage

  • -e / --encrypt FILE: encrypt and print to stdout
  • --in-place / -i: encrypt the file in place
  • --kms ARN: encrypt to an AWS KMS key
  • --age RECIPIENTS: encrypt to one or more age public keys
  • --encrypted-regex PATTERN: only encrypt matching keys
  • a .sops.yaml creation_rules block sets recipients automatically

Example

shell
- name: Re-encrypt rotated secret
  env:
    AWS_REGION: us-east-1
  run: |
    sops --encrypt --in-place \
      --kms "arn:aws:kms:us-east-1:${AWS_ACCOUNT_ID}:alias/sops" \
      secrets.enc.yaml

In CI

Most encryption is done locally, but CI may re-encrypt after a key rotation or rekey. Prefer a .sops.yaml with creation_rules so recipients are consistent across the repo, and use --encrypted-regex so only secret values are sealed while structural keys stay diff-friendly.

Key takeaways

  • sops --encrypt seals values while leaving keys readable for clean diffs.
  • Define recipients in .sops.yaml so the correct keys apply by file path.
  • Use --encrypted-regex to encrypt only secret values, not the whole file.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →