sops -e and -d: Encrypt and Decrypt Secrets
sops -e encrypts the values (not the keys) of a YAML/JSON/env file, and sops -d decrypts them back, leaving structure readable in git.
sops (Secrets OPerationS) encrypts only the values in a structured file so diffs stay meaningful. It resolves the key from a KMS, age, or PGP recipient defined in .sops.yaml or on the command line.
What it does
sops -e reads a file and encrypts each value using the configured recipients, adding a sops metadata block. sops -d reverses it. -i edits the file in place; without it output goes to stdout.
Common usage
# encrypt to stdout, or in place with -i
sops -e secrets.yaml > secrets.enc.yaml
sops -e -i secrets.yaml
# decrypt to stdout
sops -d secrets.enc.yamlOptions
| Flag | What it does |
|---|---|
| -e, --encrypt | Encrypt the file |
| -d, --decrypt | Decrypt the file |
| -i, --in-place | Modify the file in place |
| --output <file> | Write result to a file |
| --input-type / --output-type | Force yaml, json, dotenv, or binary |
| --encrypted-regex <re> | Only encrypt keys matching the regex |
In CI
Commit the encrypted file and let the pipeline run sops -d with a key from the environment. sops uses the file extension to pick a parser; for a plain .env pass --input-type dotenv if the extension is ambiguous.
Common errors in CI
"config file not found and no keys provided through command line options" means there is no .sops.yaml and you did not pass a recipient. "Failed to get the data key required to decrypt the SOPS file" means none of the configured keys are available to the runner; check SOPS_AGE_KEY or KMS credentials. "sops metadata not found" means the file was never sops-encrypted.