Skip to content
Latchkey

sops exec-env: Inject Secrets Into a Process

sops exec-env decrypts a secrets file and runs a command with each key set as an environment variable, so plaintext never touches disk.

Instead of decrypting to a file, exec-env feeds the decrypted values straight into a child process environment. It keeps secrets in memory for the lifetime of that command.

What it does

sops exec-env decrypts the given file, sets each top-level key as an env var, and executes the command in {cmd} with those variables. exec-file instead writes plaintext to a temp file and substitutes its path into the command.

Common usage

Terminal
sops exec-env secrets.enc.env 'node deploy.js'
# pass the decrypted file path to a tool that wants a file
sops exec-file secrets.enc.json 'terraform apply -var-file {}'

Options

Command / flagWhat it does
exec-env <file> <cmd>Run cmd with decrypted values as env vars
exec-file <file> <cmd>Run cmd with a temp plaintext file, {} is its path
--no-fifo (exec-file)Use a regular temp file instead of a FIFO
--user <name>Drop to this user before running the command

In CI

exec-env is the cleanest way to avoid a decrypted file lingering in the workspace. Only flat, top-level string values become env vars; nested structures do not, so keep exec-env inputs flat.

Common errors in CI

"Failed to get the data key" means the decryption key is unavailable on the runner (set SOPS_AGE_KEY or KMS creds). "error building the environment: ..." usually means the file has nested values that cannot map to env vars; flatten it or use exec-file. A non-zero exit from the wrapped command propagates, which is the intended gate.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →