Skip to content
Latchkey

sops updatekeys: Rotate Recipients

sops updatekeys re-encrypts the data key of a file to whatever recipients .sops.yaml currently lists, so adding or removing a key does not require decrypting and re-encrypting the values.

When a teammate joins or a key rotates, you edit .sops.yaml then run updatekeys on each file. It touches only the encrypted data key, leaving the secret values as they were.

What it does

sops updatekeys reads the recipients from the matching creation rule in .sops.yaml and rewrites the file's key groups to match, prompting for confirmation. It needs access to a current key so it can decrypt and re-wrap the data key.

Common usage

Terminal
# after editing .sops.yaml recipients
sops updatekeys secrets.enc.yaml
# non-interactive (assume yes)
sops updatekeys -y secrets.enc.yaml

Options

FlagWhat it does
-y, --yesDo not prompt for confirmation
fileThe encrypted file(s) to update

In CI

Automate rotation by editing .sops.yaml, then running sops updatekeys -y over each secrets file in a job that has a current decryption key. Commit the result. Without -y the command waits on a prompt and hangs the runner.

Common errors in CI

"Failed to get the data key required to decrypt the SOPS file" means the runner has no current key to unwrap the data key, so it cannot re-wrap it; provide one existing recipient key. "no matching creation rules found" means the file path does not match any rule in .sops.yaml; fix the path_regex.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →