sops updatekeys: Rotate Recipients
sops updatekeys re-encrypts the data key of a file to whatever recipients .sops.yaml currently lists, so adding or removing a key does not require decrypting and re-encrypting the values.
When a teammate joins or a key rotates, you edit .sops.yaml then run updatekeys on each file. It touches only the encrypted data key, leaving the secret values as they were.
What it does
sops updatekeys reads the recipients from the matching creation rule in .sops.yaml and rewrites the file's key groups to match, prompting for confirmation. It needs access to a current key so it can decrypt and re-wrap the data key.
Common usage
# after editing .sops.yaml recipients
sops updatekeys secrets.enc.yaml
# non-interactive (assume yes)
sops updatekeys -y secrets.enc.yamlOptions
| Flag | What it does |
|---|---|
| -y, --yes | Do not prompt for confirmation |
| file | The encrypted file(s) to update |
In CI
Automate rotation by editing .sops.yaml, then running sops updatekeys -y over each secrets file in a job that has a current decryption key. Commit the result. Without -y the command waits on a prompt and hangs the runner.
Common errors in CI
"Failed to get the data key required to decrypt the SOPS file" means the runner has no current key to unwrap the data key, so it cannot re-wrap it; provide one existing recipient key. "no matching creation rules found" means the file path does not match any rule in .sops.yaml; fix the path_regex.