age is preferred over PGP. The key directory differs depending on the OS. For macOS:
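# Default directory where sops looks for age identities on macOS.
KEYDIR="${HOME}/Library/Application Support/sops/age/"
# Quote every use of KEYDIR: the path contains a space, and an unquoted
# expansion is word-split into two separate paths.
mkdir -p "${KEYDIR}"
# Keep the directory that holds the private key accessible to the owner only.
chmod 700 "${KEYDIR}"
# note this can be set with SOPS_AGE_KEY_FILE= to a different location if required
# note this has to be keys.txt not key.txt
age-keygen -o "${KEYDIR}/keys.txt"
# keys.txt lives in KEYDIR, not in the current directory. This prints the
# secret key as well; `age-keygen -y "${KEYDIR}/keys.txt"` shows only the
# public key.
cat "${KEYDIR}/keys.txt"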
# created: 2021-04-13T10:41:17+01:00
# public key: age1z9de3wx4d07y4w727y7lhuvez4eugg77xeee76eua4wkhw4r2vns02gksx
AGE-SECRET-KEY-<bech32-encode>

create testfile
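echo 'yolo' > yolo
# Encrypt to the recipient (the public key printed by age-keygen); no secret
# key is needed for this step.
age -r age1z9de3wx4d07y4w727y7lhuvez4eugg77xeee76eua4wkhw4r2vns02gksx -o yolo.age yolo
# decrypt
# -i takes the identity (secret key) file; the one generated above is
# keys.txt inside KEYDIR, and the path must stay quoted because of the space.
age --decrypt -i "${KEYDIR}/keys.txt" yolo.age
# integrate with sops and yaml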
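# Sample plaintext. Whatever is written here sits unencrypted on disk until
# the in-place encryption below has run.
echo 'password: 1234' > secrets.yaml
# --encrypt is required: without a mode flag sops opens the file in an editor.
# The encrypted YAML goes to stdout; secrets.yaml itself is left unchanged.
sops --encrypt --age age1z9de3wx4d07y4w727y7lhuvez4eugg77xeee76eua4wkhw4r2vns02gksx secrets.yaml
# use env and write stdout back to same file
# SOPS_AGE_RECIPIENTS supplies the recipient, so --age is dropped here; left
# in place it would consume "secrets.yaml" as its value.
SOPS_AGE_RECIPIENTS=age1z9de3wx4d07y4w727y7lhuvez4eugg77xeee76eua4wkhw4r2vns02gksx sops --encrypt --in-place secrets.yaml
# use default sops/age/ dir no env var required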
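# The plaintext leaves sops here; the subshell's umask makes the output file
# readable by the owner only.
(umask 077 && sops -d secrets.yaml > somewhere)
# Overwrites secrets.yaml with its plaintext; re-encrypt it before committing
# or sharing the file.
sops --in-place -d secrets.yaml
# decrypt the file back again using env var
# (secrets.yaml has to be encrypted again at this point; the in-place decrypt
# above left it as plaintext)
mkdir -p ~/.sops/
# The directory is meant to hold a private key, so restrict it to the owner.
chmod 700 ~/.sops/
# Assumes the age identity has been placed at ~/.sops/key.txt; nothing above
# copies it there.
SOPS_AGE_KEY_FILE=~/.sops/key.txt sops -d secrets.yaml # to stdout
# view of the secrets.yaml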
password: ENC[AES256_GCM,data:FlXFcUjxm8Xw74hPE3Vb0QNlI8bsmFI6Lt0A8FWPDGY=,iv:RspMlpN+zPcR69teuU2WsEzAK2xif4Xt0hld4pEcwHU=,tag:H1L7dr6pKsuHvJyUA2VNFg==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1z9de3wx4d07y4w727y7lhuvez4eugg77xeee76eua4wkhw4r2vns02gksx
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            .....
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2021-04-13T09:55:21Z"
    mac: ENC[AES256_GCM,data:mQzw2S//n71NfUKy5X4CPCtnjuXOBb+ZQEaViB9aiYix75EpGHpTYlmdwluosaQLvgROnsdxSEKCzFHgkH005QcKlSzJlOKhKy1p93ZnqOTnpZS7oTBCyi9aX3nyasgR4o5iix6xVy0EPb7QusRIbIMlkDjv1X4e5RXHNCuRNrI=,iv:OT9gyhWMJO/jGCnhjdqm4RxNOTeVF5oNMZKxfiMyq3o=,tag:Iw8y9//WnY7rKchzdnwbow==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.1