How to use SOPS + age
As we saw earlier, SOPS supports multiple formats and encryption backends. In this guide, we will focus on using SOPS with age for encrypting sensitive files like *.tfvars, terraform.tfstate, and other secrets.
Generate an age Key Pair

Windows (PowerShell):

```powershell
mkdir $env:APPDATA\sops\age
age-keygen -o $env:APPDATA\sops\age\keys.txt
```

macOS:

```sh
mkdir -p "$HOME/Library/Application Support/sops/age"
age-keygen -o "$HOME/Library/Application Support/sops/age/keys.txt"
```

Linux:

```sh
mkdir -p ~/.config/sops/age
age-keygen -o ~/.config/sops/age/keys.txt
```

These are the default locations where SOPS looks for your age private key on each platform, so decryption works without any extra configuration. Grab your public key:

```sh
grep public /path/to/keys.txt
# public key: age1xxxx...
```

Encrypting with sops
There are multiple ways to encrypt a file using age with SOPS:
Using the age flag

```sh
sops -e --age age1xxxx...,age1yyyy... opentofu.auto.tfvars > opentofu.auto.tfvars.enc
```

This encrypts the file to the provided public age keys (comma-separated), so the holder of any one of the corresponding private keys can decrypt it.
Using an environment variable

```sh
export SOPS_AGE_RECIPIENTS="age1xxxx...,age1yyyy..."
sops -e opentofu.auto.tfvars > opentofu.auto.tfvars.enc
```

This is useful when scripting or storing your recipient key in an environment configuration.
Using sops config file

You can also specify the recipients in a .sops.yaml file in your repository:

```yaml
creation_rules:
  - path_regex: \.tfvars(\.json)?$
    encrypted_regex: "^(.*)$"
    age: "age1xxxx...,age1yyyy..."
```

Using .sops.yaml is best for projects: the rule is matched against the path of the file being encrypted, so every contributor and CI job gets the same recipients without setting environment variables or passing the age flag.
Decrypting with sops

Basic usage examples

View decrypted content:

```sh
sops -d opentofu.auto.tfvars.enc
```

Save decrypted file:

```sh
sops -d opentofu.auto.tfvars.enc > opentofu.auto.tfvars
```

Bonus: Using SSH keys to encrypt/decrypt
You can also use SSH keys for encryption and decryption. This is particularly useful if you already manage SSH keys for other purposes.
Encrypting with SSH keys

```sh
sops -e --age "$(cat ~/.ssh/id_ed25519.pub)" opentofu.auto.tfvars > opentofu.auto.tfvars.enc
```

Decrypting with SSH keys
By default, SOPS will try to decrypt using the following SSH private keys (in order):

- ~/.ssh/id_ed25519
- ~/.ssh/id_rsa

If your private key is stored in a custom location or if you manage multiple keys, you can explicitly specify which one to use:

```sh
export SOPS_AGE_SSH_PRIVATE_KEY_FILE=~/.ssh/id_rsa
sops -d opentofu.auto.tfvars.enc > opentofu.auto.tfvars
```

Best Practices
- Never commit decrypted files (*.tfvars, *.tfstate, secrets.json, secrets.yaml, .env, etc.)
- Use .gitignore to exclude them
- Always encrypt before pushing
- Share only the public key
- Store private keys securely (e.g., in a password manager or vault)
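"Always encrypt before pushing" is easy to forget, so it is worth enforcing in a pre-commit hook. The following is an added example, not part of this guide or of the SOPS project: it reuses the path_regex from the .sops.yaml rule above to decide which staged files must be encrypted, and then checks that each such file carries the markers SOPS writes into every encrypted output format (the `ENC[AES256_GCM,...]` value wrapper plus the `sops` metadata block, or `sops_version=` for dotenv files). The regex constant, the function names and the marker heuristics are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not SOPS project code): refuse to commit plaintext files
# that the .sops.yaml rule in this guide would cover.

# Mirrors the path_regex from the .sops.yaml above (assumed to be the rule in use).
SOPS_PATH_REGEX='\.tfvars(\.json)?$'

# must_be_encrypted PATH -> 0 if the path matches the creation rule, 1 otherwise.
must_be_encrypted() {
    printf '%s\n' "$1" | grep -Eq -- "$SOPS_PATH_REGEX"
}

# is_sops_encrypted FILE -> 0 if the file looks like SOPS ciphertext.
# Heuristic (assumption): every value SOPS encrypts is wrapped as
# ENC[AES256_GCM,data:...,iv:...,tag:...,type:...] and the file carries a
# "sops" metadata block (JSON/YAML) or sops_version= (dotenv format).
is_sops_encrypted() {
    [ -f "$1" ] || return 1
    grep -q 'ENC\[AES256_GCM,' -- "$1" || return 1
    grep -Eq '^[[:space:]]*"?sops"?[[:space:]]*:|^sops_version=' -- "$1"
}

# check_staged_files PATH... -> 0 if no plaintext secret file is among the
# arguments, 1 otherwise; offending paths are reported on stderr.
check_staged_files() {
    status=0
    for f in "$@"; do
        if must_be_encrypted "$f" && ! is_sops_encrypted "$f"; then
            echo "refusing to commit plaintext secrets: $f" >&2
            status=1
        fi
    done
    return $status
}

# Usage as .git/hooks/pre-commit (uncomment in the hook itself):
#   check_staged_files $(git diff --cached --name-only --diff-filter=ACM)
```

Note that a file named `opentofu.auto.tfvars.enc` does not match the rule, so it is never inspected; that matches the workflow above, where the `.enc` file is committed and the plaintext `.tfvars` is excluded via .gitignore. A `.tfvars.json` encrypted in place keeps its name and is accepted only when the ciphertext markers are present.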