How to use SOPS + age

As we saw earlier, SOPS supports multiple formats and encryption backends. In this guide, we will focus on using SOPS with age for encrypting sensitive files like *.tfvars, terraform.tfstate, and other secrets.

Generate an age Key Pair

Windows

mkdir $env:APPDATA\sops\age
age-keygen -o $env:APPDATA\sops\age\keys.txt

macOS

mkdir -p "$HOME/Library/Application Support/sops/age"
age-keygen -o "$HOME/Library/Application Support/sops/age/keys.txt"

Linux

mkdir -p ~/.config/sops/age
age-keygen -o ~/.config/sops/age/keys.txt

Grab your public key:

grep public /path/to/keys.txt
# public key: age1xxxx...

Danger

Share only the public key with collaborators.

Encrypting with sops

There are multiple ways to encrypt a file using age with SOPS:

Using the age flag

sops -e --age age1xxxx...,age1yyyy... opentofu.auto.tfvars > opentofu.auto.tfvars.enc

This encrypts the file using the provided public age keys.

Using an environment variable

export SOPS_AGE_RECIPIENTS="age1xxxx...,age1yyyy..."
sops -e opentofu.auto.tfvars > opentofu.auto.tfvars.enc

This is useful when scripting or storing your recipient key in an environment configuration.

Using sops config file

You can also specify the recipient in a .sops.yaml file in your repository:

.sops.yaml

creation_rules:
  - path_regex: \.tfvars(\.json)?$
    encrypted_regex: "^(.*)$"
    age: "age1xxxx...,age1yyyy..."

Using .sops.yaml is best for projects as it avoids setting env variables or using the age flag, enabling consistent, automatic encryption config.

The encryption method may vary, based on the file format

When encrypting files, you need to specify the input type. This is crucial for SOPS to understand how to handle the file correctly.

This is important to ensure that the file is encrypted correctly and can be decrypted later without issues.

BINARY

For binary files, you can use the default command:

sops encrypt opentofu.auto.tfvars > opentofu.auto.tfvars.enc

JSON

For JSON files, specify the input type as JSON:

sops encrypt --input-type json opentofu.auto.tfvars.json > opentofu.auto.tfvars.json.enc

YAML

For YAML files, specify the input type as YAML:

sops encrypt --input-type yaml secrets.yaml > secrets.yaml.enc

ENV

For environment variable files, specify the input type as dotenv:

sops encrypt --input-type dotenv .env > .env.enc

Decrypting with sops

Basic usage examples

View decrypted content:

sops -d opentofu.auto.tfvars.enc

Save decrypted file:

sops -d opentofu.auto.tfvars.enc > opentofu.auto.tfvars

The decryption method may vary, based on the file format

When decrypting files, you need to specify the output type. This is crucial for SOPS to understand how to handle the file correctly.

This is important to ensure that the file is decrypted correctly and can be used later without issues.

BINARY

For binary files, you can use the default command:

sops decrypt opentofu.auto.tfvars.enc > opentofu.auto.tfvars

JSON

For JSON files, specify the input and output type as JSON:

sops decrypt --input-type json --output-type json opentofu.auto.tfvars.json.enc > opentofu.auto.tfvars.json

YAML

For YAML files, specify the input and output type as YAML:

sops decrypt --input-type yaml --output-type yaml secrets.yaml.enc > secrets.yaml

ENV

For environment variable files, specify the input and output type as dotenv:

sops decrypt --input-type dotenv --output-type dotenv .env.enc > .env

Bonus: Using SSH keys to encrypt/decrypt

You can also use SSH keys for encryption and decryption. This is particularly useful if you already manage SSH keys for other purposes.

Encrypting with SSH keys

sops -e --age "$(cat ~/.ssh/id_ed25519.pub)" opentofu.auto.tfvars > opentofu.auto.tfvars.enc

Note

Only ssh-ed25519 and ssh-rsa key types are supported for encryption using SSH keys.

Decrypting with SSH keys

By default, SOPS will try to decrypt using the following SSH private keys (in order):

• ~/.ssh/id_ed25519
• ~/.ssh/id_rsa

If your private key is stored in a custom location or if you manage multiple keys, you can explicitly specify which one to use:

export SOPS_AGE_SSH_PRIVATE_KEY_FILE=~/.ssh/id_rsa
sops -d opentofu.auto.tfvars.enc > opentofu.auto.tfvars

Tip for scripting or CI/CD

To avoid setting the environment variable separately, you can combine everything in one command:

SOPS_AGE_SSH_PRIVATE_KEY_FILE=~/.ssh/id_rsa sops -d opentofu.auto.tfvars.enc > opentofu.auto.tfvars

This is especially handy in scripts or continuous deployment pipelines.

Best Practices

• Never commit decrypted files (*.tfvars, *.tfstate, secrets.json, secrets.yaml, .env etc.)
• Use .gitignore to exclude them
• Always encrypt before pushing
• Share only the public key
• Store private keys securely (e.g., in a password manager or vault)

---

References

• Using age with SOPS
• Encrypting with Mozilla SOPS and AGE
• Encrypting Secrets The GitOps Way With sops And age (YouTube)
• Protégez vos secrets DevOps avec SOPS (FR)
• Stocker des secrets dans un dépôt Git (FR)