What is a secret? Some things you want to tell everyone, such as: We are the partner for data-driven work. Other things you prefer not to tell everyone, such as the PIN code of your bank card.
In computer systems, “secrets” are confidential pieces of information. For example:
– The access password for your database
– The username of your SaaS system
Secrets belong to your software, but you usually want to store them in a different place. You would not leave the key of your safe hanging on the safe itself. An interesting idea is that you can cut the key of your safe into 100 pieces and still keep those pieces next to the safe. This way, the key is nearby, but you need to know how to put the pieces together before you can use it.
In practice, we use two systems for this: HashiCorp Vault or OpenBao (a digital safe), and SOPS. This blog post continues with SOPS. SOPS, also known as “Secret OPerationS”, is a project from Mozilla. SOPS encrypts sensitive data using one or more keys, which makes the data unreadable for both humans and machines. Do you want to work together with multiple people who need access to the same sensitive data? SOPS allows you to include multiple decryption keys inside the files.
1. Put your decryption key in a configuration file. For example, you can add the public part of your SSH key there.
# .sops.yaml
# Create a decryption key, for example an SSH key, and store it in a .sops.yaml file.
creation_rules:
  - path_regex: \.(env|yml|yaml|pem)$
    # The age recipients are one comma-separated string. YAML comments cannot be
    # placed inside the folded block below, so they are listed here instead:
    #   first key:  public key of user 1 with permission to decrypt
    #   second key: public key of the machine where you want to deploy it
    age: >-
      ssh-ed25519 ........,
      ssh-ed25519 ........
...
2. Encrypt your file. Running sops edit opens the file in your editor; a new file starts with SOPS's example content:
sops edit my_secrets.yaml
hello: Welcome to SOPS! Edit this file as you please!
example_key: example_value
# Example comment
example_array:
- example_value1
- example_value2
example_number: 1234.56789
example_booleans:
- true
- false
3. Your file is automatically saved with encryption. You can still read the keys, for example example_array, but you cannot read the values.
hello: ENC[AES256_GCM,data:FfadDI+dd1zsMJR9po/rv4Z3g18tY6hubPd/7vMmlW3IqBohP+xpY6MMa6qfDA==,iv:U1ufW9jgiKJrSG80bd4SuImWpbpgsPJf6biww/FFMkM=,tag:LOTPo27w/omFXyyTS2O7MQ==,type:str]
example_key: ENC[AES256_GCM,data:9GN+nyiGmBMF2aOnoyQEgtD/,iv:mjG49EK3XaJ/kha4cYTM5NoOHdcClI3LP/JVOpOx1cs=,tag:4rPHJoJXgGW5UY1MYznMMA==,type:str]
#ENC[AES256_GCM,data:pAqrTMufIvKHq2NdZoM9mw==,iv:6JJjV5+di0kXR4bm1SVmi7R3NfRZZ8/F5YX5kBz8phk=,tag:p9To2T06PiRMv7zmxfL/ug==,type:comment]
example_array:
- ENC[AES256_GCM,data:mdg5RoR2XctOHcT+CzI=,iv:V9ONFXETKkmaTNtJbJY2Sy8ha3YFe286zEur/m0wn9c=,tag:KEqBACJpZXLJVhCxlgeD6w==,type:str]
- ENC[AES256_GCM,data:3nacSOHMrASRJXiP+qA=,iv:JRae/zGftxsme10+BOUsYTnk4cvVikq0/D8RvQ/GQn4=,tag:kaUEj2cecJ2P7232sVuvGg==,type:str]
example_number: ENC[AES256_GCM,data:KKfW9ubiYpuSaw==,iv:At7NtpbD5xzxBKyhmQ4EnBXgE19XAAvZDB3lynAw7to=,tag:3a8KcPRUjlakc3VE3+/69Q==,type:float]
example_booleans:
- ENC[AES256_GCM,data:iOl2Pw==,iv:aDhWCvWs1EAq8txHLSvhmLzbNyIFgPB6rrCh92tAg9I=,tag:YmlzXdi5Cr8Drap7IHhgzQ==,type:bool]
- ENC[AES256_GCM,data:xbIdH+o=,iv:QpFg+luwyrjzbdkQiTLkKEIihNXxHWUNjbv3xLp+zbo=,tag:79eHsgeyQhBHY7DmAN45bg==,type:bool]
sops:
  age:
    - recipient: ssh-ed25519 ...
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        ...
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2026-02-16T14:58:05Z"
  mac: ENC[AES256_GCM,data:kyWm9uKt7foMzWEM3dq23124GFGTOx011bT5ysqXAW+1X+buJwg0kKDexs3pP3u3T0wsCFYxLAuUwCvGH4BK2xeNKN32ruOHpHuQUourUPao/IC9EZ5v8ctb7w9b1ZuX6gJUNBqHasdsdqRRTQ039fwsMFjepjqMBG8s9LR+w4RPlmG634=,iv:8tSCM6l8BvStSRzalCl/Gm5L3c2DoF0LXtYJN/neETE=,tag:+fZhW0SXFvvZ/aWRw04oTA==,type:str]
  unencrypted_suffix: _unencrypted
  version: 3.11.0
4. You can safely share this file. It is completely useless without the key.
5. Another user with the correct key can easily decrypt the file:
sops decrypt my_secrets.yaml
6. Do you not have the correct permissions? Then SOPS will let you know:
sops decrypt my_secrets.yaml
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
ssh-ed25519 ... : FAILED
- | failed to create reader for decrypting sops data key with
| age: no identity matched any of the recipients. Did not find
| keys in locations 'SOPS_AGE_SSH_PRIVATE_KEY_FILE',
| '/home/floris/.ssh/id_rsa', 'SOPS_AGE_KEY',
| 'SOPS_AGE_KEY_FILE', and 'SOPS_AGE_KEY_CMD'.
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
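Before committing a SOPS-encrypted file, it is worth checking that every leaf value really is an ENC[...] value and that nothing was left in plaintext. As an added example (not part of the original post, not SOPS's own code), this Python script parses the ENC[AES256_GCM,...] format shown above and walks a constructed document; it assumes the 32-byte IV and 16-byte tag lengths visible in the encrypted values above, and exempts keys ending in the _unencrypted suffix from the sops metadata block.

```python
import base64
import re

# Shape of a SOPS-encrypted leaf value, as seen in the encrypted file above.
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:(?P<data>[A-Za-z0-9+/=]*),iv:(?P<iv>[A-Za-z0-9+/=]+),"
    r"tag:(?P<tag>[A-Za-z0-9+/=]+),type:(?P<type>str|int|float|bool|comment)\]$"
)

def parse_enc(value):
    """Return the decoded parts of an ENC[...] value, or None if it is not one.

    SOPS uses AES-256-GCM with a 32-byte IV and a 16-byte tag (lengths assumed
    from the sample values above); anything else is treated as malformed.
    """
    if not isinstance(value, str):
        return None
    m = ENC_RE.match(value)
    if not m:
        return None
    try:
        parts = {k: base64.b64decode(m.group(k), validate=True) for k in ("data", "iv", "tag")}
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None
    if len(parts["iv"]) != 32 or len(parts["tag"]) != 16:
        return None
    parts["type"] = m.group("type")
    return parts

def plaintext_leaves(doc, suffix="_unencrypted", path=""):
    """Return paths of leaf values that are neither ENC[...] nor under an exempt key.

    Keys ending in `suffix` mirror SOPS's unencrypted_suffix; the top-level `sops`
    metadata block is skipped because it is never encrypted.
    """
    leaks = []
    if isinstance(doc, dict):
        for key, val in doc.items():
            if (path == "" and key == "sops") or key.endswith(suffix):
                continue
            leaks.extend(plaintext_leaves(val, suffix, f"{path}/{key}"))
    elif isinstance(doc, list):
        for i, val in enumerate(doc):
            leaks.extend(plaintext_leaves(val, suffix, f"{path}[{i}]"))
    elif parse_enc(doc) is None:
        leaks.append(path)
    return leaks

# Constructed sample: two encrypted values from the post plus two plaintext leaks.
SAMPLE = {
    "example_key": "ENC[AES256_GCM,data:9GN+nyiGmBMF2aOnoyQEgtD/,iv:mjG49EK3XaJ/kha4cYTM5NoOHdcClI3LP/JVOpOx1cs=,tag:4rPHJoJXgGW5UY1MYznMMA==,type:str]",
    "example_array": ["ENC[AES256_GCM,data:mdg5RoR2XctOHcT+CzI=,iv:V9ONFXETKkmaTNtJbJY2Sy8ha3YFe286zEur/m0wn9c=,tag:KEqBACJpZXLJVhCxlgeD6w==,type:str]", "oops-plaintext"],
    "db_password": "hunter2",           # forgotten plaintext, should be flagged
    "region_unencrypted": "eu-west-1",  # exempt by suffix
    "sops": {"version": "3.11.0", "unencrypted_suffix": "_unencrypted"},
}

if __name__ == "__main__":
    print(plaintext_leaves(SAMPLE))  # ['/example_array[1]', '/db_password']
```

Load the real file with a YAML parser and feed the resulting dict to plaintext_leaves; a non-empty result means the file is not safe to share yet.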
Would you like to learn more about encryption at rest, encryption in transit, or data security and encryption in general? Contact us now.
Do you want to make better use of your data and information? Contact us now, and learn how we can bring your organisation to the next level.