🔑 SOPS

SOPS is used to encrypt and decrypt secrets in my homelab.

Typically, my secrets are kept in .env files that are read as environment variables and then used by my configs.

Other files that contain secrets, such as YAML configs or SQLite database files, are encrypted as well.

age is my encryption of choice.

🛠 Installation

apt install sops
brew install sops

⚙ Config

🔑 Keys

~/.config/sops/age/keys.txt

(
  [ -d ~/.config/sops/age ] || mkdir -p ~/.config/sops/age
  scp [email protected]/home/nicholas/.config/sops/age/keys.txt ~/.config/sops/age/
)
(
  [ -d ~/.config/sops/age ] || mkdir -p ~/.config/sops/age
  lpass show sops-age --attach=att-2571789250549588435-38084 -q > ~/.config/sops/age/keys.txt
)

.sops.yaml

---
creation_rules:
  - filename_regex: \.yaml$
    age: 'age1x2at6wwq2gks47fsep9a25emdeqd93e3k0gfsswtmhruqrteu5jqjvy7kd'
  - filename_regex: \.db$
    age: 'age1x2at6wwq2gks47fsep9a25emdeqd93e3k0gfsswtmhruqrteu5jqjvy7kd'
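
A preflight check that ties the key file and .sops.yaml together, added here as an example and not part of the original page: it confirms keys.txt is private to its owner and that its public key is a recipient in every age rule. The helper names and sample key values are assumptions, and it relies on the `# public key:` comment that age-keygen writes into keys.txt.

```shell
#!/usr/bin/env bash
# Added example; check_sops_age_key and make_sample are hypothetical helper
# names, not part of sops or age. Assumes keys.txt still carries the
# "# public key: age1..." comment line that age-keygen writes.

check_sops_age_key() {
  local keyfile="$1" sops_yaml="$2" mode pub total missing
  [ -f "$keyfile" ] && [ -f "$sops_yaml" ] || { echo "missing input file" >&2; return 2; }

  # The identity file must not be accessible to group or other.
  # GNU stat is tried first, BSD/macOS stat second.
  mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
  case "$mode" in
    ?00) ;;
    *) echo "$keyfile has mode $mode, expected 600" >&2; return 3 ;;
  esac

  # Public half of the identity, read from the age-keygen comment line.
  pub=$(sed -n 's/^# public key: \(age1[0-9a-z]*\)$/\1/p' "$keyfile" | head -n 1)
  [ -n "$pub" ] || { echo "no '# public key:' comment in $keyfile" >&2; return 4; }

  # Every "age:" recipient line must include this identity; files encrypted
  # under a rule that omits it cannot be decrypted with this identity.
  total=$(grep -cE '^[[:space:]]*age:' "$sops_yaml" || true)
  missing=$(grep -E '^[[:space:]]*age:' "$sops_yaml" | grep -vcwF "$pub" || true)
  if [ "$total" -eq 0 ] || [ "$missing" -gt 0 ]; then
    echo "$missing of $total age rules in $sops_yaml omit $pub" >&2
    return 5
  fi
  echo "ok: $pub is a recipient in all $total age rules"
}

# Writes constructed sample files (placeholder key material, not real keys).
make_sample() {
  local dir="$1" pub="$2"
  printf '# public key: %s\nAGE-SECRET-KEY-1CONSTRUCTEDPLACEHOLDER\n' "$pub" > "$dir/keys.txt"
  chmod 600 "$dir/keys.txt"
  cat > "$dir/.sops.yaml" <<'EOF'
---
creation_rules:
  - filename_regex: \.yaml$
    age: 'age1constructedsamplea'
  - filename_regex: \.db$
    age: 'age1constructedsamplea'
EOF
}
```

After copying the key, run it as `check_sops_age_key ~/.config/sops/age/keys.txt .sops.yaml`; a non-zero exit code identifies which check failed.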

📝 Usage

🔒 Encrypt

task encrypt
sops -e .env > .env.enc

🔐 Decrypt

task decrypt
sops -d --input-type dotenv --output-type dotenv .env.enc > .env
