What is Sops?

The official description is short and precise:

SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.

Put simply, it helps you store sensitive data in a git repository in a secure way.

Requirements

In this tutorial, we’ll use Linux and GPG, but don’t worry if you’re on a different operating system. You can find similar or equivalent tools to accomplish the same tasks.

Short Version

  1. (Optional) Generate a new GPG key:
     gpg --full-generate-key
  2. Get the GPG fingerprint ID:
     gpg --list-keys
  3. Create .sops.yaml in the repository root with the GPG fingerprint ID of each stakeholder, like below:
     creation_rules:
       - pgp: 'E9336A338A5FDDED2D1CAECDEA3AC6C7D1722308'
  4. Encrypt the file using SOPS, like below:
     sops -i -e filename_to_encrypt
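The four steps above as one script, added here as an example; it is not code from the original post or from the sops project. It assumes gpg and sops are on PATH, generates the key unattended with gpg's batch parameter format instead of the interactive walk-through, and constructs the name, e-mail, scratch GNUPGHOME and sample secrets file itself. The helper functions run without any tools installed; set SOPS_DEMO=1 to run the live gpg/sops part.

```shell
#!/bin/sh
# Added example, not code from the original post or from the sops project.
# It scripts the four "Short Version" steps end to end. Assumptions: gpg and
# sops are on PATH; the key is generated unattended with gpg's batch
# parameter format (standing in for the interactive --full-generate-key
# walk-through); the name, e-mail, temporary GNUPGHOME and the sample
# secrets file are all constructed here.
set -eu

# Step 1: generate an RSA 4096 key (the post's recommended choices) without
# prompts. %no-protection skips the passphrase only because this is a
# throwaway demo key; a real key gets a strong passphrase.
generate_key() {
    gpg --batch --generate-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $1
Name-Email: $2
Name-Comment: sops tutorial key (constructed)
Expire-Date: 1y
%commit
EOF
}

# Step 2: extract the fingerprint. gpg's --with-colons output is the
# machine-readable form of --list-keys; the "fpr" record carries the
# 40-hex-digit fingerprint in its 10th field. Reads stdin and prints the
# first fingerprint found.
fingerprint_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 3: emit a .sops.yaml whose single creation rule lists every
# stakeholder fingerprint given as an argument, comma-separated inside a
# folded YAML scalar (the layout the post uses). sops splits on commas and
# trims whitespace, so one fingerprint per line is fine.
write_sops_config() {
    printf 'creation_rules:\n  - pgp: >-\n      %s' "$1"
    shift
    for fpr in "$@"; do
        printf ',\n      %s' "$fpr"
    done
    printf '\n'
}

# Step 4 (live part): tie it together in a scratch directory, encrypt a
# constructed secrets file in place, verify the plaintext is gone, decrypt.
demo() {
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    GNUPGHOME="$workdir/gnupg"; export GNUPGHOME
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    cd "$workdir"

    generate_key "Example Stakeholder" "stakeholder@example.invalid"
    fpr=$(gpg --list-keys --with-colons | fingerprint_from_colons)
    write_sops_config "$fpr" > .sops.yaml   # pass more fingerprints for more stakeholders

    printf 'db_password: s3cr3t-constructed\n' > secrets.yaml   # constructed sample
    sops --in-place --encrypt secrets.yaml
    if grep -q 's3cr3t-constructed' secrets.yaml; then
        echo "encryption failed: plaintext still in secrets.yaml" >&2
        exit 1
    fi
    echo "encrypted for fingerprint $fpr; decrypting again:"
    sops --in-place --decrypt secrets.yaml
    cat secrets.yaml
}

# The live part runs only on request, so the helper functions above can be
# sourced or tested on a machine without gpg/sops.
if [ "${SOPS_DEMO:-0}" = 1 ]; then
    demo
fi
```

Running it with SOPS_DEMO=1 prints the decrypted sample at the end, which confirms the round trip through the freshly generated key; without the variable only the helpers are defined.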

Long Story

First of all, you need a PGP key to encrypt/decrypt the data, and you need the fingerprint of each team member or tool that should have access. If you already have a key, you don't need to generate a new one.

(Optional) Generate PGP Key

If you want to generate one, use the command below:

gpg --full-generate-key

While there are a few options, I recommend sticking with RSA for its balance of security and compatibility.

Please select what kind of key you want:
 (1) RSA and RSA
 (2) DSA and Elgamal
 (3) DSA (sign only)
 (4) RSA (sign only)
 (9) ECC (sign and encrypt) *default*
 (10) ECC (sign only)
 (14) Existing key from card
Your selection? 1                                           <---- Select 1

You have the flexibility to choose any key bit size you prefer. That said, I recommend going with 4096 bits for optimal security.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096                       <---- Insert 4096

Please select your desired expiration date from the options below.

Please specify how long the key should be valid.
 0 = key does not expire
 <n>  = key expires in n days
 <n>w = key expires in n weeks
 <n>m = key expires in n months
 <n>y = key expires in n years
Key is valid for?

Provide your complete name, the email address associated with your GitHub account, and a short note about what this key is for.

Real name: <YOUR NAME OR THE ACCOUNT NAME> 
Email address: <YOUR EMAIL>
Comment: <A PERSONAL COMMENT FOR THIS KEY>

Next, you'll be prompted to confirm the key generation. When you confirm, gpg asks for a passphrase: choose a strong one, because it protects the private key.

Get PGP Fingerprint

You need the PGP fingerprint; you can get it using:

gpg --list-keys

It is printed on the second line of each key entry, right under the pub line; below is an example:

[Image: GPG KeyID]

Collect the fingerprint of each stakeholder who should be able to encrypt and decrypt the data.

Keep in mind that encrypting the data requires the public key of each stakeholder; if it is not in your keyring yet, import it using:

gpg --import ...

Create Sops Configuration

Go into the git repository and create the sops configuration.

More specifically you need to create a file named .sops.yaml in the project root directory.

Create the file with content like this:

creation_rules:
  - pgp: >-
      E9336A338A5FDDED2D1CAECDEA3AC6C7D1722308,
      A....

Insert the fingerprints of all stakeholders.

Encrypt and decrypt data

You can encrypt the data using this command below:

sops --in-place --encrypt <file path>

The file stays YAML: the keys remain readable, each value is replaced by its ciphertext, and a sops metadata section is added.

Below is a quick example of the content:

[Image: GPG KeyID]
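As an added example (not part of the post or of sops), a check a team can run before committing: it fails if any value in a supposedly encrypted file is not an ENC[...] ciphertext, which is how an accidentally unencrypted secrets file gets caught. It assumes the YAML layout sops produces, keys in clear, every value rewritten as ENC[...], and the metadata under a top-level sops: key; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of sops itself: a
# heuristic pre-commit style check that a sops-encrypted YAML file really
# contains no plaintext values. Assumes sops' YAML output layout: keys stay
# in clear, every value is rewritten as ENC[...], and the metadata lives
# under a top-level "sops:" key. The sample files below are constructed.
set -eu

# Exit 0 when every value outside the sops: block starts with ENC[,
# otherwise print each offending line and exit 1. This is a line-based
# heuristic, not a YAML parser: it understands "key: value", "- value" and
# "- key: value" lines, which is what sops emits for encrypted files.
check_encrypted() {
    awk '
        /^sops:/                  { in_meta = 1; next }   # metadata block begins
        in_meta && /^[^ \t]/      { in_meta = 0 }         # next top-level key ends it
        in_meta                   { next }
        /^---/ || /^[ \t]*#/ || /^[ \t]*$/ { next }       # doc marker, comments, blanks
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            if (line == "-") next                         # list item continues on next line
            sub(/^- /, "", line)
            if (substr(line, 1, 4) == "ENC[") next        # bare encrypted list item
            # "key: value" -> value; anything else is treated as the value itself
            if (match(line, /^[^:]+:[ \t]*/)) value = substr(line, RLENGTH + 1)
            else value = line
            if (value == "") next                         # key opening a nested map or list
            if (substr(value, 1, 4) != "ENC[") {
                printf "plaintext value at line %d: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed samples: what sops --encrypt leaves behind (with shortened
# ciphertexts) versus a file someone forgot to encrypt.
write_samples() {
    cat > "$1/encrypted.yaml" <<'EOF'
db_password: ENC[AES256_GCM,data:Q29uc3RydWN0ZWQ=,iv:aXY=,tag:dGFn,type:str]
api_keys:
    - ENC[AES256_GCM,data:a2V5MQ==,iv:aXY=,tag:dGFn,type:str]
sops:
    pgp:
        - created_at: "2024-01-01T00:00:00Z"
          fp: E9336A338A5FDDED2D1CAECDEA3AC6C7D1722308
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
EOF
    cat > "$1/plaintext.yaml" <<'EOF'
db_password: s3cr3t-constructed
api_keys:
    - key-one-constructed
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
check_encrypted "$dir/encrypted.yaml" && echo "encrypted.yaml: ok"
check_encrypted "$dir/plaintext.yaml" || echo "plaintext.yaml: rejected (expected)"
rm -rf "$dir"
```

The sops: block is skipped on purpose: it legitimately contains plaintext such as the PGP fingerprints, while the mac entry is itself an ENC[...] value. Run check_encrypted against every file matched by .sops.yaml in a pre-commit hook and the hook refuses a commit that would push plaintext secrets.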

To decrypt the data you can use the command:

sops --in-place --decrypt <file path>

For more information, configuration options, and documentation, see https://github.com/getsops/sops/.