digitalundso

Managing secrets with style and SOPS

April 22, 2025

Sooner or later you will face the problem of storing secrets in your IaC repo. And maybe you’re also hosting this repo on a public Git server like codeberg.org. Is it a bad idea to store secrets in plain text in a public repository? Hell yes! But there are a lot of solutions to this problem.

One solution I like to use is SOPS. SOPS is not an encryption algorithm or an encryption tool in itself; rather, it uses existing encryption tools and key services like PGP, age, OpenBao/HashiCorp Vault, Azure Key Vault, GCP KMS or AWS KMS to encrypt YAML, JSON, ENV, INI or binary files. One thing to keep in mind is that SOPS only encrypts the value part of a key-value pair! The keys stay readable, which is why SOPS targets the structured file formats mentioned above.

SOPS & age

As mentioned, SOPS can use different encryption backends. One of those is age, “[..] a simple, modern and secure file encryption tool, format, and Go library. It features small explicit keys, no config options, and UNIX-style composability.”

$ age-keygen -o age-key.txt

This will create a file called age-key.txt that contains both the public and the private part of your new age encryption key. You can share the public part of your key much like a public SSH key, but more on that later.
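Because SOPS leaves keys readable and encrypts only values, a useful guard before committing is to check that every value in a SOPS file is actually ciphertext and to list which age recipients it is encrypted to. The following is an added example, not code from this post or from the SOPS project: it parses a SOPS-encrypted JSON document (the ENC[AES256_GCM,...] leaf format and the top-level `sops` metadata block are SOPS's real layout; the sample document, its base64 blobs and the age recipient are constructed dummies).

```python
import json
import re

# Shape of an encrypted leaf as SOPS writes it: ENC[AES256_GCM,data:..,iv:..,tag:..,type:..]
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]+,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(str|int|float|bool|comment)\]$"
)

def plaintext_leaves(node, path="", _top=True):
    """Return the paths of every leaf value that is NOT a SOPS ciphertext.

    The top-level `sops` key holds SOPS's own metadata (recipients, MAC)
    and is meant to stay readable, so it is skipped."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if _top and key == "sops":
                continue
            found.extend(plaintext_leaves(value, f"{path}.{key}" if path else key, False))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(plaintext_leaves(value, f"{path}[{i}]", False))
    elif not (isinstance(node, str) and ENC_RE.match(node)):
        # strings that are not ENC[...] and every bare number/bool are plaintext
        found.append(path)
    return found

def age_recipients(doc):
    """Public age keys the file is encrypted to, read from the sops metadata."""
    return [entry["recipient"] for entry in doc.get("sops", {}).get("age", [])]

def check_file(text):
    """Parse a SOPS JSON document; return (ok, offending_paths, recipients)."""
    doc = json.loads(text)
    leaks = plaintext_leaves(doc)
    return (not leaks, leaks, age_recipients(doc))

# Constructed sample: one value someone added by hand after encryption
# (a classic mistake), one bare number, and a dummy age recipient.
SAMPLE = """{
  "db": {
    "user": "ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]",
    "password": "hunter2"
  },
  "ports": [443, "ENC[AES256_GCM,data:ODA=,iv:aXY=,tag:dGFn,type:int]"],
  "sops": {
    "age": [{"recipient": "age1examplerecipientxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
             "enc": "-----BEGIN AGE ENCRYPTED FILE----- ... -----END AGE ENCRYPTED FILE-----"}],
    "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]"
  }
}"""

if __name__ == "__main__":
    ok, leaks, recipients = check_file(SAMPLE)
    print("recipients:", recipients)
    print("OK" if ok else f"REFUSE: plaintext at {leaks}")
```

Run it as a pre-commit hook over every SOPS file in the repo; on the sample it reports `db.password` and `ports[0]` as plaintext and refuses the commit.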

SOPS & OpenBao

Ansible

Using SOPS without an Ansible module

With a dynamic Ansible inventory, the SOPS module is not of much help. Modules only run at the role or play level, so anything that happens before that, such as building the inventory, can’t benefit from the module’s features.
