SOPS (Secrets Operations) is a command-line tool developed by Mozilla that encrypts configuration files and secrets at rest in version control (Git) using a cloud KMS (AWS KMS, GCP Cloud KMS, Azure Key Vault) or PGP encryption. Instead of committing plaintext secrets, teams can version-control encrypted secrets, maintain diffs, and manage encryption keys through their cloud provider's access controls. Files remain encrypted in Git; CI/CD systems decrypt them during deployment using IAM permissions. SOPS works with YAML, JSON, binary, and environment files, which makes it flexible enough for Kubernetes manifests, Terraform variables, Docker Compose configs, and application configurations. When you edit a SOPS-encrypted file, it is decrypted transparently in your editor, you make changes, and it is re-encrypted on save.
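
As an added example (not part of the original page or the SOPS project), here is a pre-commit style check that a JSON file really is SOPS-encrypted before it lands in Git. It assumes the top-level `sops` metadata block and `ENC[AES256_GCM,...]` value format that SOPS writes, plus the default `_unencrypted` key suffix; the function names and sample data are constructed for illustration.

```python
import json
import re

# A SOPS ciphertext leaf looks like ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]*,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$")
UNENCRYPTED_SUFFIX = "_unencrypted"  # assumed SOPS default: such keys stay cleartext


def plaintext_paths(node, path=""):
    """Return paths of leaf values that are not SOPS ciphertext."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key.endswith(UNENCRYPTED_SUFFIX):
                continue  # deliberately cleartext subtree, skip it
            found += plaintext_paths(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found += plaintext_paths(value, f"{path}[{i}]")
    elif not (isinstance(node, str) and ENC_VALUE.match(node)):
        found.append(path)  # any non-ciphertext leaf is treated as a leak
    return found


def check_sops_json(text):
    """Return a list of problems; an empty list means the file looks encrypted."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or "sops" not in doc:
        return ["missing top-level 'sops' metadata block"]
    meta = doc["sops"]
    has_mac = isinstance(meta, dict) and bool(meta.get("mac"))
    problems = [] if has_mac else ["sops metadata has no 'mac'"]
    body = {k: v for k, v in doc.items() if k != "sops"}
    return problems + [f"plaintext value at {p}" for p in plaintext_paths(body)]


# Constructed samples (not real ciphertext): one clean file, one with leaked values.
ENC_SAMPLE = "ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]"
ENCRYPTED = json.dumps({"db": {"password": ENC_SAMPLE, "hosts": [ENC_SAMPLE, ENC_SAMPLE]},
                        "region_unencrypted": "eu-west-1", "sops": {"mac": ENC_SAMPLE}})
LEAKED = json.dumps({"db": {"password": "hunter2", "hosts": [ENC_SAMPLE, "10.0.0.5"]},
                     "sops": {"mac": ENC_SAMPLE}})

if __name__ == "__main__":
    for name, text in (("encrypted", ENCRYPTED), ("leaked", LEAKED)):
        print(name, check_sops_json(text) or "ok")
```

The check only validates the shape of the file; it does not verify the MAC or prove the values decrypt, which requires access to the key.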