SOPS (Secrets OPerationS)

github.com

About this website

SOPS (Secrets OPerationS) is an editor of encrypted files that supports YAML, JSON, ENV, INI, and BINARY formats, designed to make managing and sharing secrets safe and practical. Originally developed by Mozilla in 2015 and now maintained under the getsops organization, SOPS solves the problem of safely storing encrypted secrets in version control systems like Git, enabling teams to treat secret files (containing API keys, passwords, certificates, and configuration) as code. With over 17,000 stars as of 2026, SOPS encrypts the values of key-value pairs while leaving the keys in plaintext, making diffs and code reviews meaningful even on encrypted files.

Key features include:

- Multi-backend encryption supporting AWS KMS, Google Cloud KMS, Azure Key Vault, HashiCorp Vault Transit engine, age (a modern encryption tool by Filippo Valsorda), PGP/GnuPG, and any combination of these backends simultaneously (requiring multiple providers to decrypt, implementing a form of multi-factor key management).
- Per-value encryption (each individual value in a YAML/JSON file is encrypted independently, enabling granular access control).
- Encryption of entire files for binary format.
- MAC (Message Authentication Code) for detecting tampering of the encrypted data structure.
- Key rotation (re-encrypting all values with new keys while preserving the structure).
- Partial decryption (decrypting only specific keys using the --extract flag for scripts).
- Integration with Git diffs (Git can display meaningful diffs of encrypted files showing which keys changed).
- Integration with Helm Secrets, Terraform, Ansible, Kubernetes via Helm Secrets or Sealed Secrets, and CI/CD pipelines.
- A Go library for programmatic access.

SOPS is written in Go and distributed as a single binary.
