type: service
status: active
timestamp: 2026-06-24
tags: [secrets, encryption, sops, age, security, gitops]

SOPS + Age Secrets Encryption

Primary file-based secrets encryption — age keys + SOPS, CNCF


Project Status — NOT Abandoned

SOPS was created at Mozilla in 2015 by Adrian Utrilla and Julien Vehent. It was donated to the CNCF as a Sandbox project in 2023 and is now actively maintained by a new group of maintainers at getsops/sops (github.com/getsops/sops). The old mozilla/sops repo redirects there.

Yes, you should use it. It is under active CNCF stewardship and is the GitOps standard for secret management.

How SOPS + Age Work Together (Envelope Encryption)

    Plaintext File
          │
          ▼
    [1] Generate random 256-bit Data Encryption Key (DEK)
          ├──► [2] Encrypt FILE content with AES-256-GCM using DEK
          └──► [3] Encrypt DEK with MASTER KEYS (Age, KMS, PGP…)
                        └──► Stored in file's `sops` metadata block

  1. SOPS generates a unique 256-bit data key per file.
  2. File content is encrypted with AES-256-GCM using that data key.
  3. The data key is encrypted by Age (X25519 + ChaCha20-Poly1305) and stored in the file's `sops` metadata block.

Age is by Filippo Valsorda (FiloSottile/age), a modern replacement for PGP/GPG. Keys are single-line strings, trivial to store in password managers or CI secrets.
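The envelope from steps [1] to [3], as an added Go example that is neither SOPS nor age code: a fresh DEK per file, content under AES-256-GCM, and the DEK wrapped to one X25519 recipient and stored beside the content. It uses only the Go standard library, so the wrap derives its key with SHA-256 and seals with AES-GCM where age uses HKDF-SHA256 and ChaCha20-Poly1305; the `Envelope` type and all function names are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Envelope mirrors a SOPS document: AES-256-GCM content plus a metadata block holding the data
// key wrapped for one X25519 recipient (the Age "master key"). Each GCM blob carries its own nonce.
type Envelope struct{ Ciphertext, EphemPub, WrappedDEK []byte }

// must panics on errors that can only come from programmer error or a structurally corrupt file.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal is AES-256-GCM under a fresh random nonce (a nonce must never repeat for one key).
func seal(key, plaintext []byte) []byte {
	a, nonce := aead(key), make([]byte, 12)
	must(rand.Read(nonce))
	return a.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or any modified byte fails authentication with an error.
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return aead(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// kek derives the key-encryption key from the X25519 shared secret (SHA-256 here; age uses HKDF).
func kek(shared []byte) []byte { s := sha256.Sum256(shared); return s[:] }

// Encrypt performs steps [1]-[3]: fresh DEK, content under the DEK, DEK under the master key.
func Encrypt(recipient *ecdh.PublicKey, plaintext []byte) *Envelope {
	dek := make([]byte, 32) // [1] unique 256-bit data key per file
	must(rand.Read(dek))
	eph := must(ecdh.X25519().GenerateKey(rand.Reader)) // one-time sender key, as in age
	shared := must(eph.ECDH(recipient))
	return &Envelope{seal(dek, plaintext), eph.PublicKey().Bytes(), seal(kek(shared), dek)} // [2], [3]
}

// Decrypt unwraps the DEK with the recipient's private key, then opens the content.
func Decrypt(identity *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	shared := must(identity.ECDH(must(ecdh.X25519().NewPublicKey(env.EphemPub))))
	dek, err := open(kek(shared), env.WrappedDEK) // a wrong identity fails here, not later
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}
```

Because only the DEK is re-wrapped per recipient, adding or rotating a master key touches the metadata block alone; the file content ciphertext stays as it is.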

Why SOPS + Age?

We use SOPS + Age as our primary secret encryption mechanism because it offers the best combination of security and portability while fitting our zero-cost/zero-card constraints:


Why Age Keyring over Alternatives?

SOPS supports multiple key backends. We strictly use Age:

Comparison Table

| Tool | Encrypts | Diffable | Infra Needed | GitOps Friendly |
|---|---|---|---|---|
| SOPS + Age | Values only | Yes | None | Excellent |
| Sealed Secrets | Whole k8s Secret | No | Cluster controller | K8s only |
| External Secrets | At runtime | N/A | Vault/KMS + controller | Yes, online only |
| git-crypt | Whole files | No | GPG keyring | Limited |
