
SOPS + Age Secrets Encryption

Project Status — NOT Abandoned

SOPS was created at Mozilla in 2015 by Adrian Utrilla and Julien Vehent. It was donated to the CNCF as a Sandbox project in 2023 and is now actively maintained by a new group of maintainers at getsops/sops (github.com/getsops/sops). The old mozilla/sops repo redirects there.

Yes, you should use it. It is under active CNCF stewardship and is the de facto GitOps standard for secret management.

How SOPS + Age Work Together (Envelope Encryption)

Plaintext File
      │
      ▼
[1] Generate random 256-bit Data Encryption Key (DEK)
      │
      ├──► [2] Encrypt FILE content with AES-256-GCM using DEK
      │
      └──► [3] Encrypt DEK with MASTER KEYS (Age, KMS, PGP…)
                   │
                   └──► Stored in file's `sops` metadata block

  1. SOPS generates a unique 256-bit data key per file
  2. File content is encrypted with AES-256-GCM using that data key
  3. The data key is encrypted by Age (using X25519 + ChaCha20-Poly1305) and stored in the file's metadata
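The three steps above, carried through as an added Go example written for this page (it is not code from sops or age, though Go is the language both are written in). It models the envelope end to end: one random 256-bit DEK per file, the body sealed once with AES-256-GCM, and the DEK wrapped separately to each X25519 master key so any one holder can open the file and a key that was never added cannot. Assumptions made here: the DEK wrap uses HMAC-SHA256 for key derivation and AES-256-GCM in place of age's HKDF-SHA256 + ChaCha20-Poly1305, so the code runs on the Go standard library alone; the `Envelope` and `WrappedDEK` types, the `sops-age-envelope-example` derivation label and every function name are this example's own, not sops' on-disk format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// NewMasterKey creates one master key: an X25519 key pair, the curve age uses. In practice this
// is the single-line age secret key kept outside the repo (password manager, CI secret).
func NewMasterKey() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// WrappedDEK is one entry of the file's `sops` metadata block: the DEK encrypted to one master key.
// Recipient is that master public key (so a decryptor can find its own entry), Ephemeral the
// sender's one-time X25519 public key, Sealed the nonce followed by the AES-GCM ciphertext.
type WrappedDEK struct{ Recipient, Ephemeral, Sealed []byte }

// Envelope is what lands on disk: the body under the DEK plus one WrappedDEK per master key.
type Envelope struct {
	Body []byte // nonce || AES-256-GCM ciphertext of the file content
	Keys []WrappedDEK
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext under a fresh random nonce; open reverses it. Both bind ad.
func seal(key, plaintext, ad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, ad), nil
}

func open(key, sealed, ad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	if n := aead.NonceSize(); len(sealed) >= n { return aead.Open(nil, sealed[:n], sealed[n:], ad) }
	return nil, errors.New("ciphertext shorter than nonce")
}

// wrapKey derives the key that protects the DEK from an X25519 agreement between priv and peer.
// Sender and decryptor reach the same key: (ephemeral priv, master pub) vs (master priv, ephemeral pub).
// age feeds HKDF-SHA256 into ChaCha20-Poly1305; this example substitutes HMAC-SHA256 and
// AES-256-GCM so it needs only the standard library (an assumption, not age's exact construction).
func wrapKey(priv *ecdh.PrivateKey, peer, ephemeralPub, recipientPub []byte) ([]byte, error) {
	peerKey, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil { return nil, err }
	shared, err := priv.ECDH(peerKey)
	if err != nil { return nil, err }
	mac := hmac.New(sha256.New, shared)
	mac.Write(ephemeralPub)
	mac.Write(recipientPub)
	mac.Write([]byte("sops-age-envelope-example"))
	return mac.Sum(nil), nil
}

// Encrypt performs the diagram's three steps. The body is encrypted exactly once however many
// master keys there are; only the 32-byte DEK is wrapped per key.
func Encrypt(plaintext []byte, masterPubs ...*ecdh.PublicKey) (*Envelope, error) {
	dek := make([]byte, 32) // [1] random 256-bit data encryption key, unique to this file
	if _, err := rand.Read(dek); err != nil { return nil, err }
	body, err := seal(dek, plaintext, nil) // [2] AES-256-GCM over the content
	if err != nil { return nil, err }
	env := &Envelope{Body: body}
	for _, mp := range masterPubs { // [3] wrap the DEK to each master key
		eph, err := ecdh.X25519().GenerateKey(rand.Reader)
		if err != nil { return nil, err }
		pub, ephPub := mp.Bytes(), eph.PublicKey().Bytes()
		wk, err := wrapKey(eph, pub, ephPub, pub)
		if err != nil { return nil, err }
		sealed, err := seal(wk, dek, pub) // the master public key is bound as AD
		if err != nil { return nil, err }
		env.Keys = append(env.Keys, WrappedDEK{pub, ephPub, sealed})
	}
	return env, nil
}

// Decrypt locates the WrappedDEK for this master key, recovers the DEK, then opens the body.
// A master key absent from the metadata gets an error, never the plaintext.
func Decrypt(master *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	pub := master.PublicKey().Bytes()
	for _, w := range env.Keys {
		if !bytes.Equal(w.Recipient, pub) { continue }
		wk, err := wrapKey(master, w.Ephemeral, w.Ephemeral, pub)
		if err != nil { return nil, err }
		dek, err := open(wk, w.Sealed, pub)
		if err != nil { return nil, err }
		return open(dek, env.Body, nil)
	}
	return nil, errors.New("no wrapped DEK for this master key")
}
```

The point to take from the structure: adding or removing a master key only touches the small `Keys` list, never the body, which is why rotating recipients is cheap while rotating the DEK itself requires re-encrypting the file. In a real sops file the per-recipient entries appear under the `sops.age` list, each carrying the recipient's public key and the age-encrypted DEK.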

Age is by Filippo Valsorda (FiloSottile/age) — a modern replacement for PGP/GPG. Keys are single-line strings, trivial to store in password managers or CI secrets.

Why SOPS + Age?

We use SOPS + Age as our primary secret encryption mechanism because it offers the best combination of security and portability while fitting our zero-cost/zero-card constraints:


Why Age Keyring over Alternatives?

sops supports multiple backends. We strictly use Age:

Comparison Table

| Tool | Encrypts | Diffable | Infra Needed | GitOps Friendly |
|---|---|---|---|---|
| SOPS + Age | Values only | Yes | None | Excellent |
| Sealed Secrets | Whole k8s Secret | No | Cluster controller | K8s only |
| External Secrets | At runtime | N/A | Vault/KMS + controller | Yes, online only |
| git-crypt | Whole files | No | GPG keyring | Limited |
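What "Values only" and "Diffable: Yes" mean in practice, as an added Go example (written for this page, not sops' own code): every scalar leaf of a JSON document is encrypted under the file's data key while the keys and nesting stay in plaintext, so a `git diff` still shows which setting changed even though no value is readable. Each leaf's key path is used as additional authenticated data, so a ciphertext moved under another key is rejected on decryption; sops binds values to their path the same way. Assumptions: the `ENC[AES256_GCM,data:...,iv:...]` marker only imitates sops' notation (the real format records the GCM tag and value type separately and adds a MAC over the whole file), the DEK is taken as a raw 32-byte input rather than unwrapped from the `sops` metadata, and the function names and the `db`/`password` sample document are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// newGCM builds AES-256-GCM from the 32-byte data encryption key (the DEK that sops would have
// wrapped to the Age master keys in the file's metadata block).
func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealValue encrypts one scalar leaf. Its key path is additional authenticated data, so a
// ciphertext pasted under a different key fails to decrypt; sops binds values to their path the
// same way. The ENC[...] marker imitates sops' notation only loosely: the real format records the
// GCM tag and value type as separate fields and adds a MAC over the whole file.
func sealValue(aead cipher.AEAD, path string, leaf any) (any, error) {
	text, err := json.Marshal(leaf) // JSON encoding carries the leaf's type through the round trip
	if err != nil { return nil, err }
	iv := make([]byte, aead.NonceSize())
	if _, err := rand.Read(iv); err != nil { return nil, err }
	b64 := base64.StdEncoding.EncodeToString
	ct := aead.Seal(nil, iv, text, []byte(path))
	return fmt.Sprintf("ENC[AES256_GCM,data:%s,iv:%s]", b64(ct), b64(iv)), nil
}

// openValue parses an ENC[...] string, verifies it against its path, and restores the leaf.
func openValue(aead cipher.AEAD, path string, leaf any) (any, error) {
	enc, _ := leaf.(string)
	inner, ok := strings.CutPrefix(enc, "ENC[AES256_GCM,")
	if !ok || !strings.HasSuffix(inner, "]") { return nil, fmt.Errorf("%s: not an encrypted value", path) }
	fields := map[string]string{}
	for _, kv := range strings.Split(strings.TrimSuffix(inner, "]"), ",") {
		k, v, _ := strings.Cut(kv, ":")
		fields[k] = v
	}
	ct, errData := base64.StdEncoding.DecodeString(fields["data"])
	iv, errIV := base64.StdEncoding.DecodeString(fields["iv"])
	if errData != nil || errIV != nil { return nil, fmt.Errorf("%s: malformed base64", path) }
	text, err := aead.Open(nil, iv, ct, []byte(path)) // fails on wrong DEK, tampering, or a moved value
	if err != nil { return nil, fmt.Errorf("%s: %w", path, err) }
	var out any
	err = json.Unmarshal(text, &out)
	return out, err
}

// walk rebuilds the document, calling fn on each scalar leaf with its dotted key path (for example
// "db.password"). Keys and nesting stay in plaintext, which is what keeps the file diffable.
func walk(node any, path string, fn func(string, any) (any, error)) (any, error) {
	switch n := node.(type) {
	case map[string]any:
		out := make(map[string]any, len(n))
		for k, v := range n {
			r, err := walk(v, path+k+".", fn)
			if err != nil { return nil, err }
			out[k] = r
		}
		return out, nil
	case []any:
		out := make([]any, len(n))
		for i, v := range n {
			r, err := walk(v, fmt.Sprintf("%s%d.", path, i), fn)
			if err != nil { return nil, err }
			out[i] = r
		}
		return out, nil
	}
	return fn(strings.TrimSuffix(path, "."), node)
}

func transform(doc, dek []byte, fn func(cipher.AEAD, string, any) (any, error)) ([]byte, error) {
	aead, err := newGCM(dek)
	if err != nil { return nil, err }
	var v any
	if err := json.Unmarshal(doc, &v); err != nil { return nil, err }
	out, err := walk(v, "", func(p string, leaf any) (any, error) { return fn(aead, p, leaf) })
	if err != nil { return nil, err }
	return json.MarshalIndent(out, "", "  ")
}

// EncryptJSON encrypts every leaf of doc under dek; DecryptJSON reverses it with the same dek.
func EncryptJSON(doc, dek []byte) ([]byte, error) { return transform(doc, dek, sealValue) }
func DecryptJSON(doc, dek []byte) ([]byte, error) { return transform(doc, dek, openValue) }
```

This is the property that separates the first row of the table from git-crypt: a whole-file ciphertext changes completely on every edit, whereas a values-only file keeps a stable, reviewable skeleton and only the edited leaf's `ENC[...]` string moves in the diff.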