@@ -154,7 +154,7 @@ To decrypt a file in a ``cat`` fashion, use the ``-d`` flag:
154
154
155
155
.. code :: sh
156
156
157
- $ sops -d mynewtestfile.yaml
157
+ $ sops decrypt mynewtestfile.yaml
158
158
159
159
SOPS encrypted files contain the necessary information to decrypt their content.
160
160
All a user of SOPS needs is valid AWS credentials and the necessary
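Review bot: The sentence that introduces this block still tells the reader to use the ``-d`` flag (it is visible in the hunk header: "To decrypt a file in a ``cat`` fashion, use the ``-d`` flag:"), while the command under it now reads ``sops decrypt mynewtestfile.yaml``. Update that sentence in the same change, for example to "use the ``decrypt`` command", so the prose and the example agree.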
@@ -195,7 +195,7 @@ the ``--age`` option or the **SOPS_AGE_RECIPIENTS** environment variable:
195
195
196
196
.. code :: sh
197
197
198
- $ sops -- encrypt --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml
198
+ $ sops encrypt --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml
199
199
200
200
When decrypting a file with the corresponding identity, SOPS will look for a
201
201
text file name ``keys.txt `` located in a ``sops `` subdirectory of your user
@@ -245,11 +245,11 @@ sdk:
245
245
246
246
Now you can encrypt a file using::
247
247
248
- $ sops -- encrypt --gcp-kms projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key test.yaml > test.enc.yaml
248
+ $ sops encrypt --gcp-kms projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key test.yaml > test.enc.yaml
249
249
250
250
And decrypt it using::
251
251
252
- $ sops -- decrypt test.enc.yaml
252
+ $ sops decrypt test.enc.yaml
253
253
254
254
Encrypting using Azure Key Vault
255
255
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -319,11 +319,11 @@ from the commandline:
319
319
320
320
Now you can encrypt a file using::
321
321
322
- $ sops -- encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/some-string test.yaml > test.enc.yaml
322
+ $ sops encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/some-string test.yaml > test.enc.yaml
323
323
324
324
And decrypt it using::
325
325
326
- $ sops -- decrypt test.enc.yaml
326
+ $ sops decrypt test.enc.yaml
327
327
328
328
329
329
Encrypting using Hashicorp Vault
@@ -374,7 +374,7 @@ To easily deploy Vault locally: (DO NOT DO THIS FOR PRODUCTION!!!)
374
374
$ vault write sops/keys/thirdkey type=chacha20-poly1305
375
375
Success! Data written to: sops/keys/thirdkey
376
376
377
- $ sops -- encrypt --hc-vault-transit $VAULT_ADDR /v1/sops/keys/firstkey vault_example.yml
377
+ $ sops encrypt --hc-vault-transit $VAULT_ADDR /v1/sops/keys/firstkey vault_example.yml
378
378
379
379
$ cat << EOF > .sops.yaml
380
380
creation_rules:
@@ -384,7 +384,7 @@ To easily deploy Vault locally: (DO NOT DO THIS FOR PRODUCTION!!!)
384
384
hc_vault_transit_uri: "$VAULT_ADDR /v1/sops/keys/thirdkey"
385
385
EOF
386
386
387
- $ sops --verbose -e prod/raw.yaml > prod/encrypted.yaml
387
+ $ sops encrypt --verbose prod/raw.yaml > prod/encrypted.yaml
388
388
389
389
Adding and removing keys
390
390
~~~~~~~~~~~~~~~~~~~~~~~~
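Review bot: On the ``+`` line, ``--verbose`` moves from before the operation (``sops --verbose -e``) to after the subcommand (``sops encrypt --verbose``), so this is a change of flag position and not only a rename of ``-e``. Please confirm that the ``encrypt`` subcommand accepts ``--verbose`` in that position, and mention the reordering in the commit message, since the key service examples further down are moved the same way.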
@@ -839,7 +839,7 @@ You can then decrypt the file the same way as with any other SOPS file:
839
839
840
840
.. code:: sh
841
841
842
- $ sops -d example.json
842
+ $ sops decrypt example.json
843
843
844
844
Key service
845
845
~~~~~~~~~~~
@@ -879,14 +879,14 @@ service exposed on the unix socket located in ``/tmp/sops.sock``, you can run:
879
879
880
880
.. code:: sh
881
881
882
- $ sops --keyservice unix:///tmp/sops.sock -d file.yaml`
882
+ $ sops decrypt --keyservice unix:///tmp/sops.sock file.yaml`
883
883
884
884
And if you only want to use the key service exposed on the unix socket located
885
885
in ` ` /tmp/sops.sock` ` and not the local key service, you can run:
886
886
887
887
.. code:: sh
888
888
889
- $ sops --enable-local-keyservice=false --keyservice unix:///tmp/sops.sock -d file.yaml
889
+ $ sops decrypt --enable-local-keyservice=false --keyservice unix:///tmp/sops.sock file.yaml
890
890
891
891
Auditing
892
892
~ ~~~~~~~
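Review bot: The first ``+`` line still ends with a stray backtick after ``file.yaml``, carried over from the removed line. Inside a ``.. code:: sh`` block it is rendered literally, and a reader who copies the command into a shell gets an unterminated command substitution. Drop the trailing backtick while this line is being touched.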
@@ -953,7 +953,7 @@ written to disk.
953
953
.. code:: sh
954
954
955
955
# print secrets to stdout to confirm values
956
- $ sops -d out.json
956
+ $ sops decrypt out.json
957
957
{
958
958
"database_password": "jf48t9wfw094gf4nhdf023r",
959
959
"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
@@ -1103,7 +1103,7 @@ Below is an example of publishing to Vault (using token auth with a local dev in
1103
1103
1104
1104
$ export VAULT_TOKEN=...
1105
1105
$ export VAULT_ADDR=' http://127.0.0.1:8200'
1106
- $ sops -d vault/test.yaml
1106
+ $ sops decrypt vault/test.yaml
1107
1107
example_string: bar
1108
1108
example_number: 42
1109
1109
example_map:
@@ -1144,23 +1144,23 @@ extension after encrypting a file. For example:
1144
1144
1145
1145
.. code:: sh
1146
1146
1147
- $ sops -e -i myfile.json
1148
- $ sops -d myfile.json
1147
+ $ sops encrypt -i myfile.json
1148
+ $ sops decrypt myfile.json
1149
1149
1150
1150
If you want to change the extension of the file once encrypted, you need to provide
1151
1151
` ` sops` ` with the ` ` --input-type` ` flag upon decryption. For example:
1152
1152
1153
1153
.. code:: sh
1154
1154
1155
- $ sops -e myfile.json > myfile.json.enc
1155
+ $ sops encrypt myfile.json > myfile.json.enc
1156
1156
1157
- $ sops -d --input-type json myfile.json.enc
1157
+ $ sops decrypt --input-type json myfile.json.enc
1158
1158
1159
1159
When operating on stdin, use the ` ` --input-type` ` and ` ` --output-type` ` flags as follows:
1160
1160
1161
1161
.. code:: sh
1162
1162
1163
- $ cat myfile.json | sops --input-type json --output-type json -d /dev/stdin
1163
+ $ cat myfile.json | sops decrypt --input-type json --output-type json /dev/stdin
1164
1164
1165
1165
YAML anchors
1166
1166
~ ~~~~~~~~~~~
@@ -1276,13 +1276,13 @@ encrypt the file, and redirect the output to a destination file.
1276
1276
1277
1277
$ export SOPS_KMS_ARN="arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500"
1278
1278
$ export SOPS_PGP_FP="C9CAB0AF1165060DB58D6D6B2653B624D620786D"
1279
- $ sops -e /path/to/existing/file.yaml > /path/to/new/encrypted/file.yaml
1279
+ $ sops encrypt /path/to/existing/file.yaml > /path/to/new/encrypted/file.yaml
1280
1280
1281
1281
Decrypt the file with ``-d``.
1282
1282
1283
1283
.. code:: sh
1284
1284
1285
- $ sops -d /path/to/new/encrypted/file.yaml
1285
+ $ sops decrypt /path/to/new/encrypted/file.yaml
1286
1286
1287
1287
Encrypt or decrypt a file in place
1288
1288
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
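Review bot: The context sentence "Decrypt the file with ``-d``." directly above the second changed command is left as it was, but the example it introduces now uses ``sops decrypt``. Reword it in this patch, for example "Decrypt the file with ``decrypt``.", so the README does not describe a flag that the example no longer shows.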
@@ -1293,9 +1293,9 @@ original file after encrypting or decrypting it.
1293
1293
.. code:: sh
1294
1294
1295
1295
# file.yaml is in cleartext
1296
- $ sops -e -i /path/to/existing/file.yaml
1296
+ $ sops encrypt -i /path/to/existing/file.yaml
1297
1297
# file.yaml is now encrypted
1298
- $ sops -d -i /path/to/existing/file.yaml
1298
+ $ sops decrypt -i /path/to/existing/file.yaml
1299
1299
# file.yaml is back in cleartext
1300
1300
1301
1301
Encrypting binary files
@@ -1322,10 +1322,10 @@ In-place encryption/decryption also works on binary files.
1322
1322
$ sha512sum /tmp/somerandom
1323
1323
9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom
1324
1324
1325
- $ sops -e -i /tmp/somerandom
1325
+ $ sops encrypt -i /tmp/somerandom
1326
1326
please wait while a data encryption key is being generated and stored securely
1327
1327
1328
- $ sops -d -i /tmp/somerandom
1328
+ $ sops decrypt -i /tmp/somerandom
1329
1329
1330
1330
$ sha512sum /tmp/somerandom
1331
1331
9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom
@@ -1339,7 +1339,7 @@ values, like keys, without needing an extra parser.
1339
1339
1340
1340
.. code:: sh
1341
1341
1342
- $ sops -d --extract ' [" app2" ][" key" ]' ~/git/svc/sops/example.yaml
1342
+ $ sops decrypt --extract ' [" app2" ][" key" ]' ~/git/svc/sops/example.yaml
1343
1343
-----BEGIN RSA PRIVATE KEY-----
1344
1344
MIIBPAIBAAJBAPTMNIyHuZtpLYc7VsHQtwOkWYobkUblmHWRmbXzlAX6K8tMf3Wf
1345
1345
ImcbNkqAKnELzFAPSBeEMhrBN0PyOC9lYlMCAwEAAQJBALXD4sjuBn1E7Y9aGiMz
@@ -1356,7 +1356,7 @@ them.
1356
1356
1357
1357
.. code:: sh
1358
1358
1359
- $ sops -d --extract ' [" an_array" ][1]' ~/git/svc/sops/example.yaml
1359
+ $ sops decrypt --extract ' [" an_array" ][1]' ~/git/svc/sops/example.yaml
1360
1360
secretuser2
1361
1361
1362
1362
Set a sub-part in a document tree
@@ -1439,7 +1439,7 @@ keys that match the supplied regular expression. For example, this command:
1439
1439
1440
1440
.. code:: sh
1441
1441
1442
- $ sops -- encrypt --encrypted-regex ' ^(data| stringData)$' k8s-secrets.yaml
1442
+ $ sops encrypt --encrypted-regex ' ^(data| stringData)$' k8s-secrets.yaml
1443
1443
1444
1444
will encrypt the values under the ``data`` and ``stringData`` keys in a YAML file
1445
1445
containing kubernetes secrets. It will not encrypt other values that help you to
@@ -1451,7 +1451,7 @@ that match the supplied regular expression. For example, this command:
1451
1451
1452
1452
.. code:: sh
1453
1453
1454
- $ sops -- encrypt --unencrypted-regex ' ^(description|metadata)$' k8s-secrets.yaml
1454
+ $ sops encrypt --unencrypted-regex ' ^(description|metadata)$' k8s-secrets.yaml
1455
1455
1456
1456
will not encrypt the values under the ` ` description` ` and ` ` metadata` ` keys in a YAML file
1457
1457
containing kubernetes secrets, while encrypting everything else.