Skip to content

Commit e08d227

Browse files
committed
Use new subcommands in README and examples.
Signed-off-by: Felix Fontein <[email protected]>
1 parent 11cf377 commit e08d227

File tree

6 files changed

+35
-35
lines changed

6 files changed

+35
-35
lines changed

README.rst

Lines changed: 28 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -154,7 +154,7 @@ To decrypt a file in a ``cat`` fashion, use the ``-d`` flag:
154154

155155
.. code:: sh
156156
157-
$ sops -d mynewtestfile.yaml
157+
$ sops decrypt mynewtestfile.yaml
158158
159159
SOPS encrypted files contain the necessary information to decrypt their content.
160160
All a user of SOPS needs is valid AWS credentials and the necessary
@@ -195,7 +195,7 @@ the ``--age`` option or the **SOPS_AGE_RECIPIENTS** environment variable:
195195

196196
.. code:: sh
197197
198-
$ sops --encrypt --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml
198+
$ sops encrypt --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml
199199
200200
When decrypting a file with the corresponding identity, SOPS will look for a
201201
text file name ``keys.txt`` located in a ``sops`` subdirectory of your user
@@ -245,11 +245,11 @@ sdk:
245245
246246
Now you can encrypt a file using::
247247

248-
$ sops --encrypt --gcp-kms projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key test.yaml > test.enc.yaml
248+
$ sops encrypt --gcp-kms projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key test.yaml > test.enc.yaml
249249

250250
And decrypt it using::
251251

252-
$ sops --decrypt test.enc.yaml
252+
$ sops decrypt test.enc.yaml
253253

254254
Encrypting using Azure Key Vault
255255
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -319,11 +319,11 @@ from the commandline:
319319
320320
Now you can encrypt a file using::
321321

322-
$ sops --encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/some-string test.yaml > test.enc.yaml
322+
$ sops encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/some-string test.yaml > test.enc.yaml
323323

324324
And decrypt it using::
325325

326-
$ sops --decrypt test.enc.yaml
326+
$ sops decrypt test.enc.yaml
327327

328328

329329
Encrypting using Hashicorp Vault
@@ -374,7 +374,7 @@ To easily deploy Vault locally: (DO NOT DO THIS FOR PRODUCTION!!!)
374374
$ vault write sops/keys/thirdkey type=chacha20-poly1305
375375
Success! Data written to: sops/keys/thirdkey
376376
377-
$ sops --encrypt --hc-vault-transit $VAULT_ADDR/v1/sops/keys/firstkey vault_example.yml
377+
$ sops encrypt --hc-vault-transit $VAULT_ADDR/v1/sops/keys/firstkey vault_example.yml
378378
379379
$ cat <<EOF > .sops.yaml
380380
creation_rules:
@@ -384,7 +384,7 @@ To easily deploy Vault locally: (DO NOT DO THIS FOR PRODUCTION!!!)
384384
hc_vault_transit_uri: "$VAULT_ADDR/v1/sops/keys/thirdkey"
385385
EOF
386386
387-
$ sops --verbose -e prod/raw.yaml > prod/encrypted.yaml
387+
$ sops encrypt --verbose prod/raw.yaml > prod/encrypted.yaml
388388
389389
Adding and removing keys
390390
~~~~~~~~~~~~~~~~~~~~~~~~
@@ -839,7 +839,7 @@ You can then decrypt the file the same way as with any other SOPS file:
839839
840840
.. code:: sh
841841
842-
$ sops -d example.json
842+
$ sops decrypt example.json
843843
844844
Key service
845845
~~~~~~~~~~~
@@ -879,14 +879,14 @@ service exposed on the unix socket located in ``/tmp/sops.sock``, you can run:
879879
880880
.. code:: sh
881881
882-
$ sops --keyservice unix:///tmp/sops.sock -d file.yaml`
882+
$ sops decrypt --keyservice unix:///tmp/sops.sock file.yaml`
883883
884884
And if you only want to use the key service exposed on the unix socket located
885885
in ``/tmp/sops.sock`` and not the local key service, you can run:
886886
887887
.. code:: sh
888888
889-
$ sops --enable-local-keyservice=false --keyservice unix:///tmp/sops.sock -d file.yaml
889+
$ sops decrypt --enable-local-keyservice=false --keyservice unix:///tmp/sops.sock file.yaml
890890
891891
Auditing
892892
~~~~~~~~
@@ -953,7 +953,7 @@ written to disk.
953953
.. code:: sh
954954
955955
# print secrets to stdout to confirm values
956-
$ sops -d out.json
956+
$ sops decrypt out.json
957957
{
958958
"database_password": "jf48t9wfw094gf4nhdf023r",
959959
"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
@@ -1103,7 +1103,7 @@ Below is an example of publishing to Vault (using token auth with a local dev in
11031103
11041104
$ export VAULT_TOKEN=...
11051105
$ export VAULT_ADDR='http://127.0.0.1:8200'
1106-
$ sops -d vault/test.yaml
1106+
$ sops decrypt vault/test.yaml
11071107
example_string: bar
11081108
example_number: 42
11091109
example_map:
@@ -1144,23 +1144,23 @@ extension after encrypting a file. For example:
11441144
11451145
.. code:: sh
11461146
1147-
$ sops -e -i myfile.json
1148-
$ sops -d myfile.json
1147+
$ sops encrypt -i myfile.json
1148+
$ sops decrypt myfile.json
11491149
11501150
If you want to change the extension of the file once encrypted, you need to provide
11511151
``sops`` with the ``--input-type`` flag upon decryption. For example:
11521152
11531153
.. code:: sh
11541154
1155-
$ sops -e myfile.json > myfile.json.enc
1155+
$ sops encrypt myfile.json > myfile.json.enc
11561156
1157-
$ sops -d --input-type json myfile.json.enc
1157+
$ sops decrypt --input-type json myfile.json.enc
11581158
11591159
When operating on stdin, use the ``--input-type`` and ``--output-type`` flags as follows:
11601160
11611161
.. code:: sh
11621162
1163-
$ cat myfile.json | sops --input-type json --output-type json -d /dev/stdin
1163+
$ cat myfile.json | sops decrypt --input-type json --output-type json /dev/stdin
11641164
11651165
YAML anchors
11661166
~~~~~~~~~~~~
@@ -1276,13 +1276,13 @@ encrypt the file, and redirect the output to a destination file.
12761276
12771277
$ export SOPS_KMS_ARN="arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500"
12781278
$ export SOPS_PGP_FP="C9CAB0AF1165060DB58D6D6B2653B624D620786D"
1279-
$ sops -e /path/to/existing/file.yaml > /path/to/new/encrypted/file.yaml
1279+
$ sops encrypt /path/to/existing/file.yaml > /path/to/new/encrypted/file.yaml
12801280
12811281
Decrypt the file with ``-d``.
12821282
12831283
.. code:: sh
12841284
1285-
$ sops -d /path/to/new/encrypted/file.yaml
1285+
$ sops decrypt /path/to/new/encrypted/file.yaml
12861286
12871287
Encrypt or decrypt a file in place
12881288
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -1293,9 +1293,9 @@ original file after encrypting or decrypting it.
12931293
.. code:: sh
12941294
12951295
# file.yaml is in cleartext
1296-
$ sops -e -i /path/to/existing/file.yaml
1296+
$ sops encrypt -i /path/to/existing/file.yaml
12971297
# file.yaml is now encrypted
1298-
$ sops -d -i /path/to/existing/file.yaml
1298+
$ sops decrypt -i /path/to/existing/file.yaml
12991299
# file.yaml is back in cleartext
13001300
13011301
Encrypting binary files
@@ -1322,10 +1322,10 @@ In-place encryption/decryption also works on binary files.
13221322
$ sha512sum /tmp/somerandom
13231323
9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom
13241324
1325-
$ sops -e -i /tmp/somerandom
1325+
$ sops encrypt -i /tmp/somerandom
13261326
please wait while a data encryption key is being generated and stored securely
13271327
1328-
$ sops -d -i /tmp/somerandom
1328+
$ sops decrypt -i /tmp/somerandom
13291329
13301330
$ sha512sum /tmp/somerandom
13311331
9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom
@@ -1339,7 +1339,7 @@ values, like keys, without needing an extra parser.
13391339
13401340
.. code:: sh
13411341
1342-
$ sops -d --extract '["app2"]["key"]' ~/git/svc/sops/example.yaml
1342+
$ sops decrypt --extract '["app2"]["key"]' ~/git/svc/sops/example.yaml
13431343
-----BEGIN RSA PRIVATE KEY-----
13441344
MIIBPAIBAAJBAPTMNIyHuZtpLYc7VsHQtwOkWYobkUblmHWRmbXzlAX6K8tMf3Wf
13451345
ImcbNkqAKnELzFAPSBeEMhrBN0PyOC9lYlMCAwEAAQJBALXD4sjuBn1E7Y9aGiMz
@@ -1356,7 +1356,7 @@ them.
13561356
13571357
.. code:: sh
13581358
1359-
$ sops -d --extract '["an_array"][1]' ~/git/svc/sops/example.yaml
1359+
$ sops decrypt --extract '["an_array"][1]' ~/git/svc/sops/example.yaml
13601360
secretuser2
13611361
13621362
Set a sub-part in a document tree
@@ -1439,7 +1439,7 @@ keys that match the supplied regular expression. For example, this command:
14391439
14401440
.. code:: sh
14411441
1442-
$ sops --encrypt --encrypted-regex '^(data|stringData)$' k8s-secrets.yaml
1442+
$ sops encrypt --encrypted-regex '^(data|stringData)$' k8s-secrets.yaml
14431443
14441444
will encrypt the values under the ``data`` and ``stringData`` keys in a YAML file
14451445
containing kubernetes secrets. It will not encrypt other values that help you to
@@ -1451,7 +1451,7 @@ that match the supplied regular expression. For example, this command:
14511451
14521452
.. code:: sh
14531453
1454-
$ sops --encrypt --unencrypted-regex '^(description|metadata)$' k8s-secrets.yaml
1454+
$ sops encrypt --unencrypted-regex '^(description|metadata)$' k8s-secrets.yaml
14551455
14561456
will not encrypt the values under the ``description`` and ``metadata`` keys in a YAML file
14571457
containing kubernetes secrets, while encrypting everything else.

cmd/sops/main.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -124,7 +124,7 @@ func main() {
124124
125125
The -p, -k, --gcp-kms, --hc-vault-transit and --azure-kv flags are only used to encrypt new documents. Editing
126126
or decrypting existing documents can be done with "sops file" or
127-
"sops -d file" respectively. The KMS and PGP keys listed in the encrypted
127+
"sops decrypt file" respectively. The KMS and PGP keys listed in the encrypted
128128
documents are used then. To manage master keys in existing documents, use
129129
the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags.
130130

examples/all_in_one/README.rst

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@ In both development and production, we will be storing the secrets file unencryp
4242

4343
As peace of mind, think about this:
4444

45-
- Unencrypted on disk is fine because if the attacker ever gains access to the server, then they can run ``sops --decrypt`` as well.
45+
- Unencrypted on disk is fine because if the attacker ever gains access to the server, then they can run ``sops decrypt`` as well.
4646

4747
Files
4848
-----
@@ -69,7 +69,7 @@ For testing in a public CI, we can copy ``secret.enc.json`` to ``secret.json``.
6969

7070
..
7171
72-
For convenience, we can run ``CONFIG_COPY_ONLY=TRUE bin/decrypt-config.sh`` which will use ``cp`` rather than ``sops --decrypt``.
72+
For convenience, we can run ``CONFIG_COPY_ONLY=TRUE bin/decrypt-config.sh`` which will use ``cp`` rather than ``sops decrypt``.
7373

7474
For testing in a private CI where we need private information, see the `Production instructions <#production>`_.
7575

examples/all_in_one/bin/decrypt-config.sh

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,6 @@ for file in $secret_files; do
1717
cp "$src_file" "$target_file"
1818
# Otherwise, decrypt it
1919
else
20-
sops --decrypt "$src_file" > "$target_file"
20+
sops decrypt "$src_file" > "$target_file"
2121
fi
2222
done

examples/per_file/README.rst

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@ In both development and production, we will be storing the secrets file unencryp
4747

4848
As peace of mind, think about this:
4949

50-
- Unencrypted on disk is fine because if the attacker ever gains access to the server, then they can run ``sops --decrypt`` as well.
50+
- Unencrypted on disk is fine because if the attacker ever gains access to the server, then they can run ``sops decrypt`` as well.
5151

5252
Files
5353
-----
@@ -78,7 +78,7 @@ For testing in a public CI, we can copy ``config.enc`` to ``config``. The secret
7878

7979
..
8080
81-
For convenience, we can run ``CONFIG_COPY_ONLY=TRUE bin/decrypt-config.sh`` which will use ``ln -s`` rather than ``sops --decrypt``.
81+
For convenience, we can run ``CONFIG_COPY_ONLY=TRUE bin/decrypt-config.sh`` which will use ``ln -s`` rather than ``sops decrypt``.
8282

8383
For testing in a private CI where we need private information, see the `Production instructions <#production>`_.
8484

examples/per_file/bin/decrypt-config.sh

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ for src_file in config.enc/*; do
2525
# If the file is our secret, then decrypt it
2626
if echo "$src_filename" | grep -E "${secret_ext}$" &&
2727
test "$CONFIG_COPY_ONLY" != "TRUE"; then
28-
sops --decrypt "$src_file" > "$target_file"
28+
sops decrypt "$src_file" > "$target_file"
2929
# Otherwise, symlink to the original file
3030
else
3131
ln -s "../$src_file" "$target_file"

0 commit comments

Comments
 (0)