In the past, I’ve used Ansible secrets, HashiCorp Vault, etc., but this looks a lot more flexible.
SOPS is written in Go and connects to a number of secrets managers from the major cloud providers, as well as local tools like PGP and age.
One super useful feature is the flag that computes the MAC over only the encrypted values. This allows the rest of the file to be edited with a standard editor without worrying about re-encrypting every time. Since config files will be stored in Git for most of my use cases, I think we can rely on Git to verify the integrity of the config file.
.sops.yaml
# Encrypt only fields that contain sensitive data
creation_rules:
  # For all YAML files in the repository
  - path_regex: \.yaml$
    # Encrypt fields whose names match this regex; the (?i) prefix makes
    # the match case-insensitive, so DB_PASSWORD is caught as well as db_password
    encrypted_regex: "(?i)^(.*password.*|.*secret.*|.*key.*|.*token.*|smtp_user)$"
    # Only MAC encrypted fields. This allows the rest of the file to change
    # without using SOPS to edit it.
    mac_only_encrypted: true
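The difference this rule makes is easiest to see by doing the edit both ways. The script below is an added example, not part of the original post: it encrypts the same file once with SOPS' default MAC (covering every value, plaintext ones included) and once with `--mac-only-encrypted`, edits an unencrypted field in each copy with `sed` as a plain editor would, and then asks SOPS to decrypt. It assumes `sops` (3.8 or newer, where the flag appeared) and `age-keygen` are on `PATH`; because the rule above names no key, the recipient is passed with `--age`. The file names and field values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the post's own code): show what SOPS' MAC covers by
# default versus with --mac-only-encrypted. Assumes `sops` >= 3.8 and
# `age-keygen` are installed. File names and values below are constructed.
set -eu

# Same field-name pattern as the .sops.yaml rule above.
ENCRYPTED_REGEX='(?i)^(.*password.*|.*secret.*|.*key.*|.*token.*|smtp_user)$'

# Encrypt $src into $out with any extra sops flags, then change a field that
# sops left in plaintext, the way a normal editor would. Prints "ok" if sops
# still decrypts the edited file and "mac-mismatch" if it refuses.
edit_after_encrypt() {
    keyfile=$1; recipient=$2; src=$3; out=$4; shift 4
    sops --encrypt --age "$recipient" --encrypted-regex "$ENCRYPTED_REGEX" "$@" "$src" > "$out"
    # db_host is not matched by the regex, so it is stored in the clear.
    # Portable in-place edit (no `sed -i`, which differs between GNU and BSD).
    sed 's/^db_host: .*/db_host: replica.internal/' "$out" > "$out.tmp" && mv "$out.tmp" "$out"
    if SOPS_AGE_KEY_FILE=$keyfile sops --decrypt "$out" > "$out.dec" 2>/dev/null; then
        echo ok
    else
        echo mac-mismatch
    fi
}

# Runs both variants in a scratch directory and prints the two verdicts on
# one line: "<default MAC> <mac_only_encrypted>". Expected: "mac-mismatch ok".
mac_only_encrypted_demo() {
    work=$(mktemp -d)
    age-keygen -o "$work/key.txt" 2>/dev/null
    recipient=$(age-keygen -y "$work/key.txt")
    cat > "$work/config.yaml" <<'EOF'
db_host: primary.internal
db_password: hunter2
EOF
    default=$(edit_after_encrypt "$work/key.txt" "$recipient" "$work/config.yaml" "$work/default.yaml")
    mac_only=$(edit_after_encrypt "$work/key.txt" "$recipient" "$work/config.yaml" "$work/mac_only.yaml" --mac-only-encrypted)
    rm -rf "$work"
    echo "$default $mac_only"
}

if command -v sops >/dev/null 2>&1 && command -v age-keygen >/dev/null 2>&1; then
    mac_only_encrypted_demo
else
    echo "sops and age-keygen are required for this demo" >&2
fi
```

With the default MAC, SOPS rejects the edited file ("MAC mismatch") because the hash covered `db_host` too; with `mac_only_encrypted`, the same edit goes through and `db_password` is still protected by its own authenticated ciphertext. The trade-off is exactly the one the post accepts: once the MAC only covers encrypted values, tampering with plaintext fields is no longer something SOPS will notice, so integrity of the rest of the file rests on the repository history.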