sops for Encrypted Secrets in Git
sops encrypts files for git storage.
Usage
SOPS (Secrets OPerationS) is a tool for encrypting secrets stored in git. The discipline is keeping configuration in git while protecting the secret values: SOPS encrypts the values and leaves the structure visible.
What basic usage looks like:
- sops --encrypt --kms <key-arn> file.yaml encrypts a file: The command encrypts the file's values with the specified KMS key (the key identifier is a placeholder here). The encrypted file can be committed; the values are protected and the structure stays visible.
- Key in AWS KMS or similar: The encryption key lives in the cloud KMS. AWS KMS, GCP KMS and Azure Key Vault are all supported; the discipline integrates with cloud key management.
- Encrypted file safe to commit: The encrypted file in git is safe. Only those with KMS access can decrypt; the discipline produces git-friendly secret management.
- Per-value encryption: SOPS encrypts values, not the entire file. Keys, comments and structure all stay visible, so the diff in git is meaningful.
- Multi-key support: Multiple KMS keys can encrypt the same file. Different teams hold different keys; the discipline supports access control.
SOPS usage is bounded. The team's investment produces git-friendly secret management.
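A pre-commit check for the "encrypted file safe to commit" point above, added here as an example and not part of this page or of the SOPS project: it walks a SOPS-encrypted JSON document and reports any leaf value that is not an ENC[...] ciphertext, honouring SOPS's default `_unencrypted` key suffix. The sample document, its ciphertext bytes and the key ARN are constructed placeholders.

```python
import json
import re

# A value SOPS has encrypted looks like ENC[AES256_GCM,data:<b64>,iv:<b64>,tag:<b64>,type:<t>]
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:(str|int|float|bool)\]$")
KEY_SOURCES = ("kms", "gcp_kms", "azure_kv", "hc_vault", "age", "pgp")  # sops metadata key sources
UNENCRYPTED_SUFFIX = "_unencrypted"  # SOPS's default unencrypted_suffix

def plaintext_leaves(node, path=""):
    """Yield the path of every leaf value that is not a SOPS ENC[...] string."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.endswith(UNENCRYPTED_SUFFIX):
                continue  # SOPS deliberately leaves this subtree in the clear
            yield from plaintext_leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from plaintext_leaves(value, f"{path}[{i}]")
    elif not (node is None or (isinstance(node, str) and ENC_RE.match(node))):
        yield path  # ints, bools and bare strings are plaintext

def check_sops_file(text):
    """Return a list of problems; an empty list means the file is safe to commit."""
    doc = json.loads(text)
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        return ["no 'sops' metadata block: file is not SOPS-encrypted"]
    problems = []
    if not any(meta.get(source) for source in KEY_SOURCES):
        problems.append("sops metadata lists no key source")
    if "mac" not in meta:
        problems.append("sops metadata has no mac, so integrity cannot be verified")
    body = {k: v for k, v in doc.items() if k != "sops"}
    problems += [f"plaintext value at {p}" for p in plaintext_leaves(body)]
    return problems

# Constructed sample: the shape of a SOPS-encrypted JSON file; ciphertext and key ARN are fake.
ENCRYPTED_DOC = json.dumps({
    "db": {
        "host_unencrypted": "db.internal.example",
        "password": "ENC[AES256_GCM,data:c2VjcmV0,iv:aXY=,tag:dGFn,type:str]",
        "port": "ENC[AES256_GCM,data:NTQzMg==,iv:aXY=,tag:dGFn,type:int]",
    },
    "sops": {
        "kms": [{"arn": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER", "enc": "PLACEHOLDER"}],
        "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]",
    },
})
# Constructed mistake: a value added after encryption and never re-encrypted.
LEAKED_DOC = ENCRYPTED_DOC.replace('"port":', '"api_key": "hunter2-constructed", "port":')
```

Wired into a pre-commit hook, `check_sops_file` catches the common failure of editing an encrypted file by hand and committing a value in the clear.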
Decrypt
Decryption requires KMS access. CI pipelines that need the secrets decrypt them at run time; the discipline is access-controlled.
- sops --decrypt file.enc.yaml decrypts a file: The command writes the plaintext to stdout; with --in-place it overwrites the file instead. The plaintext is produced and the team can read or use it.
- CI uses KMS access to decrypt: CI pipelines run under IAM roles with KMS access. The pipeline decrypts secrets at deploy time; the discipline produces working applications.
- Local development decrypts too: Engineers with KMS access can decrypt locally. The discipline supports local development, and the access is granted per engineer.
- Decryption is logged: Every KMS decrypt call is logged by the key service. The team's audit trail captures who decrypted what and when; the discipline produces accountability.
- Per-key access controls: Different KMS keys have different access policies. The discipline matches the team's access model; not everyone can decrypt everything.
Decryption is the working part. The discipline is access-controlled and audited.
Alternatives
SOPS is one option among several. The discipline picks based on the team's needs and ecosystem.
- git-crypt for symmetric: git-crypt uses symmetric encryption. It is simpler than SOPS but less granular; it fits simpler needs.
- Vault for runtime secrets: Vault handles runtime secret access. The disciplines differ: SOPS is for git-stored secrets, Vault for application access.
- sops fits IaC and config workflows: The discipline matches infrastructure-as-code patterns. Configuration files with secrets, Terraform variables and Kubernetes manifests all benefit.
- Combine for full coverage: Some teams use SOPS for git-stored config and Vault for runtime secrets. The disciplines complement each other.
- Document the choice: The team's discipline is written down. New engineers understand which tool to use when, and consistency is preserved.
SOPS for secrets in git is one of those tooling disciplines that pays off in IaC workflows. Nova AI Ops integrates with secret management tools, surfaces patterns, and supports the team's secret discipline.