SOPS enables secure secret storage in version control by encrypting values while keeping keys readable. Understanding key providers, creation rules, and envelope encryption is essential for GitOps secret management.
1 / 5
What does SOPS (Secrets OPerationS) do to a YAML/JSON file containing secrets?
SOPS encrypts only the values in structured files (YAML/JSON/ENV/INI), leaving keys visible. This means diffs in git show which secrets changed (by key name) without revealing values. The file can be committed to version control safely — a core requirement for GitOps secret management workflows.
2 / 5
A developer runs sops --encrypt --age age1xyz... secrets.yaml > secrets.enc.yaml. What is age in this context?
age is a simple, modern file encryption tool (successor to GPG for many use cases) that SOPS supports as a key provider. It uses X25519 key exchange. The recipient's public key is specified with --age; decryption requires the corresponding private key. Age is preferred over GPG for its simplicity and modern cryptography.
3 / 5
A team configures .sops.yaml at the repository root. What is the purpose of this file?
.sops.yaml defines creation rules that map file path patterns to key providers. For example: path_regex: secrets/prod/.* → AWS KMS key; path_regex: secrets/dev/.* → age key. When running sops -e, SOPS auto-selects the correct keys based on the file path, eliminating the need to specify keys on every command.
4 / 5
How does SOPS enable key rotation without re-encrypting the plaintext data directly?
SOPS uses envelope encryption: plaintext is encrypted with a random Data Encryption Key (DEK), and the DEK itself is encrypted with each key provider. Key rotation only requires re-encrypting the DEK (a small operation), not all the data. The sops updatekeys command re-encrypts DEKs for new key providers.
5 / 5
A GitOps operator needs to decrypt SOPS secrets in a Kubernetes cluster without storing private keys in the cluster. Which tool is designed for this use case?
Flux CD has native SOPS integration: you store the age or GPG private key in a Kubernetes Secret, and Flux automatically decrypts SOPS-encrypted manifests before applying them. The private key lives in a cluster Secret (with RBAC restrictions) rather than in the git repository, balancing security with operational simplicity.