Difference between revisions of "Sops --help"

From wikieduonline
Jump to navigation Jump to search
 
(3 intermediate revisions by 2 users not shown)
Line 2: Line 2:
  
 
  [[sops]] --help
 
  [[sops]] --help
<pre>
 
NAME:
 
  sops - sops - encrypted file editor with AWS KMS, GCP KMS, Azure Key Vault, age, and GPG support
 
  
USAGE:
+
NAME:
  sops is an editor of encrypted files that supports AWS KMS and PGP
+
    sops - sops - encrypted file editor with [[AWS KMS]], [[GCP KMS]], [[Azure Key Vault]], [[age]], and [[GPG]] support
  
  To encrypt or decrypt a document with AWS KMS, specify the KMS ARN
+
USAGE:
  in the -k flag or in the SOPS_KMS_ARN environment variable.
+
    sops is an editor of encrypted files that supports AWS KMS and PGP
  (you need valid credentials in ~/.aws/credentials or in your env)
+
 +
    To encrypt or decrypt a document with AWS KMS, specify the KMS ARN
 +
    in the -k flag or in the SOPS_KMS_ARN environment variable.
 +
    (you need valid credentials in ~/.aws/credentials or in your env)
 +
 +
    To encrypt or decrypt a document with GCP KMS, specify the
 +
    GCP KMS resource ID in the --gcp-kms flag or in the SOPS_GCP_KMS_IDS
 +
    environment variable.
 +
    (you need to setup google application default credentials. See
 +
    https://developers.google.com/identity/protocols/application-default-credentials)
 +
 +
 +
    To encrypt or decrypt a document with HashiCorp Vault's Transit Secret Engine, specify the
 +
    Vault key URI name in the --hc-vault-transit flag or in the SOPS_VAULT_URIS environment variable (eg.
 +
https://vault.example.org:8200/v1/transit/keys/dev
 +
      where 'https://vault.example.org:8200' is the vault server, 'transit' the enginePath, and 'dev' is the name of the key )
 +
    environment variable.
 +
    (you need to enable the Transit Secrets Engine in Vault. See
 +
      https://www.vaultproject.io/docs/secrets/transit/index.html)
 +
 +
    To encrypt or decrypt a document with Azure Key Vault, specify the
 +
    Azure Key Vault key URL in the --azure-kv flag or in the SOPS_AZURE_KEYVAULT_URL
 +
    environment variable.
 +
    (authentication is based on environment variables, see
 +
    https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication.
 +
    The user/sp needs the key/encrypt and key/decrypt permissions)
 +
 +
    To encrypt or decrypt using age, specify the recipient in the -a flag, or
 +
    in the SOPS_AGE_RECIPIENTS environment variable.
 +
 +
    To encrypt or decrypt using PGP, specify the PGP fingerprint in the
 +
    -p flag or in the SOPS_PGP_FP environment variable.
 +
 +
    To use multiple KMS or PGP keys, separate them by commas. For example:
 +
        $ sops -p "10F2...0A, 85D...B3F21" file.yaml
 +
 +
    The -p, -k, --gcp-kms, --hc-vault-transit and --azure-kv flags are only used to encrypt new documents. Editing
 +
    or decrypting existing documents can be done with "sops file" or
 +
    "sops -d file" respectively. The KMS and PGP keys listed in the encrypted
 +
    documents are used then. To manage master keys in existing documents, use
 +
    the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags.
 +
 +
    To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC.
 +
 +
    To select a different editor than the default (vim), set EDITOR.
 +
 +
    For more information, see the README at github.com/mozilla/sops
 +
 +
VERSION:
 +
    3.7.3
 +
 +
AUTHORS:
 +
    AJ Bahnken <[email protected]>
 +
    Adrian Utrilla <[email protected]>
 +
    Julien Vehent <[email protected]>
 +
 +
COMMANDS:
 +
      [[sops exec-env|exec-env]]    execute a command with decrypted values inserted into the environment
 +
      [[sops exec-file|exec-file]]  execute a command with the decrypted contents as a temporary file
 +
      [[sops publish|publish]]    Publish sops file or directory to a configured destination
 +
      [[sops keyservice|keyservice]]  start a SOPS key service server
 +
      [[sops groups|groups]]      modify the groups on a SOPS file
 +
      [[sops updatekeys|updatekeys]]  update the keys of a SOPS file using the config file
 +
      [[sops --help]], h    Shows a list of commands or help for one command
 +
 +
GLOBAL OPTIONS:
 +
    --decrypt, -d                            decrypt a file and output the result to stdout
 +
    --encrypt, -e                            encrypt a file and output the result to stdout
 +
    --rotate, -r                            generate a new data encryption key and reencrypt all values with the new key
 +
    --kms value, -k value                    comma separated list of KMS ARNs [$SOPS_KMS_ARN]
 +
    --aws-profile value                      The AWS profile to use for requests to AWS
 +
    --gcp-kms value                          comma separated list of GCP KMS resource IDs [$SOPS_GCP_KMS_IDS]
 +
    --azure-kv value                        comma separated list of Azure Key Vault URLs [$SOPS_AZURE_KEYVAULT_URLS]
 +
    --hc-vault-transit value                comma separated list of vault's key URI (e.g.
 +
'https://vault.example.org:8200/v1/transit/keys/dev') [$SOPS_VAULT_URIS]
 +
    --pgp value, -p value                    comma separated list of PGP fingerprints [$SOPS_PGP_FP]
 +
    --age value, -a value                    comma separated list of age recipients [$SOPS_AGE_RECIPIENTS]
 +
    --in-place, -i                          write output back to the same file instead of stdout
 +
    --extract value                          extract a specific key or branch from the input document. Decrypt mode only. Example: --
 +
extract '["somekey"][0]'
 +
    --input-type value                      currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's
 +
extension to determine the type
 +
    --output-type value                      currently json, yaml, dotenv and binary are supported. If not set, sops will use the input
 +
file's extension to determine the output format
 +
    --show-master-keys, -s                  display master encryption keys in the file during editing
 +
    --add-gcp-kms value                      add the provided comma-separated list of GCP KMS key resource IDs to the list of master keys
 +
on the given file
 +
    --rm-gcp-kms value                      remove the provided comma-separated list of GCP KMS key resource IDs from the list of master
 +
keys on the given file
 +
    --add-azure-kv value                    add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys
 +
on the given file
 +
    --rm-azure-kv value                      remove the provided comma-separated list of Azure Key Vault key URLs from the list of master
 +
keys on the given file
 +
    --add-kms value                          add the provided comma-separated list of KMS ARNs to the list of master keys on the given
 +
file
 +
    --rm-kms value                          remove the provided comma-separated list of KMS ARNs from the list of master keys on the
 +
given file
 +
    --add-hc-vault-transit value            add the provided comma-separated list of Vault's URI key to the list of master keys on the
 +
given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
 +
    --rm-hc-vault-transit value              remove the provided comma-separated list of Vault's URI key from the list of master keys on
 +
the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
 +
    --add-age value                          add the provided comma-separated list of age recipients fingerprints to the list of master
 +
keys on the given file
 +
    --rm-age value                          remove the provided comma-separated list of age recipients from the list of master keys on
 +
the given file
 +
    --add-pgp value                          add the provided comma-separated list of PGP fingerprints to the list of master keys on the
 +
given file
 +
    --rm-pgp value                          remove the provided comma-separated list of PGP fingerprints from the list of master keys on
 +
the given file
 +
    --ignore-mac                            ignore Message Authentication Code during decryption
 +
    --unencrypted-suffix value              override the unencrypted key suffix.
 +
    --encrypted-suffix value                override the encrypted key suffix. When empty, all keys will be encrypted, unless otherwise
 +
marked with unencrypted-suffix.
 +
    --unencrypted-regex value                set the unencrypted key suffix. When specified, only keys matching the regex will be left
 +
unencrypted.
 +
    --encrypted-regex value                  set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.
 +
    --config value                          path to sops' config file. If set, sops will not search for the config file recursively.
 +
    --encryption-context value              comma separated list of KMS encryption context key:value pairs
 +
    --set value                              set a specific key or branch in the input document. value must be a json encoded string.
 +
(edit mode only). eg. --set '["somekey"][0] {"somevalue":true}'
 +
    --shamir-secret-sharing-threshold value  the number of master keys required to retrieve the data key with [[shamir]] (default: 0)
 +
    --verbose                                Enable verbose logging output
 +
    --output value                          Save the output after encryption or decryption to the file specified
 +
    --enable-local-keyservice                use local key service
 +
    --keyservice value                      Specify the key services to use in addition to the local one. Can be specified more than
 +
once. Syntax: protocol://address. Example: tcp://myserver.com:5000
 +
    --help, -h                              show help
 +
    --version, -v                            print the version
  
  To encrypt or decrypt a document with GCP KMS, specify the
 
  GCP KMS resource ID in the --gcp-kms flag or in the SOPS_GCP_KMS_IDS
 
  environment variable.
 
  (you need to setup google application default credentials. See
 
    https://developers.google.com/identity/protocols/application-default-credentials)
 
 
 
  To encrypt or decrypt a document with HashiCorp Vault's Transit Secret Engine, specify the
 
  Vault key URI name in the --hc-vault-transit flag or in the SOPS_VAULT_URIS environment variable (eg. https://vault.example.org:8200/v1/transit/keys/dev
 
      where 'https://vault.example.org:8200' is the vault server, 'transit' the enginePath, and 'dev' is the name of the key )
 
  environment variable.
 
  (you need to enable the Transit Secrets Engine in Vault. See
 
      https://www.vaultproject.io/docs/secrets/transit/index.html)
 
 
  To encrypt or decrypt a document with Azure Key Vault, specify the
 
  Azure Key Vault key URL in the --azure-kv flag or in the SOPS_AZURE_KEYVAULT_URL
 
  environment variable.
 
  (authentication is based on environment variables, see
 
    https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication.
 
    The user/sp needs the key/encrypt and key/decrypt permissions)
 
 
  To encrypt or decrypt using age, specify the recipient in the -a flag, or
 
  in the SOPS_AGE_RECIPIENTS environment variable.
 
 
  To encrypt or decrypt using PGP, specify the PGP fingerprint in the
 
  -p flag or in the SOPS_PGP_FP environment variable.
 
 
  To use multiple KMS or PGP keys, separate them by commas. For example:
 
      $ sops -p "10F2...0A, 85D...B3F21" file.yaml
 
 
  The -p, -k, --gcp-kms, --hc-vault-transit and --azure-kv flags are only used to encrypt new documents. Editing
 
  or decrypting existing documents can be done with "sops file" or
 
  "sops -d file" respectively. The KMS and PGP keys listed in the encrypted
 
  documents are used then. To manage master keys in existing documents, use
 
  the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags.
 
 
  To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC.
 
 
  To select a different editor than the default (vim), set EDITOR.
 
 
  For more information, see the README at github.com/mozilla/sops
 
 
VERSION:
 
  3.7.3
 
 
AUTHORS:
 
  AJ Bahnken <[email protected]>
 
  Adrian Utrilla <[email protected]>
 
  Julien Vehent <[email protected]>
 
 
COMMANDS:
 
    exec-env    execute a command with decrypted values inserted into the environment
 
    exec-file  execute a command with the decrypted contents as a temporary file
 
    publish    Publish sops file or directory to a configured destination
 
    keyservice  start a SOPS key service server
 
    groups      modify the groups on a SOPS file
 
    updatekeys  update the keys of a SOPS file using the config file
 
    help, h    Shows a list of commands or help for one command
 
 
GLOBAL OPTIONS:
 
  --decrypt, -d                            decrypt a file and output the result to stdout
 
  --encrypt, -e                            encrypt a file and output the result to stdout
 
  --rotate, -r                            generate a new data encryption key and reencrypt all values with the new key
 
  --kms value, -k value                    comma separated list of KMS ARNs [$SOPS_KMS_ARN]
 
  --aws-profile value                      The AWS profile to use for requests to AWS
 
  --gcp-kms value                          comma separated list of GCP KMS resource IDs [$SOPS_GCP_KMS_IDS]
 
  --azure-kv value                        comma separated list of Azure Key Vault URLs [$SOPS_AZURE_KEYVAULT_URLS]
 
  --hc-vault-transit value                comma separated list of vault's key URI (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev') [$SOPS_VAULT_URIS]
 
  --pgp value, -p value                    comma separated list of PGP fingerprints [$SOPS_PGP_FP]
 
  --age value, -a value                    comma separated list of age recipients [$SOPS_AGE_RECIPIENTS]
 
  --in-place, -i                          write output back to the same file instead of stdout
 
  --extract value                          extract a specific key or branch from the input document. Decrypt mode only. Example: --extract '["somekey"][0]'
 
  --input-type value                      currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type
 
  --output-type value                      currently json, yaml, dotenv and binary are supported. If not set, sops will use the input file's extension to determine the output format
 
  --show-master-keys, -s                  display master encryption keys in the file during editing
 
  --add-gcp-kms value                      add the provided comma-separated list of GCP KMS key resource IDs to the list of master keys on the given file
 
  --rm-gcp-kms value                      remove the provided comma-separated list of GCP KMS key resource IDs from the list of master keys on the given file
 
  --add-azure-kv value                    add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys on the given file
 
  --rm-azure-kv value                      remove the provided comma-separated list of Azure Key Vault key URLs from the list of master keys on the given file
 
  --add-kms value                          add the provided comma-separated list of KMS ARNs to the list of master keys on the given file
 
  --rm-kms value                          remove the provided comma-separated list of KMS ARNs from the list of master keys on the given file
 
  --add-hc-vault-transit value            add the provided comma-separated list of Vault's URI key to the list of master keys on the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
 
  --rm-hc-vault-transit value              remove the provided comma-separated list of Vault's URI key from the list of master keys on the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
 
  --add-age value                          add the provided comma-separated list of age recipients fingerprints to the list of master keys on the given file
 
  --rm-age value                          remove the provided comma-separated list of age recipients from the list of master keys on the given file
 
  --add-pgp value                          add the provided comma-separated list of PGP fingerprints to the list of master keys on the given file
 
  --rm-pgp value                          remove the provided comma-separated list of PGP fingerprints from the list of master keys on the given file
 
  --ignore-mac                            ignore Message Authentication Code during decryption
 
  --unencrypted-suffix value              override the unencrypted key suffix.
 
  --encrypted-suffix value                override the encrypted key suffix. When empty, all keys will be encrypted, unless otherwise marked with unencrypted-suffix.
 
  --unencrypted-regex value                set the unencrypted key suffix. When specified, only keys matching the regex will be left unencrypted.
 
  --encrypted-regex value                  set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.
 
  --config value                          path to sops' config file. If set, sops will not search for the config file recursively.
 
  --encryption-context value              comma separated list of KMS encryption context key:value pairs
 
  --set value                              set a specific key or branch in the input document. value must be a json encoded string. (edit mode only). eg. --set '["somekey"][0] {"somevalue":true}'
 
  --shamir-secret-sharing-threshold value  the number of master keys required to retrieve the data key with shamir (default: 0)
 
  --verbose                                Enable verbose logging output
 
  --output value                          Save the output after encryption or decryption to the file specified
 
  --enable-local-keyservice                use local key service
 
  --keyservice value                      Specify the key services to use in addition to the local one. Can be specified more than once. Syntax: protocol://address. Example: tcp://myserver.com:5000
 
  --help, -h                              show help
 
  --version, -v                            print the version
 
</pre>
 
  
  

Latest revision as of 17:52, 30 November 2022

sops --help
NAME:
   sops - sops - encrypted file editor with AWS KMS, GCP KMS, Azure Key Vault, age, and GPG support
USAGE:
   sops is an editor of encrypted files that supports AWS KMS and PGP

   To encrypt or decrypt a document with AWS KMS, specify the KMS ARN
   in the -k flag or in the SOPS_KMS_ARN environment variable.
   (you need valid credentials in ~/.aws/credentials or in your env)

   To encrypt or decrypt a document with GCP KMS, specify the
   GCP KMS resource ID in the --gcp-kms flag or in the SOPS_GCP_KMS_IDS
   environment variable.
   (you need to setup google application default credentials. See
    https://developers.google.com/identity/protocols/application-default-credentials)


   To encrypt or decrypt a document with HashiCorp Vault's Transit Secret Engine, specify the
   Vault key URI name in the --hc-vault-transit flag or in the SOPS_VAULT_URIS environment variable (eg. 
https://vault.example.org:8200/v1/transit/keys/dev
      where 'https://vault.example.org:8200' is the vault server, 'transit' the enginePath, and 'dev' is the name of the key )
   environment variable.
   (you need to enable the Transit Secrets Engine in Vault. See
      https://www.vaultproject.io/docs/secrets/transit/index.html)

   To encrypt or decrypt a document with Azure Key Vault, specify the
   Azure Key Vault key URL in the --azure-kv flag or in the SOPS_AZURE_KEYVAULT_URL
   environment variable.
   (authentication is based on environment variables, see
    https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication.
    The user/sp needs the key/encrypt and key/decrypt permissions)

   To encrypt or decrypt using age, specify the recipient in the -a flag, or
   in the SOPS_AGE_RECIPIENTS environment variable.

   To encrypt or decrypt using PGP, specify the PGP fingerprint in the
   -p flag or in the SOPS_PGP_FP environment variable.

   To use multiple KMS or PGP keys, separate them by commas. For example:
       $ sops -p "10F2...0A, 85D...B3F21" file.yaml

   The -p, -k, --gcp-kms, --hc-vault-transit and --azure-kv flags are only used to encrypt new documents. Editing
   or decrypting existing documents can be done with "sops file" or
   "sops -d file" respectively. The KMS and PGP keys listed in the encrypted
   documents are used then. To manage master keys in existing documents, use
   the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags.

   To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC.

   To select a different editor than the default (vim), set EDITOR.

   For more information, see the README at github.com/mozilla/sops

VERSION:
   3.7.3

AUTHORS:
   AJ Bahnken <[email protected]>
   Adrian Utrilla <[email protected]>
   Julien Vehent <[email protected]>

COMMANDS:
      exec-env    execute a command with decrypted values inserted into the environment
      exec-file   execute a command with the decrypted contents as a temporary file
      publish     Publish sops file or directory to a configured destination
      keyservice  start a SOPS key service server
      groups      modify the groups on a SOPS file
      updatekeys  update the keys of a SOPS file using the config file
      sops --help, h     Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --decrypt, -d                            decrypt a file and output the result to stdout
   --encrypt, -e                            encrypt a file and output the result to stdout
   --rotate, -r                             generate a new data encryption key and reencrypt all values with the new key
   --kms value, -k value                    comma separated list of KMS ARNs [$SOPS_KMS_ARN]
   --aws-profile value                      The AWS profile to use for requests to AWS
   --gcp-kms value                          comma separated list of GCP KMS resource IDs [$SOPS_GCP_KMS_IDS]
   --azure-kv value                         comma separated list of Azure Key Vault URLs [$SOPS_AZURE_KEYVAULT_URLS]
   --hc-vault-transit value                 comma separated list of vault's key URI (e.g. 
'https://vault.example.org:8200/v1/transit/keys/dev') [$SOPS_VAULT_URIS]
   --pgp value, -p value                    comma separated list of PGP fingerprints [$SOPS_PGP_FP]
   --age value, -a value                    comma separated list of age recipients [$SOPS_AGE_RECIPIENTS]
   --in-place, -i                           write output back to the same file instead of stdout
   --extract value                          extract a specific key or branch from the input document. Decrypt mode only. Example: -- 
extract '["somekey"][0]'
   --input-type value                       currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's 
extension to determine the type
   --output-type value                      currently json, yaml, dotenv and binary are supported. If not set, sops will use the input 
file's extension to determine the output format
   --show-master-keys, -s                   display master encryption keys in the file during editing
   --add-gcp-kms value                      add the provided comma-separated list of GCP KMS key resource IDs to the list of master keys 
on the given file
   --rm-gcp-kms value                       remove the provided comma-separated list of GCP KMS key resource IDs from the list of master 
keys on the given file
   --add-azure-kv value                     add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys 
on the given file
   --rm-azure-kv value                      remove the provided comma-separated list of Azure Key Vault key URLs from the list of master 
keys on the given file
   --add-kms value                          add the provided comma-separated list of KMS ARNs to the list of master keys on the given 
file
   --rm-kms value                           remove the provided comma-separated list of KMS ARNs from the list of master keys on the 
given file
   --add-hc-vault-transit value             add the provided comma-separated list of Vault's URI key to the list of master keys on the 
given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
   --rm-hc-vault-transit value              remove the provided comma-separated list of Vault's URI key from the list of master keys on 
the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
   --add-age value                          add the provided comma-separated list of age recipients fingerprints to the list of master 
keys on the given file
   --rm-age value                           remove the provided comma-separated list of age recipients from the list of master keys on 
the given file
   --add-pgp value                          add the provided comma-separated list of PGP fingerprints to the list of master keys on the 
given file
   --rm-pgp value                           remove the provided comma-separated list of PGP fingerprints from the list of master keys on 
the given file
   --ignore-mac                             ignore Message Authentication Code during decryption
   --unencrypted-suffix value               override the unencrypted key suffix.
   --encrypted-suffix value                 override the encrypted key suffix. When empty, all keys will be encrypted, unless otherwise 
marked with unencrypted-suffix.
   --unencrypted-regex value                set the unencrypted key suffix. When specified, only keys matching the regex will be left 
unencrypted.
   --encrypted-regex value                  set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.
   --config value                           path to sops' config file. If set, sops will not search for the config file recursively.
   --encryption-context value               comma separated list of KMS encryption context key:value pairs
   --set value                              set a specific key or branch in the input document. value must be a json encoded string. 
(edit mode only). eg. --set '["somekey"][0] {"somevalue":true}'
   --shamir-secret-sharing-threshold value  the number of master keys required to retrieve the data key with shamir (default: 0)
   --verbose                                Enable verbose logging output
   --output value                           Save the output after encryption or decryption to the file specified
   --enable-local-keyservice                use local key service
   --keyservice value                       Specify the key services to use in addition to the local one. Can be specified more than 
once. Syntax: protocol://address. Example: tcp://myserver.com:5000
   --help, -h                               show help
   --version, -v                            print the version


See also[edit]

Advertising: