Difference between revisions of "Sops --help"
Jump to navigation
Jump to search
Line 64: | Line 64: | ||
COMMANDS: | COMMANDS: | ||
− | + | [[sops exec-env|exec-env]] execute a command with decrypted values inserted into the environment | |
− | + | [[sops exec-file|exec-file]] execute a command with the decrypted contents as a temporary file | |
− | + | [[sops publish|publish]] Publish sops file or directory to a configured destination | |
− | + | [[sops keyservice|keyservice]] start a SOPS key service server | |
− | + | [[sops groups|groups]] modify the groups on a SOPS file | |
− | + | [[sops updatekeys|updatekeys]] update the keys of a SOPS file using the config file | |
− | + | [[sops --help]], h Shows a list of commands or help for one command | |
GLOBAL OPTIONS: | GLOBAL OPTIONS: |
Revision as of 11:10, 6 October 2022
sops --help
NAME: sops - sops - encrypted file editor with AWS KMS, GCP KMS, Azure Key Vault, age, and GPG support
USAGE: sops is an editor of encrypted files that supports AWS KMS and PGP To encrypt or decrypt a document with AWS KMS, specify the KMS ARN in the -k flag or in the SOPS_KMS_ARN environment variable. (you need valid credentials in ~/.aws/credentials or in your env) To encrypt or decrypt a document with GCP KMS, specify the GCP KMS resource ID in the --gcp-kms flag or in the SOPS_GCP_KMS_IDS environment variable. (you need to setup google application default credentials. See https://developers.google.com/identity/protocols/application-default-credentials) To encrypt or decrypt a document with HashiCorp Vault's Transit Secret Engine, specify the Vault key URI name in the --hc-vault-transit flag or in the SOPS_VAULT_URIS environment variable (eg. https://vault.example.org:8200/v1/transit/keys/dev where 'https://vault.example.org:8200' is the vault server, 'transit' the enginePath, and 'dev' is the name of the key ) environment variable. (you need to enable the Transit Secrets Engine in Vault. See https://www.vaultproject.io/docs/secrets/transit/index.html) To encrypt or decrypt a document with Azure Key Vault, specify the Azure Key Vault key URL in the --azure-kv flag or in the SOPS_AZURE_KEYVAULT_URL environment variable. (authentication is based on environment variables, see https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication. The user/sp needs the key/encrypt and key/decrypt permissions) To encrypt or decrypt using age, specify the recipient in the -a flag, or in the SOPS_AGE_RECIPIENTS environment variable. To encrypt or decrypt using PGP, specify the PGP fingerprint in the -p flag or in the SOPS_PGP_FP environment variable. To use multiple KMS or PGP keys, separate them by commas. For example: $ sops -p "10F2...0A, 85D...B3F21" file.yaml The -p, -k, --gcp-kms, --hc-vault-transit and --azure-kv flags are only used to encrypt new documents. Editing or decrypting existing documents can be done with "sops file" or "sops -d file" respectively. The KMS and PGP keys listed in the encrypted documents are used then. To manage master keys in existing documents, use the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags. To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC. To select a different editor than the default (vim), set EDITOR. For more information, see the README at github.com/mozilla/sops VERSION: 3.7.3 AUTHORS: AJ Bahnken <[email protected]> Adrian Utrilla <[email protected]> Julien Vehent <[email protected]> COMMANDS: [[sops exec-env|exec-env]] execute a command with decrypted values inserted into the environment [[sops exec-file|exec-file]] execute a command with the decrypted contents as a temporary file [[sops publish|publish]] Publish sops file or directory to a configured destination [[sops keyservice|keyservice]] start a SOPS key service server [[sops groups|groups]] modify the groups on a SOPS file [[sops updatekeys|updatekeys]] update the keys of a SOPS file using the config file [[sops --help]], h Shows a list of commands or help for one command GLOBAL OPTIONS: --decrypt, -d decrypt a file and output the result to stdout --encrypt, -e encrypt a file and output the result to stdout --rotate, -r generate a new data encryption key and reencrypt all values with the new key --kms value, -k value comma separated list of KMS ARNs [$SOPS_KMS_ARN] --aws-profile value The AWS profile to use for requests to AWS --gcp-kms value comma separated list of GCP KMS resource IDs [$SOPS_GCP_KMS_IDS] --azure-kv value comma separated list of Azure Key Vault URLs [$SOPS_AZURE_KEYVAULT_URLS] --hc-vault-transit value comma separated list of vault's key URI (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev') [$SOPS_VAULT_URIS] --pgp value, -p value comma separated list of PGP fingerprints [$SOPS_PGP_FP] --age value, -a value comma separated list of age recipients [$SOPS_AGE_RECIPIENTS] --in-place, -i write output back to the same file instead of stdout --extract value extract a specific key or branch from the input document. Decrypt mode only. Example: --extract '["somekey"][0]' --input-type value currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type --output-type value currently json, yaml, dotenv and binary are supported. If not set, sops will use the input file's extension to determine the output format --show-master-keys, -s display master encryption keys in the file during editing --add-gcp-kms value add the provided comma-separated list of GCP KMS key resource IDs to the list of master keys on the given file --rm-gcp-kms value remove the provided comma-separated list of GCP KMS key resource IDs from the list of master keys on the given file --add-azure-kv value add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys on the given file --rm-azure-kv value remove the provided comma-separated list of Azure Key Vault key URLs from the list of master keys on the given file --add-kms value add the provided comma-separated list of KMS ARNs to the list of master keys on the given file --rm-kms value remove the provided comma-separated list of KMS ARNs from the list of master keys on the given file --add-hc-vault-transit value add the provided comma-separated list of Vault's URI key to the list of master keys on the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev) --rm-hc-vault-transit value remove the provided comma-separated list of Vault's URI key from the list of master keys on the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev) --add-age value add the provided comma-separated list of age recipients fingerprints to the list of master keys on the given file --rm-age value remove the provided comma-separated list of age recipients from the list of master keys on the given file --add-pgp value add the provided comma-separated list of PGP fingerprints to the list of master keys on the given file --rm-pgp value remove the provided comma-separated list of PGP fingerprints from the list of master keys on the given file --ignore-mac ignore Message Authentication Code during decryption --unencrypted-suffix value override the unencrypted key suffix. --encrypted-suffix value override the encrypted key suffix. When empty, all keys will be encrypted, unless otherwise marked with unencrypted-suffix. --unencrypted-regex value set the unencrypted key suffix. When specified, only keys matching the regex will be left unencrypted. --encrypted-regex value set the encrypted key suffix. When specified, only keys matching the regex will be encrypted. --config value path to sops' config file. If set, sops will not search for the config file recursively. --encryption-context value comma separated list of KMS encryption context key:value pairs --set value set a specific key or branch in the input document. value must be a json encoded string. (edit mode only). eg. --set '["somekey"][0] {"somevalue":true}' --shamir-secret-sharing-threshold value the number of master keys required to retrieve the data key with shamir (default: 0) --verbose Enable verbose logging output --output value Save the output after encryption or decryption to the file specified --enable-local-keyservice use local key service --keyservice value Specify the key services to use in addition to the local one. Can be specified more than once. Syntax: protocol://address. Example: tcp://myserver.com:5000 --help, -h show help --version, -v print the version
See also
- SOPS,
sops | sops -d | sops -e | sops exec-env | sops exec-file | sops publish | sops keyservice | sops groups | sops updatekeys | sops --help
- Secrets: Kubernetes secrets,
ansible-vault
, Hashicorp Vault, AWS Secrets Manager, Google Secret Manager,git-crypt
, SOPS: Secrets OPerationS, Google Cloud Secret Manager, GitHub secret scanning alerts
Advertising: