Difference between revisions of "Sops --help"
Jump to navigation
Jump to search
| Line 5: | Line 5: | ||
NAME: | NAME: | ||
sops - sops - encrypted file editor with [[AWS KMS]], [[GCP KMS]], [[Azure Key Vault]], [[age]], and [[GPG]] support | sops - sops - encrypted file editor with [[AWS KMS]], [[GCP KMS]], [[Azure Key Vault]], [[age]], and [[GPG]] support | ||
| − | |||
| − | |||
| − | |||
| − | + | USAGE: | |
| − | + | sops is an editor of encrypted files that supports AWS KMS and PGP | |
| − | + | ||
| + | To encrypt or decrypt a document with AWS KMS, specify the KMS ARN | ||
| + | in the -k flag or in the SOPS_KMS_ARN environment variable. | ||
| + | (you need valid credentials in ~/.aws/credentials or in your env) | ||
| + | |||
| + | To encrypt or decrypt a document with GCP KMS, specify the | ||
| + | GCP KMS resource ID in the --gcp-kms flag or in the SOPS_GCP_KMS_IDS | ||
| + | environment variable. | ||
| + | (you need to setup google application default credentials. See | ||
| + | https://developers.google.com/identity/protocols/application-default-credentials) | ||
| + | |||
| + | |||
| + | To encrypt or decrypt a document with HashiCorp Vault's Transit Secret Engine, specify the | ||
| + | Vault key URI name in the --hc-vault-transit flag or in the SOPS_VAULT_URIS environment variable (eg. | ||
| + | https://vault.example.org:8200/v1/transit/keys/dev | ||
| + | where 'https://vault.example.org:8200' is the vault server, 'transit' the enginePath, and 'dev' is the name of the key ) | ||
| + | environment variable. | ||
| + | (you need to enable the Transit Secrets Engine in Vault. See | ||
| + | https://www.vaultproject.io/docs/secrets/transit/index.html) | ||
| + | |||
| + | To encrypt or decrypt a document with Azure Key Vault, specify the | ||
| + | Azure Key Vault key URL in the --azure-kv flag or in the SOPS_AZURE_KEYVAULT_URL | ||
| + | environment variable. | ||
| + | (authentication is based on environment variables, see | ||
| + | https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication. | ||
| + | The user/sp needs the key/encrypt and key/decrypt permissions) | ||
| + | |||
| + | To encrypt or decrypt using age, specify the recipient in the -a flag, or | ||
| + | in the SOPS_AGE_RECIPIENTS environment variable. | ||
| + | |||
| + | To encrypt or decrypt using PGP, specify the PGP fingerprint in the | ||
| + | -p flag or in the SOPS_PGP_FP environment variable. | ||
| + | |||
| + | To use multiple KMS or PGP keys, separate them by commas. For example: | ||
| + | $ sops -p "10F2...0A, 85D...B3F21" file.yaml | ||
| + | |||
| + | The -p, -k, --gcp-kms, --hc-vault-transit and --azure-kv flags are only used to encrypt new documents. Editing | ||
| + | or decrypting existing documents can be done with "sops file" or | ||
| + | "sops -d file" respectively. The KMS and PGP keys listed in the encrypted | ||
| + | documents are used then. To manage master keys in existing documents, use | ||
| + | the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags. | ||
| + | |||
| + | To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC. | ||
| + | |||
| + | To select a different editor than the default (vim), set EDITOR. | ||
| + | |||
| + | For more information, see the README at github.com/mozilla/sops | ||
| + | |||
| + | VERSION: | ||
| + | 3.7.3 | ||
| + | |||
| + | AUTHORS: | ||
| + | AJ Bahnken <[email protected]> | ||
| + | Adrian Utrilla <[email protected]> | ||
| + | Julien Vehent <[email protected]> | ||
| + | |||
| + | COMMANDS: | ||
| + | [[sops exec-env|exec-env]] execute a command with decrypted values inserted into the environment | ||
| + | [[sops exec-file|exec-file]] execute a command with the decrypted contents as a temporary file | ||
| + | [[sops publish|publish]] Publish sops file or directory to a configured destination | ||
| + | [[sops keyservice|keyservice]] start a SOPS key service server | ||
| + | [[sops groups|groups]] modify the groups on a SOPS file | ||
| + | [[sops updatekeys|updatekeys]] update the keys of a SOPS file using the config file | ||
| + | [[sops --help]], h Shows a list of commands or help for one command | ||
| + | |||
| + | GLOBAL OPTIONS: | ||
| + | --decrypt, -d decrypt a file and output the result to stdout | ||
| + | --encrypt, -e encrypt a file and output the result to stdout | ||
| + | --rotate, -r generate a new data encryption key and reencrypt all values with the new key | ||
| + | --kms value, -k value comma separated list of KMS ARNs [$SOPS_KMS_ARN] | ||
| + | --aws-profile value The AWS profile to use for requests to AWS | ||
| + | --gcp-kms value comma separated list of GCP KMS resource IDs [$SOPS_GCP_KMS_IDS] | ||
| + | --azure-kv value comma separated list of Azure Key Vault URLs [$SOPS_AZURE_KEYVAULT_URLS] | ||
| + | --hc-vault-transit value comma separated list of vault's key URI (e.g. | ||
| + | 'https://vault.example.org:8200/v1/transit/keys/dev') [$SOPS_VAULT_URIS] | ||
| + | --pgp value, -p value comma separated list of PGP fingerprints [$SOPS_PGP_FP] | ||
| + | --age value, -a value comma separated list of age recipients [$SOPS_AGE_RECIPIENTS] | ||
| + | --in-place, -i write output back to the same file instead of stdout | ||
| + | --extract value extract a specific key or branch from the input document. Decrypt mode only. Example: -- | ||
| + | extract '["somekey"][0]' | ||
| + | --input-type value currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's | ||
| + | extension to determine the type | ||
| + | --output-type value currently json, yaml, dotenv and binary are supported. If not set, sops will use the input | ||
| + | file's extension to determine the output format | ||
| + | --show-master-keys, -s display master encryption keys in the file during editing | ||
| + | --add-gcp-kms value add the provided comma-separated list of GCP KMS key resource IDs to the list of master keys | ||
| + | on the given file | ||
| + | --rm-gcp-kms value remove the provided comma-separated list of GCP KMS key resource IDs from the list of master | ||
| + | keys on the given file | ||
| + | --add-azure-kv value add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys | ||
| + | on the given file | ||
| + | --rm-azure-kv value remove the provided comma-separated list of Azure Key Vault key URLs from the list of master | ||
| + | keys on the given file | ||
| + | --add-kms value add the provided comma-separated list of KMS ARNs to the list of master keys on the given | ||
| + | file | ||
| + | --rm-kms value remove the provided comma-separated list of KMS ARNs from the list of master keys on the | ||
| + | given file | ||
| + | --add-hc-vault-transit value add the provided comma-separated list of Vault's URI key to the list of master keys on the | ||
| + | given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev) | ||
| + | --rm-hc-vault-transit value remove the provided comma-separated list of Vault's URI key from the list of master keys on | ||
| + | the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev) | ||
| + | --add-age value add the provided comma-separated list of age recipients fingerprints to the list of master | ||
| + | keys on the given file | ||
| + | --rm-age value remove the provided comma-separated list of age recipients from the list of master keys on | ||
| + | the given file | ||
| + | --add-pgp value add the provided comma-separated list of PGP fingerprints to the list of master keys on the | ||
| + | given file | ||
| + | --rm-pgp value remove the provided comma-separated list of PGP fingerprints from the list of master keys on | ||
| + | the given file | ||
| + | --ignore-mac ignore Message Authentication Code during decryption | ||
| + | --unencrypted-suffix value override the unencrypted key suffix. | ||
| + | --encrypted-suffix value override the encrypted key suffix. When empty, all keys will be encrypted, unless otherwise | ||
| + | marked with unencrypted-suffix. | ||
| + | --unencrypted-regex value set the unencrypted key suffix. When specified, only keys matching the regex will be left | ||
| + | unencrypted. | ||
| + | --encrypted-regex value set the encrypted key suffix. When specified, only keys matching the regex will be encrypted. | ||
| + | --config value path to sops' config file. If set, sops will not search for the config file recursively. | ||
| + | --encryption-context value comma separated list of KMS encryption context key:value pairs | ||
| + | --set value set a specific key or branch in the input document. value must be a json encoded string. | ||
| + | (edit mode only). eg. --set '["somekey"][0] {"somevalue":true}' | ||
| + | --shamir-secret-sharing-threshold value the number of master keys required to retrieve the data key with shamir (default: 0) | ||
| + | --verbose Enable verbose logging output | ||
| + | --output value Save the output after encryption or decryption to the file specified | ||
| + | --enable-local-keyservice use local key service | ||
| + | --keyservice value Specify the key services to use in addition to the local one. Can be specified more than | ||
| + | once. Syntax: protocol://address. Example: tcp://myserver.com:5000 | ||
| + | --help, -h show help | ||
| + | --version, -v print the version | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Revision as of 11:14, 6 October 2022
sops --help
NAME: sops - sops - encrypted file editor with AWS KMS, GCP KMS, Azure Key Vault, age, and GPG support
USAGE:
sops is an editor of encrypted files that supports AWS KMS and PGP
To encrypt or decrypt a document with AWS KMS, specify the KMS ARN
in the -k flag or in the SOPS_KMS_ARN environment variable.
(you need valid credentials in ~/.aws/credentials or in your env)
To encrypt or decrypt a document with GCP KMS, specify the
GCP KMS resource ID in the --gcp-kms flag or in the SOPS_GCP_KMS_IDS
environment variable.
(you need to setup google application default credentials. See
https://developers.google.com/identity/protocols/application-default-credentials)
To encrypt or decrypt a document with HashiCorp Vault's Transit Secret Engine, specify the
Vault key URI name in the --hc-vault-transit flag or in the SOPS_VAULT_URIS environment variable (eg.
https://vault.example.org:8200/v1/transit/keys/dev
where 'https://vault.example.org:8200' is the vault server, 'transit' the enginePath, and 'dev' is the name of the key )
environment variable.
(you need to enable the Transit Secrets Engine in Vault. See
https://www.vaultproject.io/docs/secrets/transit/index.html)
To encrypt or decrypt a document with Azure Key Vault, specify the
Azure Key Vault key URL in the --azure-kv flag or in the SOPS_AZURE_KEYVAULT_URL
environment variable.
(authentication is based on environment variables, see
https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication.
The user/sp needs the key/encrypt and key/decrypt permissions)
To encrypt or decrypt using age, specify the recipient in the -a flag, or
in the SOPS_AGE_RECIPIENTS environment variable.
To encrypt or decrypt using PGP, specify the PGP fingerprint in the
-p flag or in the SOPS_PGP_FP environment variable.
To use multiple KMS or PGP keys, separate them by commas. For example:
$ sops -p "10F2...0A, 85D...B3F21" file.yaml
The -p, -k, --gcp-kms, --hc-vault-transit and --azure-kv flags are only used to encrypt new documents. Editing
or decrypting existing documents can be done with "sops file" or
"sops -d file" respectively. The KMS and PGP keys listed in the encrypted
documents are used then. To manage master keys in existing documents, use
the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags.
To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC.
To select a different editor than the default (vim), set EDITOR.
For more information, see the README at github.com/mozilla/sops
VERSION:
3.7.3
AUTHORS:
AJ Bahnken <[email protected]>
Adrian Utrilla <[email protected]>
Julien Vehent <[email protected]>
COMMANDS:
exec-env execute a command with decrypted values inserted into the environment
exec-file execute a command with the decrypted contents as a temporary file
publish Publish sops file or directory to a configured destination
keyservice start a SOPS key service server
groups modify the groups on a SOPS file
updatekeys update the keys of a SOPS file using the config file
sops --help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--decrypt, -d decrypt a file and output the result to stdout
--encrypt, -e encrypt a file and output the result to stdout
--rotate, -r generate a new data encryption key and reencrypt all values with the new key
--kms value, -k value comma separated list of KMS ARNs [$SOPS_KMS_ARN]
--aws-profile value The AWS profile to use for requests to AWS
--gcp-kms value comma separated list of GCP KMS resource IDs [$SOPS_GCP_KMS_IDS]
--azure-kv value comma separated list of Azure Key Vault URLs [$SOPS_AZURE_KEYVAULT_URLS]
--hc-vault-transit value comma separated list of vault's key URI (e.g.
'https://vault.example.org:8200/v1/transit/keys/dev') [$SOPS_VAULT_URIS]
--pgp value, -p value comma separated list of PGP fingerprints [$SOPS_PGP_FP]
--age value, -a value comma separated list of age recipients [$SOPS_AGE_RECIPIENTS]
--in-place, -i write output back to the same file instead of stdout
--extract value extract a specific key or branch from the input document. Decrypt mode only. Example: --
extract '["somekey"][0]'
--input-type value currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's
extension to determine the type
--output-type value currently json, yaml, dotenv and binary are supported. If not set, sops will use the input
file's extension to determine the output format
--show-master-keys, -s display master encryption keys in the file during editing
--add-gcp-kms value add the provided comma-separated list of GCP KMS key resource IDs to the list of master keys
on the given file
--rm-gcp-kms value remove the provided comma-separated list of GCP KMS key resource IDs from the list of master
keys on the given file
--add-azure-kv value add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys
on the given file
--rm-azure-kv value remove the provided comma-separated list of Azure Key Vault key URLs from the list of master
keys on the given file
--add-kms value add the provided comma-separated list of KMS ARNs to the list of master keys on the given
file
--rm-kms value remove the provided comma-separated list of KMS ARNs from the list of master keys on the
given file
--add-hc-vault-transit value add the provided comma-separated list of Vault's URI key to the list of master keys on the
given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
--rm-hc-vault-transit value remove the provided comma-separated list of Vault's URI key from the list of master keys on
the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
--add-age value add the provided comma-separated list of age recipients fingerprints to the list of master
keys on the given file
--rm-age value remove the provided comma-separated list of age recipients from the list of master keys on
the given file
--add-pgp value add the provided comma-separated list of PGP fingerprints to the list of master keys on the
given file
--rm-pgp value remove the provided comma-separated list of PGP fingerprints from the list of master keys on
the given file
--ignore-mac ignore Message Authentication Code during decryption
--unencrypted-suffix value override the unencrypted key suffix.
--encrypted-suffix value override the encrypted key suffix. When empty, all keys will be encrypted, unless otherwise
marked with unencrypted-suffix.
--unencrypted-regex value set the unencrypted key suffix. When specified, only keys matching the regex will be left
unencrypted.
--encrypted-regex value set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.
--config value path to sops' config file. If set, sops will not search for the config file recursively.
--encryption-context value comma separated list of KMS encryption context key:value pairs
--set value set a specific key or branch in the input document. value must be a json encoded string.
(edit mode only). eg. --set '["somekey"][0] {"somevalue":true}'
--shamir-secret-sharing-threshold value the number of master keys required to retrieve the data key with shamir (default: 0)
--verbose Enable verbose logging output
--output value Save the output after encryption or decryption to the file specified
--enable-local-keyservice use local key service
--keyservice value Specify the key services to use in addition to the local one. Can be specified more than
once. Syntax: protocol://address. Example: tcp://myserver.com:5000
--help, -h show help
--version, -v print the version
See also
- SOPS,
sops | sops -d | sops -e | sops exec-env | sops exec-file | sops publish | sops keyservice | sops groups | sops updatekeys | sops --help - Secrets: Kubernetes secrets,
ansible-vault, Hashicorp Vault, AWS Secrets Manager, Google Secret Manager,git-crypt, SOPS: Secrets OPerationS, Google Cloud Secret Manager, GitHub secret scanning alerts
Advertising:
