sops --help

From wikieduonline
Jump to navigation Jump to search

sops --help
NAME:
   sops - sops - encrypted file editor with AWS KMS, GCP KMS, Azure Key Vault, age, and GPG support
USAGE:
   sops is an editor of encrypted files that supports AWS KMS and PGP

   To encrypt or decrypt a document with AWS KMS, specify the KMS ARN
   in the -k flag or in the SOPS_KMS_ARN environment variable.
   (you need valid credentials in ~/.aws/credentials or in your env)

   To encrypt or decrypt a document with GCP KMS, specify the
   GCP KMS resource ID in the --gcp-kms flag or in the SOPS_GCP_KMS_IDS
   environment variable.
   (you need to setup google application default credentials. See
    https://developers.google.com/identity/protocols/application-default-credentials)


   To encrypt or decrypt a document with HashiCorp Vault's Transit Secret Engine, specify the
   Vault key URI name in the --hc-vault-transit flag or in the SOPS_VAULT_URIS environment variable (eg. 
https://vault.example.org:8200/v1/transit/keys/dev
      where 'https://vault.example.org:8200' is the vault server, 'transit' the enginePath, and 'dev' is the name of the key )
   environment variable.
   (you need to enable the Transit Secrets Engine in Vault. See
      https://www.vaultproject.io/docs/secrets/transit/index.html)

   To encrypt or decrypt a document with Azure Key Vault, specify the
   Azure Key Vault key URL in the --azure-kv flag or in the SOPS_AZURE_KEYVAULT_URL
   environment variable.
   (authentication is based on environment variables, see
    https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication.
    The user/sp needs the key/encrypt and key/decrypt permissions)

   To encrypt or decrypt using age, specify the recipient in the -a flag, or
   in the SOPS_AGE_RECIPIENTS environment variable.

   To encrypt or decrypt using PGP, specify the PGP fingerprint in the
   -p flag or in the SOPS_PGP_FP environment variable.

   To use multiple KMS or PGP keys, separate them by commas. For example:
       $ sops -p "10F2...0A, 85D...B3F21" file.yaml

   The -p, -k, --gcp-kms, --hc-vault-transit and --azure-kv flags are only used to encrypt new documents. Editing
   or decrypting existing documents can be done with "sops file" or
   "sops -d file" respectively. The KMS and PGP keys listed in the encrypted
   documents are used then. To manage master keys in existing documents, use
   the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags.

   To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC.

   To select a different editor than the default (vim), set EDITOR.

   For more information, see the README at github.com/mozilla/sops

VERSION:
   3.7.3

AUTHORS:
   AJ Bahnken <[email protected]>
   Adrian Utrilla <[email protected]>
   Julien Vehent <[email protected]>

COMMANDS:
      exec-env    execute a command with decrypted values inserted into the environment
      exec-file   execute a command with the decrypted contents as a temporary file
      publish     Publish sops file or directory to a configured destination
      keyservice  start a SOPS key service server
      groups      modify the groups on a SOPS file
      updatekeys  update the keys of a SOPS file using the config file
      sops --help, h     Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --decrypt, -d                            decrypt a file and output the result to stdout
   --encrypt, -e                            encrypt a file and output the result to stdout
   --rotate, -r                             generate a new data encryption key and reencrypt all values with the new key
   --kms value, -k value                    comma separated list of KMS ARNs [$SOPS_KMS_ARN]
   --aws-profile value                      The AWS profile to use for requests to AWS
   --gcp-kms value                          comma separated list of GCP KMS resource IDs [$SOPS_GCP_KMS_IDS]
   --azure-kv value                         comma separated list of Azure Key Vault URLs [$SOPS_AZURE_KEYVAULT_URLS]
   --hc-vault-transit value                 comma separated list of vault's key URI (e.g. 
'https://vault.example.org:8200/v1/transit/keys/dev') [$SOPS_VAULT_URIS]
   --pgp value, -p value                    comma separated list of PGP fingerprints [$SOPS_PGP_FP]
   --age value, -a value                    comma separated list of age recipients [$SOPS_AGE_RECIPIENTS]
   --in-place, -i                           write output back to the same file instead of stdout
   --extract value                          extract a specific key or branch from the input document. Decrypt mode only. Example: -- 
extract '["somekey"][0]'
   --input-type value                       currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's 
extension to determine the type
   --output-type value                      currently json, yaml, dotenv and binary are supported. If not set, sops will use the input 
file's extension to determine the output format
   --show-master-keys, -s                   display master encryption keys in the file during editing
   --add-gcp-kms value                      add the provided comma-separated list of GCP KMS key resource IDs to the list of master keys 
on the given file
   --rm-gcp-kms value                       remove the provided comma-separated list of GCP KMS key resource IDs from the list of master 
keys on the given file
   --add-azure-kv value                     add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys 
on the given file
   --rm-azure-kv value                      remove the provided comma-separated list of Azure Key Vault key URLs from the list of master 
keys on the given file
   --add-kms value                          add the provided comma-separated list of KMS ARNs to the list of master keys on the given 
file
   --rm-kms value                           remove the provided comma-separated list of KMS ARNs from the list of master keys on the 
given file
   --add-hc-vault-transit value             add the provided comma-separated list of Vault's URI key to the list of master keys on the 
given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
   --rm-hc-vault-transit value              remove the provided comma-separated list of Vault's URI key from the list of master keys on 
the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)
   --add-age value                          add the provided comma-separated list of age recipients fingerprints to the list of master 
keys on the given file
   --rm-age value                           remove the provided comma-separated list of age recipients from the list of master keys on 
the given file
   --add-pgp value                          add the provided comma-separated list of PGP fingerprints to the list of master keys on the 
given file
   --rm-pgp value                           remove the provided comma-separated list of PGP fingerprints from the list of master keys on 
the given file
   --ignore-mac                             ignore Message Authentication Code during decryption
   --unencrypted-suffix value               override the unencrypted key suffix.
   --encrypted-suffix value                 override the encrypted key suffix. When empty, all keys will be encrypted, unless otherwise 
marked with unencrypted-suffix.
   --unencrypted-regex value                set the unencrypted key suffix. When specified, only keys matching the regex will be left 
unencrypted.
   --encrypted-regex value                  set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.
   --config value                           path to sops' config file. If set, sops will not search for the config file recursively.
   --encryption-context value               comma separated list of KMS encryption context key:value pairs
   --set value                              set a specific key or branch in the input document. value must be a json encoded string. 
(edit mode only). eg. --set '["somekey"][0] {"somevalue":true}'
   --shamir-secret-sharing-threshold value  the number of master keys required to retrieve the data key with shamir (default: 0)
   --verbose                                Enable verbose logging output
   --output value                           Save the output after encryption or decryption to the file specified
   --enable-local-keyservice                use local key service
   --keyservice value                       Specify the key services to use in addition to the local one. Can be specified more than 
once. Syntax: protocol://address. Example: tcp://myserver.com:5000
   --help, -h                               show help
   --version, -v                            print the version


See also[edit]

Advertising: