SOPS
CLI tool for encrypting YAML/JSON/ENV files with KMS, age, or PGP
Secrets ManagementFree (open source)Open Source
How we work:This listing is aggregated from SOPS's official documentation, public pricing pages, community discussions (Reddit, HN, forums), and real user feedback. We do not do hands-on testing. We aggregate and organize what's already out there. Last verified April 2026.
What is SOPS?
SOPS (Secrets OPerationS) is a command-line tool for editing encrypted files. It uses KMS keys (AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault, age, or PGP) to encrypt only the values in YAML, JSON, ENV, or INI files — leaving the keys readable so you can diff changes in Git. Originally created at Mozilla and now a CNCF Incubating project, SOPS is a favorite for teams that want encrypted-in-Git secrets without adopting a full operator.
Best for: Infrastructure-as-code teams that want encrypted-in-Git secrets with a simple CLI
Pros
- ✓ Encrypted values + readable keys makes Git review actually work
- ✓ No server or operator to run; pure CLI tool
- ✓ Multi-key support makes sharing with teammates painless
- ✓ Works with almost every KMS; vendor-agnostic
Cons
- ✗ Requires discipline: anyone can commit an unencrypted secret by accident
- ✗ Key management is on you; rotating a compromised key is manual
- ✗ Not a secrets manager; no audit trail of accesses
- ✗ Only encrypts at rest in Git; runtime apps still need a way to decrypt
Key Features
→Encrypts only values, leaves keys readable for diffs
→Supports YAML, JSON, ENV, INI, and binary files
→KMS providers: AWS KMS, GCP KMS, Azure Key Vault, Vault, age, PGP
→Multiple key support per file (team member or automation key)
→Path regex for selective encryption
→Git-friendly: small diffs on encrypted-value changes
→Integrations with Helm (helm-secrets), Terraform, Kustomize
→CLI and Go library usage
→Rotates keys without re-encrypting every file
→CNCF Incubating project
What People Are Saying
Real discussions and resources from the community.
Quick Info
| Pricing | Free (open source) |
| Model | Open Source |
| Founded | 2015 |
| Cloud | No |
| Self-Hosted | Yes |
| Open Source | Yes |
| Rating | 4.5/5 |
Last updated: Apr 23, 2026
SOPS Alternatives
View All AlternativesSealed Secrets
Encrypt Kubernetes secrets into a format safe to store in Gi...External Secrets Operator
K8s operator that syncs secrets from external stores into Ku...HashiCorp Vault
Industry-standard open-source secrets management platform...Doppler
Developer-first universal secrets management platform...
Encrypt Kubernetes secrets into a format safe to store in Gi...External Secrets Operator
K8s operator that syncs secrets from external stores into Ku...HashiCorp Vault
Industry-standard open-source secrets management platform...Doppler
Developer-first universal secrets management platform...