README.org

November 2, 2025 · View on GitHub

sops: SOPS encrypt and decrypt without leaving the editor.

To learn more about Secret OPerationS: [[https://github.com/getsops/sops]]

** Installation

By enabling ~~global-sops-mode~~, ~~sops-mode~~ will try to enable itself automatically when we enter a SOPS encrypted file. When you see that ~~sops~~ is enabled you can use ~~sops-edit-file~~ to decrypt the file. After modifications have been made you can save with ~~sops-save-file~~ or discard modifications with ~~sops-cancel~~. Sops encrypted files will be shown in ~~read-only-mode~~ to prevent the user from accidentally corrupting an encrypted file. This is useful for partly encrypted files, where only a single line might be encrypted.

~~elpaca~~ + ~~use-package~~ #+begin_example (defun sops-setup-env () "Set environment variable for SOPS" (when (string-match "arn:aws:kms.*:\([[:digit:]]+\):" (buffer-string)) (pcase (match-string-no-properties 1 (buffer-string)) ("111111111111" (setenv "AWS_PROFILE" "dev")) ("222222222222" (setenv "AWS_PROFILE" "stage")) ("333333333333" (setenv "AWS_PROFILE" "prod")) (x (message "No matching AWS Profile for %s" x)))))

(use-package sops :ensure (:type git :host github :repo "djgoku/sops") :bind (("C-c C-c" . sops-save-file) ("C-c C-k" . sops-cancel) ("C-c C-d" . sops-edit-file)) :init (setq sops-before-encrypt-decrypt-hook 'sops-setup-env) (global-sops-mode 1)) #+end_example

** Custom Variables

| Variable | Description | |----------------------------------+-----------------------------------------------------------------| | sops-executable | Path to SOPS executable. Defaults to ~~sops~~ | | sops-decrypt-args | SOPS decrypt arguments. Defaults to ~~("-d")~ | | sops-extra-encrypt-args | SOPS additional encrypt arguments. Defaults to ~()~~ | | sops-before-encrypt-decrypt-hook | Run function before encrypting or decrypting. Defaults to ~~nil~~ |

** Age SSH

#+BEGIN_QUOTE Use ~~sops-extra-encrypt-args~~ to create a two-element list, like ~~’(“-a” “,”)~~. The first element is the age switch -a, and the second element is a single string separating SSH keys with commas if using multiple. #+END_QUOTE

With the addition of ~~sops-extra-encrypt-args~~, Age SSH and likely other uses are possible. It’s also a convenience feature for age.

https://github.com/FiloSottile/age?tab=readme-ov-file#ssh-keys https://github.com/getsops/sops/blob/775335db220e812431a0e7d159ff816e3399348c/README.rst?plain=1#L236 ** Future

Add a variable to auto-decrypt when we enter an encrypted file when ~~global-sops-mode~~ is enabled.
Create new SOPS encrypted files via ~~sops-mode~~.
If we fail to encrypt (sops < 3.9), we need to revert changes to original-file to encrypted state and switch back to decrypted buffer.
- We should also show the error buffer too.