This version is under construction, please use an official release version

Work with Secrets using SOPS

Install the sops tool locally (version 3.7.1 is used in the automated pipeline).

Decrypt the file

Take the values of AGE secret (from and put it in a file, e.g. .age.txt.

export SOPS_AGE_KEY_FILE=.age.txt
sops -d kubermatic/kubermatic-configuration.yaml
sops -d kubermatic/values.yaml

With above commands, you will get on standard output the decrypted content of the files. You can also use -i option to use the in-place update of the file.

Make sure that you never commit the files with decrypted values inside your repository!

Encrypt the values

If you want to update some values or encrypt a new ones, you will need the AGE public key (set in AGE_PUBLIC_KEY variable) which is passed to the sops command.

sops -e --encrypted-regex 'secret|Secret|key|Key|password|hash' --age $AGE_PUBLIC_KEY kubermatic/values.yaml

You should decrypt the whole file if you are willing to update some parts, otherwise sops will complain that there the file has already some encrypted values.