Securing Secrets with Mozilla SopS and AGE: A Powerful Combo

Dec 1, 2023·
Georg Heiler
Georg Heiler
· 4 min read

With the ever-growing need to safeguard secrets and sensitive data, the challenge is to find tools that offer a balance between security and usability. One such pairing that stands out is Mozilla’s SopS in combination with AGE for encryption. In this blog post, we’ll dive deep into the benefits of this duo, touching on simplicity, version control, encryption, and even offer a hands-on example.

What is SopS?

SopS is a secret management tool developed by Mozilla. It’s designed for encrypting secrets in files that can be stored in a version control system like GIT. Rather than encrypting the entire file, SopS encrypts only the specific parts of a file that contain secrets, leaving the rest of the file (like structure and comments) in plain text. This means that you can still track changes and maintain version history without compromising security. Furthermore, SopS supports a variety of secret backends i.e. cloud KMS and Hashicorp vault. SopS additionally works in a binary mode where full files can be encrypted.

Introducing AGE

AGE (Actually Good Encryption) is a simple, modern and secure encryption tool with small explicit threat models. Built on the foundations of strong cryptographic primitives, AGE focuses on being simple to use while retaining powerful encryption capabilities.

Why Pair SopS with AGE?

  1. Simplicity: One of the primary benefits of using AGE is its simplicity. With a straightforward CLI and easy-to-understand encryption and decryption commands, it reduces the chance of human error. When integrated with SopS, you get the combined power of both tools intuitively.

  2. Version Control Compatibility: Since SopS encrypts only the secrets and not the entire file, it plays well with version control systems. You can visualize diffs, track changes, and maintain an audit trail of modifications without revealing the actual secrets.

  3. Strong Encryption: AGE boasts robust encryption capabilities. It uses modern encryption techniques, ensuring that your data remains confidential and safe from potential breaches.

Code Example: Encryption and Decryption with SopS and AGE

First, generate an AGE keypair:

age-keygen -o age.key

This will produce a public key string that you can use for encryption and a private key saved in age.key for decryption.

Next, use SopS to encrypt a file using the AGE public key:

sops --age age_public_key -e secrets.yaml > secrets.enc.yaml

Where age_public_key is the public key string generated in the first step and secrets.yaml is your plaintext file.

To decrypt the file, use:

sops --age age.key -d secrets.enc.yaml

And there you have it. The encrypted file (secrets.enc.yaml) can be safely stored in version control, while the original secrets remain safe and sound.

A 2nd example for docker-compose

The first example outlined the convenient structure-preserving encryption mechanisms for i.e. yaml files. Such files are oftentimes used for kubernets configuration or helm.

However, there are many smaller software projects out there potentially only based on docker compose and some .env files which hold the secrets. I have seen too many projects in the wild committing the .env files or other secrets accidentally to the repository. Instead, we can use the same mechanism as above to encrypt the .env files. However, there is no default parser for them. Instead, we can simply encrypt the files as binary files.

This is an example using a Makefile to encrypt and decrypt files in this way:

FILES_TO_ENCRYPT = .env


.PHONY: secrets-encrpyt
## encrypt secrets with SOPS and AGE
secrets-encrpyt:
	for file in $(FILES_TO_ENCRYPT); do \
		echo "Encrypting: $$file"; \
		sops --encrypt --age $(ASCII_SOPS_AGE_PUBLIC_KEY) --input-type binary --output-type binary $${file} > $${file}.enc; \
	done


.PHONY: secrets-decrypt
## encrypt secrets with SOPS and AGE
secrets-decrypt:
	export SOPS_AGE_KEY_FILE=key.txt; \
	for file in $(FILES_TO_ENCRYPT); do \
		echo "Decrypting: $$file"; \
		sops --decrypt --input-type binary --output-type binary $${file}.enc > $${file}; \
	done

Wrapping Up

The fusion of Mozilla’s SopS and AGE presents an elegant solution for the perennial problem of securely managing secrets in version-controlled environments. With simplicity, robust encryption, and seamless integration with VCS, this combination ensures that IT security is both formidable and manageable. If you’re on the hunt for a reliable and efficient method for safeguarding your secrets, it might be time to give this pair a try.


The image was generated using Firefly by Adobe. Parts of the text were neatly generated by ChatGPT.