sops

Secrets file CLI for encrypting, decrypting, rotating, and editing YAML, JSON, dotenv, INI, and binary files with age, PGP, Vault, or cloud KMS keys.

$ brew install sops

Language: Go
Stars: 21,096
Category: Security
Agent: Ready

AI Analysis

sops manages secrets stored in regular files by encrypting the sensitive values while keeping surrounding YAML, JSON, dotenv, or INI structure intact. It supports age, PGP, Vault transit, and several cloud KMS backends, so teams can keep secrets in Git and still operate on them from the shell.

What It Enables
  • Encrypt and decrypt structured secret files without flattening them into a separate secrets store, so they remain reviewable and versionable.
  • Rotate data keys, add or remove recipients, and update key groups across existing files with rotate, updatekeys, and .sops.yaml rules.
  • Set or unset specific document paths, inject decrypted values into subprocess environments or temp files, and publish re-encrypted material to S3, GCS, or Vault.

Agent Fit
  • Core commands take explicit files, stdin/stdout, and flags, so decrypt, set, unset, rotate, updatekeys, and the exec helpers fit shell scripts and CI well.
  • Machine-readable output exists, but it is limited: filestatus emits JSON while most other commands return file contents or human-oriented errors.
  • Best as a local secrets primitive inside a larger workflow, especially when a skill supplies the right key sources, paths, and .sops.yaml conventions.

Caveats
  • Many useful flows depend on external credentials or local key material for age, PGP, Vault, or cloud KMS backends.
  • sops edit is editor-driven and some key-update flows prompt unless you opt into non-interactive flags, so unattended automation should stick to the non-interactive subcommands.