Back to the course
Test yourself

SOPS

Final exam · 13 questions · answers explained as you pick
Beginner
4 questions
01SOPS solves which problem?
Incorrect — unrelated.
Correct — ciphertext is safe to commit and review.
Incorrect — no.
Incorrect — no.
02Compared with base64 (k8s Secrets), SOPS…
Correct — security reduces to protecting the key.
Incorrect — no — encoding vs encryption.
Incorrect — the opposite.
Incorrect — it encrypts values.
03Partial encryption means…
Incorrect — no — structure stays readable.
Incorrect — no.
Correct — review that a secret changed without seeing it.
Incorrect — no.
04The everyday edit workflow is…
Incorrect — that leaves a plaintext file around; there is a cleaner way.
Correct — edit as plaintext; the file on disk stays encrypted.
Incorrect — you cannot meaningfully.
Incorrect — not how SOPS works.
4 questions · explanations appear as you answer
Intermediate
4 questions
01Why is cloud KMS generally stronger than an age key file for SOPS?
Correct — no key file to leak; access is controlled and logged.
Incorrect — not the point.
Incorrect — it needs cloud creds with kms:Decrypt.
Incorrect — no.
02.sops.yaml creation rules…
Incorrect — no.
Correct — contributors just run sops; the right recipients apply automatically.
Incorrect — no.
Incorrect — no.
03A too-narrow --encrypted-regex risks…
Incorrect — not the risk.
Incorrect — the opposite risk.
Correct — encrypt broadly by default and verify every secret shows ENC[...].
Incorrect — no.
04Removing a recipient with updatekeys…
Correct — they may hold an old copy or remember the value.
Incorrect — not by itself — rotate the secret too.
Incorrect — no.
Incorrect — no — that is a separate rotation.
4 questions · explanations appear as you answer
Advanced
5 questions
01In GitOps, SOPS lets Flux/Argo…
Incorrect — no.
Correct — ciphertext in Git; decryption in-cluster.
Incorrect — the opposite.
Incorrect — no.
02The safest way to give CI SOPS decrypt access is…
Incorrect — never.
Incorrect — a standing liability if the runner is compromised.
Correct — short-lived, audited; keep plaintext out of logs/artifacts.
Incorrect — leaks them.
03A subtle trap when Terraform reads a secret (e.g. via the Vault provider) is…
Correct — pulling from Vault removes it from .tf/tfvars but not from state — protect the backend.
Incorrect — it can, via the provider.
Incorrect — no.
Incorrect — no.
04How do SOPS and Vault differ?
Incorrect — no — different models.
Correct — SOPS = files + a key; Vault = infra + dynamic issuance/leasing.
Incorrect — no.
Incorrect — that is Vault’s job, not SOPS.
05The common thread across SOPS, Sealed Secrets, ESO, and Vault is…
Incorrect — all rely on a protected root of trust.
Incorrect — none is without you protecting the key/store.
Correct — choose for workflow; then guard whatever it makes central.
Incorrect — the opposite.
5 questions · explanations appear as you answer