CoursesSOPSIntermediate

.sops.yaml creation rules

Automate which key encrypts what.

Intermediate12 min · lesson 6 of 12

Running sops -e with the right recipients by hand for every file is error-prone, so SOPS reads a .sops.yaml config from the repo that declares creation rules: which key(s) to encrypt with, and which encrypted-regex to apply, based on the file path or a regex. With it in place, a contributor just runs sops <file> and the correct keys and settings are applied automatically — no one has to remember the right --age or --kms flag.

CREATION RULES: FIRST MATCH WINS
1Run sops <file>
contributor needs no --age/--kms flag
2Read .sops.yaml
walk creation_rules top to bottom
3Match path_regex
first rule whose regex matches the path
4Apply that rule
its keys + encrypted_regex
5Encrypt to correct recipients
prod path -> prod key
Order rules most-specific to most-general, or a broad rule can catch prod files meant for a stricter key.
.sops.yaml
creation_rules:
# prod files -> the prod KMS key
- path_regex: secrets/prod/.*\.yaml$
kms: arn:aws:kms:us-east-1:...:key/prod-key
# everything else -> the team age key
- path_regex: .*\.yaml$
age: age1team...,age1backup...
encrypted_regex: '^(password|token|.*_key)$'

Consistency and correctness

The .sops.yaml is where you enforce your scheme: prod secrets always go to the prod key, dev to the dev key, the right fields always get encrypted. It removes the human step where mistakes happen (wrong key, missed field). Commit it to the repo so the rules travel with the code and every contributor — and every automated re-encrypt — uses the same recipients. It is the equivalent of a policy for how secrets in this repo are encrypted.

Match rules to paths carefully — the first match wins
SOPS applies the first creation rule whose path_regex matches, so rule order and regex precision matter: a broad rule placed first can catch prod files meant for a stricter key, encrypting them to the wrong (perhaps broader) recipients. Order rules from most specific to most general, test that a prod path resolves to the prod key (sops -e then inspect the recipients), and review .sops.yaml changes as carefully as the secrets themselves.