Editing & the workflow
sops <file> and diffs.
The everyday workflow is not encrypt/decrypt by hand but sops <file>, which opens the encrypted file in your editor decrypted, and re-encrypts it automatically when you save. You edit secrets as if they were plaintext, but the file on disk (and in Git) stays encrypted the whole time — SOPS decrypts into a temp buffer, lets you edit, and re-encrypts on save. This is what makes living with encrypted secrets practical.
$ sops secrets.enc.yaml # opens decrypted in $EDITOR; re-encrypts on save# add/change a value like normal YAML, save, quit — the file stays encrypted$ git diff secrets.enc.yaml # shows a meaningful diff: which ENC[...] value changed
Diffs and review
Because structure stays readable, Git diffs show which keys were added or changed even though values are ciphertext — enough for a reviewer to sanity-check a secret change (“this PR rotates db_password and adds redis_password”) without seeing the values. For deeper review, SOPS integrates with git so tooling can show a decrypted diff to authorized reviewers. The result is that secret changes go through the same PR review as everything else, with the values protected.
# optional: let `git diff` show a decrypted diff for authorized userssecrets.enc.yaml diff=sopsdiffer# git config diff.sopsdiffer.textconv "sops -d"