CoursesSOPSBeginner

Editing & the workflow

sops <file> and diffs.

Intermediate10 min · lesson 4 of 12

The everyday workflow is not encrypt/decrypt by hand but sops <file>, which opens the encrypted file in your editor decrypted, and re-encrypts it automatically when you save. You edit secrets as if they were plaintext, but the file on disk (and in Git) stays encrypted the whole time — SOPS decrypts into a temp buffer, lets you edit, and re-encrypts on save. This is what makes living with encrypted secrets practical.

THE sops <file> EDIT CYCLE
1Encrypted file at rest
ENC[...] values committed in Git
2sops <file>
decrypts into a temp buffer
3Edit in $EDITOR
change values as normal YAML
4Save & quit
SOPS re-encrypts automatically
5File stays encrypted
git diff shows which value changed
Plaintext exists only transiently in a temp buffer; the file in Git stays encrypted throughout.
terminal
$ sops secrets.enc.yaml # opens decrypted in $EDITOR; re-encrypts on save
# add/change a value like normal YAML, save, quit — the file stays encrypted
$ git diff secrets.enc.yaml # shows a meaningful diff: which ENC[...] value changed

Diffs and review

Because structure stays readable, Git diffs show which keys were added or changed even though values are ciphertext — enough for a reviewer to sanity-check a secret change (“this PR rotates db_password and adds redis_password”) without seeing the values. For deeper review, SOPS integrates with git so tooling can show a decrypted diff to authorized reviewers. The result is that secret changes go through the same PR review as everything else, with the values protected.

.gitattributes
# optional: let `git diff` show a decrypted diff for authorized users
secrets.enc.yaml diff=sopsdiffer
# git config diff.sopsdiffer.textconv "sops -d"
A crashed editor can leave a plaintext temp file
sops <file> decrypts into a temporary file for editing; a crash or a kill mid-edit can, in rare cases, leave a decrypted temp behind. Use SOPS from a machine you trust, be aware of where your editor writes temp/swap files, and never point sops at a file synced to a cloud drive that might capture the plaintext buffer. The convenience of in-place editing means plaintext exists transiently — keep that transient exposure on trusted ground.