A Weekend With sops and age

-Ben

They seem almost too easy. It’s safe to git commit my secrets now? A keyfile can really be that easy to read? I looked into sops and age this weekend and like what I found. I host a little wedding countdown timer for my family weddings. The data isn’t super secret, but I also don’t need to make it super public. So I’ve kept it out of version control. I deploy from my own machine, so it just lived there for a while. Then I wrote a script to load it from my password manager.

But sops takes a different approach. As a CNCF Sandbox project donated by Mozilla, it encrypts the values inside a structured file while leaving the file in that same format. The keys (the field names, not the crypto keys) stay in plaintext, so it’s easy to see what has changed in a diff. Then, because the values are all encrypted, you can just commit the file to your git repo!

Editing happens with the sops command, which decrypts the file and opens it in your editor, then re-encrypts it when you close the editor. Pretty snazzy! sops does the structured part, but what keys do you encrypt with? sops integrates with a lot of cloud options, but age caught my eye. It’s a single Go binary with short keys and can also use ssh keys. Public keys go in .sops.yaml for sops to load, listed under the age key. Then when decrypting, age private keys live in ~/.config/sops/age/keys.txt. All your keys in a simple text file with comments!

The combo really shines when you realize you can encrypt with multiple public keys. I followed parts of this dchost tutorial and want to continue with the systemd stuff too.

Send your coworkers encrypted messages

GitHub lets you easily download anyone’s public ssh keys from https://github.com/<username>.keys. You can download the keys for all of your coworkers, then encrypt a message that any of them can decrypt with the ssh key they already use for GitHub! Not a long term solution, maybe, but pretty cool that it’s so simple.

echo "secret message" > msg # put secret message in here
mkdir -p keylists/
# can repeat with multiple coworkers
curl -L https://github.com/<username>.keys > keylists/<username>
cat keylists/* | age --encrypt --armor -R - msg > msg.age

Send it in any text channel (Slack? WhatsApp? IRC?) and let them decrypt!

age --decrypt -i ~/.ssh/gh msg.age # will print to terminal
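The same workflow as a script, added here as an example and not code from the original post. It assumes curl and age are installed, uses placeholder usernames, and adds the check the manual steps above skip: age only accepts ssh-ed25519 and ssh-rsa keys as recipients, and a GitHub user’s key list may also contain ecdsa or FIDO (sk-*) keys that make age reject the whole recipients file.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Builds an age recipients
# file from GitHub users' SSH keys, keeping only key types age can encrypt to.
# Assumes curl and age are installed; usernames in comments are placeholders.
set -eu

# age recipients may be ssh-ed25519 or ssh-rsa public keys. Other types that
# GitHub may serve (ecdsa-sha2-*, sk-* FIDO keys) make age reject the
# recipients file, so they are filtered out before encrypting.
filter_age_recipients() {
  # stdin: OpenSSH public key lines; stdout: only age-compatible lines
  awk '$1 == "ssh-ed25519" || $1 == "ssh-rsa" { print }'
}

fetch_github_keys() {
  # $1: GitHub username; prints that user's public keys (may be empty)
  curl -fsSL "https://github.com/$1.keys"
}

build_recipients() {
  # $1: output recipients file; remaining args: GitHub usernames
  local out="$1"; shift
  : > "$out"
  for user in "$@"; do
    fetch_github_keys "$user" | filter_age_recipients >> "$out"
  done
  # An empty recipients file must be an error, not a silent no-op.
  [ -s "$out" ] || { echo "no age-compatible keys found" >&2; return 1; }
  awk 'END { print NR }' "$out"   # number of recipients written
}

# Constructed sample of what a .keys endpoint might return (not real keys).
SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE1 alice@laptop
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYEXAMPLE2 alice@yubikey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE3 alice@desktop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5EXAMPLE4 alice@fido'

count_usable_sample_keys() {
  # Offline check of the filter against SAMPLE_KEYS: 2 of the 4 lines survive.
  printf '%s\n' "$SAMPLE_KEYS" | filter_age_recipients | awk 'END { print NR }'
}

# Usage (network required):
#   build_recipients recipients.txt alice bob      # placeholder usernames
#   age --encrypt --armor -R recipients.txt msg > msg.age
#   age --decrypt -i ~/.ssh/id_ed25519 msg.age
```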

I would print you an example, but I don’t know you yet! It’s so much simpler than gpg or any other provider I’ve used. Maybe I’ll use it in more places. sops has some other cool features like exec-env and exec-file, which seem like really cool ways to never need to decrypt the file on your machine at all. One less operational worry!

Enjoy explaining both of these names to your coworkers; hopefully they’ll be happy using the tools no matter how they decide to pronounce them.