SOPS

Encrypt files in Git with KMS/age/PGP — secrets management without a server

22k Go MPL-2.0 1 month ago

Overview

SOPS (Secrets OPerationS) is a CNCF tool for managing secrets by encrypting individual values inside YAML, JSON, ENV, and other files, so secrets can live safely in Git. It integrates with AWS/GCP/Azure KMS, age, and PGP for key management and is widely used in GitOps and infrastructure-as-code workflows. There is no server to run — it is a CLI/library.

Key features

  • Encrypts individual values inside YAML, JSON, ENV, and other files
  • Integrates with AWS, GCP, and Azure KMS plus age and PGP for key management
  • Lets encrypted secrets live safely in Git for GitOps workflows
  • Operates as a CLI and library with no server to run

Our take

SOPS solves a very specific problem well: it encrypts the values inside structured config files so secrets can sit in Git without being exposed, while the key names stay in plaintext so the files remain diffable. Because it's a CNCF CLI and library with no server, the operational burden is near zero, which is reflected in its 1/5 difficulty rating and is the whole reason it's so popular in GitOps and IaC pipelines. Its KMS, age, and PGP integrations mean you can lean on cloud key management you may already run. The important caveat is that SOPS is not a Vault replacement in scope: it has no dynamic secrets, leasing, revocation, or audit server, so calling it an alternative to HashiCorp Vault only holds for the static-secrets-in-files use case. If that's your need, it's close to ideal; if you need centralized runtime secret brokering, you'll still want something else.

Ideal for: Infrastructure and platform engineers running GitOps or IaC who want secrets in version control without standing up a Vault server.

Where it falls short of HashiCorp Vault

  • Not a centralized secrets server: no dynamic secrets, leasing, revocation, or audit log like Vault
  • Requires an external key provider (KMS/age/PGP) and disciplined key management
  • No UI, access policies, or web dashboard
  • Suited to config-file secrets in Git, not runtime secret brokering

We list the gaps honestly so you can decide if the trade-off is worth owning your data.

Tags

secrets, gitops, encryption, kms, age, cncf

Similar open-source projects

Other self-hostable tools in the same space worth comparing.

  • Vaultwarden: Lightweight Bitwarden-compatible server written in Rust, perfect for self-hosting (50k, Rust, AGPL-3.0, 5 days ago, difficulty 2/5)
  • Infisical: Open-source secrets management platform for developers and teams (19k, TypeScript, MIT, 3 days ago, difficulty 3/5)
  • Bitwarden Server: Official open-source server for the Bitwarden password manager (17k, C#, AGPL-3.0, 5 days ago, difficulty 3/5)
  • OpenBao: Open-source secrets management forked from HashiCorp Vault under the Linux Foundation (6.5k, Go, MPL-2.0, 26 days ago, difficulty 4/5)