Identities

SOPS supports PGP, age, various KMSes, and key groups to give access to SOPS encrypted files.
PGP / GnuPG

You can use PGP / GnuPG to encrypt data.

Age

You can use age keys to encrypt data.

Amazon AWS KMS

You can use Amazon AWS’ KMS to encrypt data.

Azure KMS

You can use Azure’s KMS to encrypt data.

Google Cloud KMS

You can use Google Cloud’s KMS to encrypt data.

HashiCorp Vault / OpenBao

You can use HashiCorp Vault or OpenBao to encrypt data.

HuaweiCloud KMS

You can use HuaweiCloud’s KMS to encrypt data.

Key groups

Key groups allow to require multiple identities together to edit or decrypt a file.

Config file

How to use .sops.yaml config files to select which identities to use for new files.

Last modified May 15, 2026: Add page descriptions. (533bbed)