Encrypt secrets with SOPS
Generate an age keypair and save it to age.agekey. The public key is used for encryption; keep the private key safe — you’ll need it to decrypt.
$ age-keygen -o age.agekey
Public key: age1helqcqsh9464r8chnwc2fzj8uv7vr5ntnsft0tn45v2xtz0hpfwq98cmsg
Store the private key as a Kubernetes secret in the flux-system namespace so Flux’s SOPS decryption provider can use it to decrypt manifests at apply time.
cat age.agekey |
kubectl create secret generic sops-age \
--namespace=flux-system \
--from-file=age.agekey=/dev/stdin
Encrypt a Kubernetes secret YAML in-place using SOPS. Only fields matching data or stringData are encrypted, leaving the rest of the manifest readable.
sops --age=age1helqcqsh9464r8chnwc2fzj8uv7vr5ntnsft0tn45v2xtz0hpfwq98cmsg \
--encrypt --encrypted-regex '^(data|stringData)$' --in-place basic-auth.yaml
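A check to run before committing, added here as an example and not part of the original page: it fails when a manifest still has plaintext under data or stringData, or lacks the sops metadata block that encryption appends. The function names check_sops_encrypted and make_samples are hypothetical, and the sample manifests are constructed with placeholder ciphertext.

```shell
#!/bin/sh
# Added example: fail if a Secret manifest still holds plaintext under data/stringData.
# Assumes a single-document YAML file with simple "key: value" leaves.
check_sops_encrypted() {
  awk '
    /^[^ #-][^:]*:/ {                      # top-level key: note which block we are in
      key = $0; sub(/:.*/, "", key)
      in_secret = (key == "data" || key == "stringData")
      if (key == "sops") has_sops = 1      # metadata block appended on encrypt
      next
    }
    in_secret && /^ +[^ #][^:]*: *[^ ]/ {  # indented "name: value" leaf
      val = $0; sub(/^[^:]*: */, "", val)
      if (val !~ /^ENC\[/) { print FILENAME ":" NR ": plaintext value"; bad = 1 }
    }
    END { if (!has_sops) print FILENAME ": no sops metadata block"
          exit (bad || !has_sops) }
  ' "$1"
}

# Constructed sample manifests (placeholder ciphertext, not real SOPS output).
make_samples() {
  dir=$1
  cat > "$dir/encrypted.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: basic-auth
stringData:
    username: ENC[AES256_GCM,data:Q09OU1RSVUNURUQ=,iv:AAAA,tag:BBBB,type:str]
    password: ENC[AES256_GCM,data:Q09OU1RSVUNURUQ=,iv:AAAA,tag:BBBB,type:str]
sops:
    encrypted_regex: ^(data|stringData)$
EOF
  cat > "$dir/plaintext.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: basic-auth
stringData:
    username: admin
    password: change-me
EOF
}

tmp=$(mktemp -d); make_samples "$tmp"
check_sops_encrypted "$tmp/encrypted.yaml" && echo "encrypted.yaml: ok"
check_sops_encrypted "$tmp/plaintext.yaml" || echo "plaintext.yaml: rejected"
rm -rf "$tmp"
```

The function returns non-zero on any finding, so it can gate a pre-commit hook or CI step for files such as basic-auth.yaml.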