Skip to content

Commit 3b973b6

Browse files
committed
Document how to encrypt and decrypt via pipes.
Signed-off-by: Felix Fontein <felix@fontein.de>
1 parent b93d1dd commit 3b973b6

File tree

1 file changed

+33
-1
lines changed

1 file changed

+33
-1
lines changed

README.rst

Lines changed: 33 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -323,7 +323,39 @@ Now you can encrypt a file using::
323323

324324
And decrypt it using::
325325

326-
$ sops --decrypt test.enc.yaml
326+
$ sops --decrypt test.enc.yaml
327+
328+
329+
Encrypting and decrypting from other programs
330+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
331+
332+
When using ``sops`` in scripts or from other programs, there are often situations where you do not want to write encrypted or decrypted data to disk. The best way to avoid this is to pass data to SOPS via stdin, and to let SOPS write data to stdout. By default, the encrypt and decrypt operations write data to stdout already. To pass data via stdin, you need to pass ``/dev/stdin`` as the input filename. Please note that this only works on Unix-like operating systems such as macOS and Linux. On Windows, you have to use named pipes.
333+
334+
To decrypt data, you can simply do:
335+
336+
.. code:: sh
337+
338+
$ cat encrypted-data | sops --decrypt /dev/stdin > decrypted-data
339+
340+
To control the input and output format, pass ``--input-type`` and ``--output-type`` as appropriate. By default, ``sops`` determines the input and output format from the provided filename, which is ``/dev/stdin`` here, and thus will use the binary store which expects JSON input and outputs binary data on decryption.
341+
342+
For example, to decrypt YAML data and obtain the decrypted result as YAML, use:
343+
344+
.. code:: sh
345+
346+
$ cat encrypted-data | sops --input-type yaml --output-type yaml --decrypt /dev/stdin > decrypted-data
347+
348+
To encrypt, it is important to note that SOPS also uses the filename to look up the correct creation rule from ``.sops.yaml``. Likely ``/dev/stdin`` will not match a creation rule, or only match the fallback rule without ``path_regex``, which is usually not what you want. For that, ``sops`` provides the ``--filename-override`` parameter which allows you to tell SOPS which filename to use to match creation rules:
349+
350+
.. code:: sh
351+
352+
$ echo 'foo: bar' | sops --filename-override path/filename.sops.yaml --encrypt /dev/stdin > encrypted-data
353+
354+
SOPS will find a matching creation rule for ``path/filename.sops.yaml`` in ``.sops.yaml`` and use that one to encrypt the data from stdin. This filename will also be used to determine the input and output store. As always, the input store type can be adjusted by passing ``--input-type``, and the output store type by passing ``--output-type``:
355+
356+
.. code:: sh
357+
358+
$ echo foo=bar | sops --filename-override path/filename.sops.yaml --input-type dotenv --encrypt /dev/stdin > encrypted-data
327359
328360
329361
Encrypting using Hashicorp Vault

0 commit comments

Comments
 (0)