Generate an age keypair and save it to age.agekey. The public key is used for encryption; keep the private key safe — you'll need it to decrypt.
```console
$ age-keygen -o age.agekey
Public key: age1helqcqsh9464r8chnwc2fzj8uv7vr5ntnsft0tn45v2xtz0hpfwq98cmsg
```
Store the private key as a Kubernetes secret in the flux-system namespace so Flux's SOPS decryption provider can use it to decrypt manifests at apply time.
```sh
cat age.agekey |
kubectl create secret generic sops-age \
  --namespace=flux-system \
  --from-file=age.agekey=/dev/stdin
```
Encrypt a Kubernetes secret YAML in-place using SOPS. Only fields matching data or stringData are encrypted, leaving the rest of the manifest readable.
```sh
sops --age=age1helqcqsh9464r8chnwc2fzj8uv7vr5ntnsft0tn45v2xtz0hpfwq98cmsg \
  --encrypt --encrypted-regex '^(data|stringData)$' --in-place basic-auth.yaml
```
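Because only `data` and `stringData` are encrypted, it is worth checking a manifest before committing it: the file should carry a top-level `sops:` block and every value in those two sections should start with `ENC[`. The script below is an added example, not part of the original note or of SOPS or Flux; `check_sops_secret` and `write_samples` are hypothetical helper names, and the sample manifests are constructed with placeholder ciphertext.

```shell
#!/bin/sh
# Added example: line-based check, not a full YAML parser.
# check_sops_secret FILE: exit 0 only if FILE has a top-level "sops:" block
# and every value under top-level data/stringData starts with "ENC[".
check_sops_secret() {
    awk '
        /^[^ \t#-][^:]*:/ {                       # top-level key starts a section
            section = $0; sub(/:.*/, "", section)
            if (section == "sops") has_sops = 1
            next
        }
        (section == "data" || section == "stringData") && /^[ \t]+[^ \t#][^:]*:/ {
            key = $0; sub(/:.*/, "", key); sub(/^[ \t]+/, "", key)
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
            if (value !~ /^ENC\[/) {              # report the key only, never the value
                plaintext++
                print FILENAME ": plaintext field " section "." key > "/dev/stderr"
            }
        }
        END { if (has_sops && !plaintext) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample manifests (ciphertext values are placeholders).
write_samples() {
    cat > "$1/encrypted.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: basic-auth
stringData:
    username: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
    password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
    encrypted_regex: ^(data|stringData)$
EOF
    # Same manifest with a field added in plaintext after encryption.
    awk '/^sops:/ { print "    token: not-encrypted" } { print }' \
        "$1/encrypted.yaml" > "$1/edited.yaml"
}

demo=$(mktemp -d) && write_samples "$demo"
for f in "$demo"/*.yaml; do
    if check_sops_secret "$f"; then echo "ok: ${f##*/}"; else echo "REJECT: ${f##*/}"; fi
done
rm -rf "$demo"
```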
Related Notes
- [[202601191659]] — Create 1Password token for ExternalSecrets
- [[202602151513]] — External secrets & 1Password ordering issue
- [[202603201327]] — Moving cluster to Hetzner (uses SOPS/Age)
- [[moc-security]]