SOPS · JSON Structure
Sops Config Structure
Structure of a .sops.yaml configuration file for SOPS creation rules and key management
Type: object
Properties: 0
Secrets Management · Encryption · Configuration Management · DevOps · Security · Kubernetes · CNCF
Sops Config Structure is a JSON Structure definition published by SOPS.
Meta-schema:
JSON Structure
{
"title": "SOPS Configuration Structure",
"description": "Structure of a .sops.yaml configuration file for SOPS creation rules and key management",
"type": "object",
"fields": [
{
"name": "creation_rules",
"type": "array",
"description": "Rules governing which keys to use when creating new encrypted files",
"items": {
"type": "object",
"fields": [
{
"name": "path_regex",
"type": "string",
"description": "Regular expression matched against a file's path to decide whether this rule applies; rules are evaluated in order and the first matching rule is used"
},
{
"name": "kms",
"type": "string",
"description": "Comma-separated list of AWS KMS key ARNs"
},
{
"name": "gcp_kms",
"type": "string",
"description": "Comma-separated list of GCP KMS resource IDs"
},
{
"name": "azure_keyvault",
"type": "string",
"description": "Azure Key Vault key URL"
},
{
"name": "age",
"type": "string",
"description": "Comma-separated list of age public keys"
},
{
"name": "pgp",
"type": "string",
"description": "Comma-separated list of PGP fingerprints"
},
{
"name": "encrypted_regex",
"type": "string",
"description": "Regex matching YAML/JSON keys whose values should be encrypted; values under keys that do not match are left in plaintext"
},
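{
"name": "unencrypted_regex",
"type": "string",
"description": "Regex matching YAML/JSON keys whose values should NOT be encrypted; values under all other keys are encrypted. Cannot be combined with encrypted_regex in the same rule"
},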
{
"name": "key_groups",
"type": "array",
"description": "Key groups for Shamir's Secret Sharing: the data key is split across the groups, so keys from several groups are needed to decrypt",
"items": {
"type": "object",
"fields": [
{ "name": "kms", "type": "array", "items": "object" },
{ "name": "pgp", "type": "array", "items": "string" },
{ "name": "age", "type": "array", "items": "string" }
]
}
},
{
"name": "shamir_threshold",
"type": "integer",
"description": "Minimum number of key groups required for decryption"
}
]
}
}
]
}