The Lens

SOPS encrypts secret values in your config files while leaving field names in plain text, so you can safely store secrets in git. You can see that a file has a `database_password` field, but the value is encrypted gibberish until you decrypt it.

This is elegant because your secrets live in version control alongside your code. No separate secrets server, no external service, no extra infrastructure. The encrypted files are diffable in git. You can see that someone changed the database password even though you can't read the new value.

SOPS supports AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault, and age (a simple file-based key) for encryption. It works with YAML, JSON, ENV, and INI files. The workflow: edit the file with `sops secrets.yaml`, it decrypts in your editor, you make changes, it re-encrypts on save.

The catch: SOPS is for storing secrets, not managing access to them. There's no audit log of who accessed what, no dynamic credential rotation, no fine-grained permissions. For a team of 3 sharing a dozen secrets, SOPS is perfect. For a team of 50 with compliance requirements, you need Vault. Also, key management is on you; if you lose your encryption key and don't have KMS, your secrets are gone forever.