sopsy — encrypted team secrets in Git, unlocked with Touch IDcrates.io ↗GitHub ↗
A CLI for SOPS · age · Apple Secure Enclave<br>YubiKey Linux Support Coming Soon<br>Encrypted secrets you can actually commit to Git.<br>Decrypt with Touch ID
Plaintext is never in the repo, never in Slack. Sleep soundly at night.<br>sopsy encrypts the secrets in your .env, .yml, and .json files — values only, names left in the clear. The file stays diffable and git blame-able, so you can see exactly when each key appeared and who added it, then commit the whole thing without flinching. Every teammate's key is minted inside their Mac's Secure Enclave.
Secrets decrypt only on Touch ID, unless you used the --without-touch-id flag when you join. The private key never leaves the chip, and any current member can grant the next one access. No server. No subscription. No plaintext in Slack — or anywhere for that matter.<br>$brew install kigster/tap/sopsycopy<br>$cargo install sopsycopy
See the 60-second setup ↓
~/my-app — sopsy<br>sopsy init bootstrapping your encrypted repository ✔ git repository ✔ found sops > Generate a Secure Enclave identity? Yes ✔ created Secure Enclave identity (Touch ID) ℹ private key never leaves the Enclave ➜ public recipient age1se1q2a48h0242huw4… > Your name (key owner): Konstantin ✔ .sops.yaml ✔ .env.example ✔ .env.encrypted ✔ .gitignore ✔ .sopsy.yml ✔ .sopsy.sha > Set up a break-glass emergency key? Yes ✔ wrote break-glass.private + .public ⚠ store both offline in 1Password, then continue press ENTER once the keys are saved … ✔ removed local key files ✔ recorded break-glass in both config files ✔ repository bootstrapped
Built on SOPS + age — the encryption tools teams already trust. sopsy just makes them delightful.<br>crate v1.1 CI passing license MIT / Apache-2.0 🍎 Apple Silicon key never leaves the chip
✦SOPS encryption engine ✦age cryptography ✦age-plugin-se ✦Secure Enclave ✦Touch ID gated ✦Git-committed ciphertext ✦Zero plaintext leaks ✦Scriptable in CI ✦Self-service onboarding ✦Built-in audit trail ✦Tamper-evident config ✦SOPS encryption engine ✦age cryptography ✦age-plugin-se ✦Secure Enclave ✦Touch ID gated ✦Git-committed ciphertext ✦Zero plaintext leaks ✦Scriptable in CI ✦Self-service onboarding ✦Built-in audit trail ✦Tamper-evident config
Quick start<br>From zero to a whole team in seven steps.<br>Start (or enter) a git repository<br>git init my-app && cd my-app
Bootstrap everything<br>sopsy init — tools check, Secure Enclave identity, config files.
Put real secrets in<br>sopsy edit .env.encrypted decrypts to your editor and re-encrypts on save.
Verify hygiene before you commit<br>sopsy check — the same command your CI runs.
Commit the encrypted artifacts<br>git add .sops.yaml .sopsy.yml .sopsy.sha .env.example .env.encrypted .gitignore — plaintext .env is already gitignored. Push the ciphertext with confidence.
A teammate joins (self-service)<br>The new dev clones the repo and runs sopsy join "Alan Turing" — mints their own Secure Enclave key with Touch ID and records a pending request. They commit and open a PR.
An existing member approves<br>Any current member runs sopsy approve "Alan Turing" — vouches for the key, promotes it into .sops.yaml, and re-keys every secret. Who approved, and when, is recorded in .sopsy.yml — sopsy recipient list shows the whole audit trail. Now Alan can decrypt.
Watch the entire process live just below…
sopsy does not replace SOPS. It makes SOPS delightful.<br>🔑sopsy joinGenerate<br>age-plugin-se mints your keypair via Touch ID. The private key is sealed in the Secure Enclave; your public key is recorded pending in .sopsy.yml.
✅sopsy approveVouch & approve<br>You open a PR; any active member vouches and promotes your public key from pending into .sops.yaml’s recipient list — recording who approved you, and when, in .sopsy.yml.
🔁sops updatekeysRe-key secrets<br>Every encrypted file is re-wrapped for the new recipient set — so your key, and only listed keys, can open them.
✏️sopsy editEdit & commit<br>git pull, then Touch ID decrypts into your editor and re-encrypts on save. Commit the ciphertext; plaintext .env stays gitignored.
SOPS stays the encryption engine. age stays the cryptography. The Secure Enclave holds the private key.<br>sopsy orchestrates all three with safe defaults, great diagnostics, and a scriptable interface — so the right thing is finally the easy thing.
Why not just use sops?<br>You already can. sopsy removes the thirteen ways you can get it wrong.
Everything here runs sops + age under the hood. The difference is the friction — the steps you have to remember, the flags you have to know, and the safety rails that aren't there until you build them.
Task<br>raw sops + age<br>with sopsy
Bootstrap a repo<br>✕Hand-write .sops.yaml creation_rules, craft .gitignore rules, build .env.example, then encrypt by hand.
→One idempotent command writes every file and seeds an encrypted .env.encrypted for you.
sopsy init
Get a hardware identity<br>✕Run age-plugin-se keygen, copy the public key, paste it into config...