
How to add and update encrypted files

This guide assumes SOPS and age are already set up on your machine. If not, follow How to set up SOPS with age keys first.

Add a new encrypted file

Open SOPS on the new filename directly — SOPS will create the file if it does not exist:

```sh
sops integrationm/scripts/secrets.groovy.enc
```

Write the content in the editor and save. SOPS encrypts using the rules defined in .sops.yaml and writes integrationm/scripts/secrets.groovy.enc. Commit and deploy as usual:

```sh
git add integrationm/scripts/secrets.groovy.enc
git commit
```

On the next cob-cli deploy, the .enc file is transferred to the server and decrypted automatically. The server will have both integrationm/scripts/secrets.groovy.enc and integrationm/scripts/secrets.groovy in the live directory.

Convert an existing cleartext file

If a file is already in the repository and on the server in plaintext, use this process to encrypt it without disrupting the running application.

Encrypt the existing file and remove the plaintext from the repository:

```sh
sops --encrypt integrationm/scripts/secrets.groovy > integrationm/scripts/secrets.groovy.enc
git rm integrationm/scripts/secrets.groovy
git add integrationm/scripts/secrets.groovy.enc
git commit
```

On the next deploy, the .enc file is uploaded and cob-decrypt produces integrationm/scripts/secrets.groovy on the server, replacing the previous cleartext version. The application sees no interruption.

Note: The cleartext file remains in the git history. Anyone with access to the repository can still read the secrets from previous commits. All secrets in the file should be rotated after this change is deployed.
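Two mistakes this conversion can leave behind are a cleartext sibling that was never removed with git rm, and a file that was only renamed to .enc without ever going through sops --encrypt. The following check script is an added example, not part of this guide or of cob-cli; it assumes the <name>.enc naming convention used above and that SOPS output carries its usual ENC[AES256_GCM, value wrapper and sops metadata block.

```sh
#!/bin/sh
# Added example: a pre-commit style check for a SOPS-managed tree.
# It reports (1) *.enc files that do not look SOPS-encrypted and
# (2) cleartext siblings (foo.groovy beside foo.groovy.enc).
# Assumptions: files follow the <name>.enc convention from the guide, and
# SOPS output contains "ENC[AES256_GCM," plus a "sops" metadata block
# (JSON for binary files such as .groovy, YAML for YAML files).

# Return 0 when the file carries SOPS ciphertext markers, 1 otherwise.
looks_sops_encrypted() {
    grep -q 'ENC\[AES256_GCM,' "$1" && grep -Eq '"sops"|^sops:' "$1"
}

# Scan a directory tree, print one line per problem found,
# and return 1 if anything was reported (0 when the tree is clean).
check_sops_tree() {
    dir="$1"
    problems=0
    # Here-document instead of a pipe so $problems survives the loop.
    while IFS= read -r enc; do
        [ -n "$enc" ] || continue
        if ! looks_sops_encrypted "$enc"; then
            echo "NOT-ENCRYPTED: $enc"
            problems=$((problems + 1))
        fi
        plain="${enc%.enc}"
        if [ -e "$plain" ]; then
            echo "CLEARTEXT-SIBLING: $plain"
            problems=$((problems + 1))
        fi
    done <<EOF
$(find "$dir" -type f -name '*.enc')
EOF
    [ "$problems" -eq 0 ]
}

# Usage as a pre-commit hook (assumption: run from the repository root):
#   check_sops_tree . || exit 1
```

Run it from the repository root before committing; a non-zero exit means either an unencrypted .enc file or a leftover cleartext file needs attention.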

Update an existing encrypted file

The simplest way to edit an encrypted file is to let SOPS decrypt it, open it in your editor, and re-encrypt it on save:

```sh
sops integrationm/scripts/secrets.groovy.enc
```

When you close the editor, SOPS writes the updated encrypted content back to integrationm/scripts/secrets.groovy.enc. Commit and deploy as usual.