# ol.sops

An extremely tiny and simple wrapper around the awesome sops (previously known as mozilla/sops)

## ol.sops

# ol.sops

## sops

```clojure
(sops cmd)
(sops cmd args-or-opts)
(sops cmd args & opts)
```

A simple wrapper around babashka.process for calling sops.

You can call `sops` like this:

(sops :command ["args vector"] :opt "value" :opt2 "value2")

There are several special opts, that are handled by ol.sops:
:in - An input stream than can be passed to sops
:out - :string if you want to get a string back, nil (the default) will return an output stream you can slurp
:dir - The working directory. Defaults to the current working directory
:sops-path - Path to the sops binary. Defaults to `sops`
:env - a map of environment variables that are passed to the process

All other opts are passed to the `sops` CLI. Consult `sops CMD --help` to see available options.
To pass flags like `--verbose` use `:verbose true`. Always use full names of the options, not the short versions like -v.

Refer to `babashka.process/process` for the exact behavior of: :in, :out, :dir, and the exact nature of the return value.

Returns a record with (among other things, see `babashka.process/process`):
 - `:out` the output stream
 - `:exit` the exit code of sops
 - `:err` a string containing the stderr output from sops, if any

If you `clojure.core/deref` the record, then it will block until the process has exited.
If you slurp from the out stream, it will also block until the process has exited.

Usage examples
--------------
Decrypt file in place
@(sops :decrypt ["secrets.sops.yaml"] :in-place)

Decrypt file to a string
(slurp (:out (sops :decrypt ["secrets.sops.yaml"])))

[source,window=_blank](https://github.com/outskirtslabs/sops/blob/v0.1.x/src/ol/sops.clj#L6-L46)

---

## decrypt-file-to-str

```clojure
(decrypt-file-to-str file opts)
```

Decrypts the path `file` and returns the output as a string. Sugar over [`sops`](#sops).

Options:
- `:input-type` - Override file type detection (yaml, json, env, ini, binary)
- `:output-type` - Override output format (yaml, json, env, ini, binary)
- Other SOPS options as documented in `sops decrypt --help`

Example:
```clojure
(decrypt-file "secrets.sops.yaml" {})
(decrypt-file "secrets.enc" {:input-type "yaml" :output-type "json"})
```

[source,window=_blank](https://github.com/outskirtslabs/sops/blob/v0.1.x/src/ol/sops.clj#L48-L62)

---

## encrypt-to-file

```clojure
(encrypt-to-file file plaintext opts)
```

Encrypts `plaintext` string and writes encrypted content to `file`. Sugar over [`sops`](#sops).

The `file` path is used to match creation rules in `.sops.yaml` and determine the file format.

Options:
- `:age` - Age recipient(s) to encrypt for (can be a single string or vector of strings)
- `:pgp` - PGP fingerprint(s) to encrypt for (can be a single string or vector of strings)
- `:gcp-kms` - GCP KMS resource ID(s) to encrypt with (can be a single string or vector of strings)
- `:azure-kv` - Azure Key Vault URL(s) to encrypt with (can be a single string or vector of strings)
- `:kms` - AWS KMS ARN(s) to encrypt with (can be a single string or vector of strings)
- `:aws-profile` - The AWS profile to use for requests to AWS
- Other SOPS options as documented in `sops encrypt --help`

Example:
```clojure
(encrypt-to-file "secrets.sops.yaml" "foo: bar"  {:age "age1..."})
```

[source,window=_blank](https://github.com/outskirtslabs/sops/blob/v0.1.x/src/ol/sops.clj#L64-L83)

---

## with-process-opts

_macro_

```clojure
(with-process-opts env-map & body)
```

An escape hatch that executes body with additional babashka/process options merged into the process call.

Example:
```clojure
;; Override the environemnt
(with-process-opts {:extra-env {:SOPS_AGE_KEY_FILE "/some/path/to/keys.txt"}}
  (sops :decrypt ["secrets.yaml"]))
```

[source,window=_blank](https://github.com/outskirtslabs/sops/blob/v0.1.x/src/ol/sops.clj#L85-L96)

## Changelog

# Changelog

All notable changes to this project will be documented in this file.

This project uses https://www.taoensso.com/break-versioning[*Break
Versioning*].

## ++[++UNRELEASED++]++

## `v0.1.0` (2025-10-03)

This is the first public release of this codebase under the `ol.sops`
name.

Please report any problems and let me know if anything is unclear,
inconvenient, etc. Thank you! 🙏

## <code>ol.sops</code>

# `ol.sops`

> An extremely tiny and simple wrapper around the awesome sops (previously
> known as mozilla/sops)

![doc](https://img.shields.io/badge/doc-outskirtslabs-orange.svg)
![status: maturing](https://img.shields.io/badge/status-maturing-yellow.svg)
![alt=built with garnix](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Fgarnix.io%2Fapi%2Fbadges%2Foutskirtslabs%2Fsops)
https://clojars.org/com.outskirtslabs/sops[image:https://img.shields.io/clojars/v/com.outskirtslabs/sops.svg[Clojars
Project]]

This is intended for [babashka](https://babashka.org/) and JVM clojure and
provides an idiomatic and data driven wrapper around the CLI tool.

Project status: **[Maturing](https://docs.outskirtslabs.com/open-source-vital-signs#maturing)**.

## Installation

```clojure
{:deps {com.outskirtslabs/sops {:mvn/version "0.1.0"}}}

;; Leiningen
[com.outskirtslabs/sops "0.1.0"]
```

## Quick Start

```clojure
(ns myapp.core
  (:require [ol.sops :as sops]))
  

;; decrypt a sops file to string
(sops/decrypt-file-to-str "dev/test.sops.yml"
                          {:env {"SOPS_AGE_KEY_FILE" "dev/keys.txt"}})
;; => "hello: world\n"

;; encrypt a plaintext to a sfile
@(sops/encrypt-to-file "output.sops.json"
                       (edn->json {:foo "bar"})
                       {:age "age15905pjs5av9nyh8rdt4zrzn7x0mdud20eyf7tsvz63mygvsfhd9sclsh94"})
```

## Documentation

* [Docs](https://docs.outskirtslabs.com/ol.sops/0.1/)
* [API Reference](https://docs.outskirtslabs.com/ol.sops/0.1/api)
* [Support via GitHub Issues](https://github.com/outskirtslabs/sops/issues)

## Security

See [here](https://github.com/outskirtslabs/sops/security) for security
advisories or to report a security vulnerability.

## License

Copyright © 2025 Casey Link casey@outskirtslabs.com

Distributed under the [MIT License](./LICENSE)

## Security policy

# Security policy

## Advisories

All security advisories will be posted
https://github.com/outskirtslabs/sops/security/advisories[on
GitHub].

## Reporting a vulnerability

Please report possible security vulnerabilities
https://github.com/outskirtslabs/sops/security/advisories[via
GitHub], or by emailing me at `casey@outskirtslabs.com`. You may encrypt
emails with [my public PGP key](https://casey.link/pgp.asc).

For the organization-wide security policy, see
[Outskirts Labs Security Policy](https://docs.outskirtslabs.com/security-policy).

Thank you!

— [Casey Link](https://casey.link)

## ol.sops

# ol.sops

## sops

```clojure
(sops cmd)
(sops cmd args-or-opts)
(sops cmd args & opts)
```

A simple wrapper around babashka.process for calling sops.

You can call `sops` like this:

(sops :command ["args vector"] :opt "value" :opt2 "value2")

There are several special opts, that are handled by ol.sops:
:in - An input stream than can be passed to sops
:out - :string if you want to get a string back, nil (the default) will return an output stream you can slurp
:dir - The working directory. Defaults to the current working directory
:sops-path - Path to the sops binary. Defaults to `sops`
:env - a map of environment variables that are passed to the process

All other opts are passed to the `sops` CLI. Consult `sops CMD --help` to see available options.
To pass flags like `--verbose` use `:verbose true`. Always use full names of the options, not the short versions like -v.

Refer to `babashka.process/process` for the exact behavior of: :in, :out, :dir, and the exact nature of the return value.

Returns a record with (among other things, see `babashka.process/process`):
 - `:out` the output stream
 - `:exit` the exit code of sops
 - `:err` a string containing the stderr output from sops, if any

If you `clojure.core/deref` the record, then it will block until the process has exited.
If you slurp from the out stream, it will also block until the process has exited.

Usage examples
--------------
Decrypt file in place
@(sops :decrypt ["secrets.sops.yaml"] :in-place)

Decrypt file to a string
(slurp (:out (sops :decrypt ["secrets.sops.yaml"])))

[source,window=_blank](https://github.com/outskirtslabs/sops/blob/main/src/ol/sops.clj#L6-L46)

---

## decrypt-file-to-str

```clojure
(decrypt-file-to-str file opts)
```

Decrypts the path `file` and returns the output as a string. Sugar over [`sops`](#sops).

Options:
- `:input-type` - Override file type detection (yaml, json, env, ini, binary)
- `:output-type` - Override output format (yaml, json, env, ini, binary)
- Other SOPS options as documented in `sops decrypt --help`

Example:
```clojure
(decrypt-file "secrets.sops.yaml" {})
(decrypt-file "secrets.enc" {:input-type "yaml" :output-type "json"})
```

[source,window=_blank](https://github.com/outskirtslabs/sops/blob/main/src/ol/sops.clj#L48-L62)

---

## encrypt-to-file

```clojure
(encrypt-to-file file plaintext opts)
```

Encrypts `plaintext` string and writes encrypted content to `file`. Sugar over [`sops`](#sops).

The `file` path is used to match creation rules in `.sops.yaml` and determine the file format.

Options:
- `:age` - Age recipient(s) to encrypt for (can be a single string or vector of strings)
- `:pgp` - PGP fingerprint(s) to encrypt for (can be a single string or vector of strings)
- `:gcp-kms` - GCP KMS resource ID(s) to encrypt with (can be a single string or vector of strings)
- `:azure-kv` - Azure Key Vault URL(s) to encrypt with (can be a single string or vector of strings)
- `:kms` - AWS KMS ARN(s) to encrypt with (can be a single string or vector of strings)
- `:aws-profile` - The AWS profile to use for requests to AWS
- Other SOPS options as documented in `sops encrypt --help`

Example:
```clojure
(encrypt-to-file "secrets.sops.yaml" "foo: bar"  {:age "age1..."})
```

[source,window=_blank](https://github.com/outskirtslabs/sops/blob/main/src/ol/sops.clj#L64-L83)

---

## with-process-opts

_macro_

```clojure
(with-process-opts env-map & body)
```

An escape hatch that executes body with additional babashka/process options merged into the process call.

Example:
```clojure
;; Override the environemnt
(with-process-opts {:extra-env {:SOPS_AGE_KEY_FILE "/some/path/to/keys.txt"}}
  (sops :decrypt ["secrets.yaml"]))
```

[source,window=_blank](https://github.com/outskirtslabs/sops/blob/main/src/ol/sops.clj#L85-L96)

## Changelog

# Changelog

All notable changes to this project will be documented in this file.

This project uses https://www.taoensso.com/break-versioning[*Break
Versioning*].

## ++[++UNRELEASED++]++

## `v0.1.0` (2025-10-03)

This is the first public release of this codebase under the `ol.sops`
name.

Please report any problems and let me know if anything is unclear,
inconvenient, etc. Thank you! 🙏

## <code>ol.sops</code>

# `ol.sops`

> An extremely tiny and simple wrapper around the awesome sops (previously
> known as mozilla/sops)

![doc](https://img.shields.io/badge/doc-outskirtslabs-orange.svg)
![status: maturing](https://img.shields.io/badge/status-maturing-yellow.svg)
![alt=built with garnix](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Fgarnix.io%2Fapi%2Fbadges%2Foutskirtslabs%2Fsops)
https://clojars.org/com.outskirtslabs/sops[image:https://img.shields.io/clojars/v/com.outskirtslabs/sops.svg[Clojars
Project]]

This is intended for [babashka](https://babashka.org/) and JVM clojure and
provides an idiomatic and data driven wrapper around the CLI tool.

Project status: **[Maturing](https://docs.outskirtslabs.com/open-source-vital-signs#maturing)**.

## Installation

```clojure
;; deps.edn
{:deps {com.outskirtslabs/sops {:mvn/version "0.1.0"}}}

;; Leiningen
[com.outskirtslabs/sops "0.1.0"]
```

## Quick Start

```clojure
(ns myapp.core
  (:require [ol.sops :as sops]))
  

;; decrypt a sops file to string
(sops/decrypt-file-to-str "dev/test.sops.yml"
                          {:env {"SOPS_AGE_KEY_FILE" "dev/keys.txt"}})
;; => "hello: world\n"

;; encrypt a plaintext to a sfile
@(sops/encrypt-to-file "output.sops.json"
                       (edn->json {:foo "bar"})
                       {:age "age15905pjs5av9nyh8rdt4zrzn7x0mdud20eyf7tsvz63mygvsfhd9sclsh94"})
```

## Documentation

* [Docs](https://docs.outskirtslabs.com/ol.sops/next/)
* [API Reference](https://docs.outskirtslabs.com/ol.sops/next/api)
* [Support via GitHub Issues](https://github.com/outskirtslabs/sops/issues)

## Security

See [here](https://github.com/outskirtslabs/sops/security) for security
advisories or to report a security vulnerability.

## License

Copyright © 2025 Casey Link casey@outskirtslabs.com

Distributed under the [MIT License](./LICENSE)

## Security policy

# Security policy

## Advisories

All security advisories will be posted
https://github.com/outskirtslabs/sops/security/advisories[on
GitHub].

## Reporting a vulnerability

Please report possible security vulnerabilities
https://github.com/outskirtslabs/sops/security/advisories[via
GitHub], or by emailing me at `casey@outskirtslabs.com`. You may encrypt
emails with [my public PGP key](https://casey.link/pgp.asc).

For the organization-wide security policy, see
[Outskirts Labs Security Policy](https://docs.outskirtslabs.com/security-policy).

Thank you!

— [Casey Link](https://casey.link)