Skip to content

Encryption

Jump to bottom
Kim Oliver Drechsel edited this page Jul 16, 2025 · 20 revisions

Doco-CD supports the encryption of sensitive data in your deployment files with SOPS.

Supported file formats

SOPS supports files in the following formats:

  • YAML files with the .yaml or .yml extension
  • JSON files with the .json extension
  • Dotenv files with the .env extension
  • Ini files with the .ini extension
  • Binary/text files (default format)

Usage with SOPS and age

Note

I recommend to use SOPS with age for encrypting your deployment files.

For this, you need to

  1. Install age on your system

  2. Create an age key pair.

    age-keygen -o sops_age_key.txt

  3. Encrypt your files with SOPS using the age public key, see SOPS: Encrypting using age.

    sops encrypt --age <age_public_key> test.yaml > test.enc.yaml

  4. Set one of the following environment variables below for doco-cd to use the age key with SOPS:

    Key Type Description
    SOPS_AGE_KEY string The age secret key (See the SOPS docs)
    SOPS_AGE_KEY_FILE string The path inside the container to the file containing the age secret key (e.g. /sops_age_key.txt)

    I recommend using the SOPS_AGE_KEY_FILE environment variable and mount the age secret key as a Docker secret. See the example below for how to do this.

    More different options like using SOPS with PGP/GPG can be found in the SOPS documentation.

  5. When triggering a deployment, doco-cd will automatically detect the SOPS-encrypted files and decrypt them using the provided age key.
    It is important that you give your files the correct file extension, so that the correct file format is used during the decryption process.

Note

You can also encrypt only parts of a file and keep the rest in plaintext. See Encrypting only parts of a file in the SOPS docs for more information.

Example setup with SOPS and age

Doco-CD configuration

Example of a docker-compose.yml file using SOPS with age:

Use the docker-compose.yml as the base reference and add the following lines to it:

# docker-compose.yml
services:
  app:
    environment:
      SOPS_AGE_KEY_FILE: /run/secrets/sops_age_key # docker secrets are always mounted to /run/secrets/ if no target is specified
    secrets:
      - sops_age_key

secrets:
  sops_age_key:
    file: sops_age_key.txt

Deployment with a SOPS-encrypted file

First, I use my age public key from the previously generated key pair to encrypt my secrets.env file:

# secrets.env
DB_PASSWORD=some-secret-password

Generate the encrypted file with SOPS:

sops encrypt --age age1g3lcl... secrets.env > secrets.enc.env

You can later edit the encrypted file with sops edit secrets.enc.env

Then, I set the encrypted file in my docker-compose.yml file:

# docker-compose.yml
services:
  app:
    env_file:
      - secrets.enc.env

When I now trigger a deployment, doco-cd will automatically decrypt the secrets.enc.env file using the provided age key and deploy the container with the environment variables in it.

GitHub Release GitHub Release Date

Doco CD Logo
Clone this wiki locally