Skill

sops-decrypt

Decrypts SOPS-encrypted YAML files (*.enc.yaml) back to plaintext .env format using sops and age keys. Converts YAML to dotenv via Python script. Checks prerequisites and warns on overwrites. Triggers on 'decrypt env', 'sops decrypt'.

Python

Bash

security

devops

npx claudepluginhub joaquimscosta/arkhe-claude-plugins --plugin devtools

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Decrypt `.enc.yaml` files back to their plaintext `.env` originals.

SKILL.md

Similar Skills

sops-encrypt

Encrypts .env files using SOPS + age by converting dotenv to YAML to avoid SOPS bug #1435. Auto-detects unencrypted files in sops-setup projects.

devtools

encrypting-and-decrypting-data

1.9k

Validates encryption implementations, audits crypto algorithms, and verifies key management in codebases and configs. Activates for data security reviews.

4 files8 tools

encryption-tool

managing-environment-configurations

1.9k

Manages configs across dev/staging/prod with .env files, Kubernetes ConfigMaps/Secrets, AWS SSM. Audits values, encrypts secrets via sops, validates schemas, detects drift, enables promotion workflows.

4 files6 tools

environment-config-manager

Stats

Parent Repo Stars10

Parent Repo Forks1

Last CommitMar 21, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

SOPS Decrypt

Decrypt .enc.yaml files back to their plaintext .env originals.

Workflow

Detect current state:

python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/detect_sops.py <project-root>

Verify prerequisites:

tools.sops.installed must be true — if not, tell user to install: brew install sops (macOS) or download binary (Linux)
age_key.exists must be true — if not, guide user to place their age private key at the expected path, or set SOPS_AGE_KEY_FILE env var

Show encrypted files from project.encrypted_files. If empty, report "No encrypted files found" and exit.

Use AskUserQuestion (multiSelect: true) — which files to decrypt. For each, show the target output name (e.g., .env.local.enc.yaml → .env.local). If the target file already exists, note it will be overwritten.

Decrypt each selected file (decrypt YAML, then convert to dotenv):

sops --decrypt <file>.enc.yaml > <file>.dec.yaml.tmp
python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/dotenv_yaml.py to-dotenv <file>.dec.yaml.tmp > <target-env-file>
rm <file>.dec.yaml.tmp

Where <target-env-file> is the encrypted filename with .enc.yaml suffix removed. Example: .env.local.enc.yaml → .env.local

Verify each decrypted file exists and is non-empty.

Summary:

| Encrypted File | Decrypted To | Status |
|---------------|--------------|--------|
| .env.local.enc.yaml | .env.local | done |

Remind user: Do NOT commit the decrypted .env files — they should be in .gitignore.

Key Rules

Always check that the age private key exists before attempting decryption

Always convert YAML→dotenv after decrypting (use the helper script)

Warn if a decrypted file will overwrite an existing one

Clean up .tmp files even if decryption fails

After decryption, remind user that plaintext .env files must stay out of git

If decryption fails with "no identity matched", the machine's key is not authorized — suggest running /devtools:sops-add-key on a machine that has access