```bash
npx claudepluginhub joaquimscosta/arkhe-claude-plugins --plugin devtools
```
This skill uses the workspace's default tool permissions.
Encrypt `.env` files by converting to YAML and encrypting with SOPS + age.
Why YAML? SOPS dotenv store has a known bug (#1435) that corrupts backslash and \n sequences. The helper script converts dotenv→YAML before encryption.
Detect current state:
```bash
python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/detect_sops.py <project-root>
```
Verify prerequisites:
- tools.sops.installed must be true — if not, tell user to run /devtools:sops-setup
- project.sops_yaml.exists must be true — if not, tell user to run /devtools:sops-setup
- age_key.exists must be true — if not, tell user to run /devtools:sops-setup

Show unencrypted .env files from project.env_files. If empty, report "No .env files found to encrypt" and exit.
Use AskUserQuestion (multiSelect: true) — which files to encrypt. List each .env* file. If a corresponding .enc.yaml file already exists, note it will be overwritten.
Encrypt each selected file (convert dotenv→YAML, then encrypt):
```bash
python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/dotenv_yaml.py to-yaml <file> > <file>.enc.yaml.tmp
sops --encrypt <file>.enc.yaml.tmp > <file>.enc.yaml
rm <file>.enc.yaml.tmp
```
Example: .env.local → .env.local.enc.yaml
Verify each encrypted file exists and is non-empty.
Summary:
| File | Encrypted To | Status |
|------|-------------|--------|
| .env.local | .env.local.enc.yaml | done |
| .env.production | .env.production.enc.yaml | done |
Remind user to commit the .enc.yaml files.
- .sops.yaml exists before attempting encryption
- .enc.yaml file will be overwritten
- .env file — only create the .enc.yaml copy
- .tmp files even if encryption fails
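
A stricter form of the "exists and is non-empty" verification step, as an added example that is not part of the plugin's own scripts: it confirms that every value in a `.enc.yaml` file is SOPS ciphertext before the file is committed. It assumes the flat `KEY: value` YAML this workflow produces and no `.sops.yaml` rule that deliberately leaves some values unencrypted; the function name and sample data are constructed for illustration.

```python
import re

# SOPS writes each encrypted scalar as ENC[AES256_GCM,data:..,iv:..,tag:..,type:..]
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$")
TOP_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")

# Constructed samples (not real ciphertext): an encrypted file, and a converted
# YAML file that was never encrypted.
SAMPLE_OK = """\
DATABASE_URL: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
OPTIONAL_FLAG: ""
sops:
    age:
        - recipient: age1-constructed-placeholder
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
"""
SAMPLE_LEAK = "DATABASE_URL: postgres://app:example-password@db/app\n"


def check_encrypted_text(text):
    """Return a list of problems; empty means every value is SOPS ciphertext."""
    if not text.strip():
        return ["file is empty"]
    problems, keys, in_sops, has_meta = [], 0, False, False
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t-":  # nesting is expected only under sops:
            if not in_sops:
                problems.append(f"line {n}: nested or multi-line value")
            continue
        m = TOP_KEY.match(line)
        in_sops = bool(m) and m.group(1) == "sops"
        if not m:
            problems.append(f"line {n}: not a KEY: value pair")
        elif in_sops:
            has_meta = True
        else:
            keys += 1
            value = m.group(2).strip().strip("'\"")
            # SOPS leaves empty strings as-is; anything else must be ENC[...].
            if value and not ENC_VALUE.match(value):
                problems.append(f"line {n}: {m.group(1)} is not encrypted")  # never echo the value
    if not has_meta:
        problems.append("missing sops: metadata block")
    if keys == 0:
        problems.append("no keys found")
    return problems
```

Pass it the contents of each generated `.enc.yaml` file; problem messages name the key and line only, so a leaked value is not repeated in logs.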