A ZSH plugin for Mozilla SOPS that provides one-click encryption and decryption of files in the current directory and subdirectories.

• SOPS must be installed and configured
• fd optional but recommended for faster file searching.

• Automatically detect and encrypt/decrypt files using standardized naming patterns
• One-click encryption/decryption for all matching files in a directory and subdirectories
• Single file encryption/decryption with validation
• File naming convention: config-secret.yaml → config-secret.enc.yaml
• Flexible file search using either find or fd command
• Environment variable configuration for easy customization

# Clone repository
git clone https://github.com/chaosimpact/sops-crypt ~/.oh-my-zsh/custom/plugins/sops-crypt
# Add to plugins list in .zshrc
plugins=(... sops-crypt)

Add to your .zshrc:

plugins=(... sops-crypt)

antigen bundle chaosimpact/sops-crypt

The plugin provides the following commands:

• sops-encrypt-all [--force|-f] [directory] - Encrypt all matching files in directory and subdirectories
• sops-decrypt-all [directory] - Decrypt all encrypted files in directory and subdirectories
• sops-encrypt [--force|-f] <file> - Encrypt a single file
• sops-decrypt <file> - Decrypt a single file
• sops-crypt-config - Show current configuration

The --force or -f flag allows you to re-encrypt all files, even if they haven't been modified since the last encryption.

The plugin uses a specific naming convention:

• Secret files: config-secret.yaml
• Encrypted files: config-secret.enc.yaml

Only files that follow these naming patterns will be automatically detected for encryption/decryption.

# Create a new secret file
echo "password: mysecret123" > config-secret.yaml
# Encrypt all matching files in current directory and subdirectories
sops-encrypt-all
# Encrypt all matching files in specific directory
sops-encrypt-all ./configs
# Force re-encryption of all files (ignoring timestamp checks)
sops-encrypt-all --force
# Force re-encryption of files in specific directory
sops-encrypt-all --force ./configs
# Decrypt all encrypted files in current directory and subdirectories
sops-decrypt-all
# Encrypt a single file
sops-encrypt secrets-secret.yaml
# Force re-encryption of a single file
sops-encrypt --force secrets-secret.yaml
# Decrypt a single file
sops-decrypt secrets-secret.enc.yaml

The plugin comes with the following default settings:

You can override the default settings by using environment variables with the same names as the parameters in the table above. The environment variables will take precedence over the default settings when the plugin is loaded.

We recommend using direnv to manage project-specific environment variables. With direnv, you can create a .envrc file in your project directory:

# Example .envrc file
export SOPS_CRYPT_FILE_PATTERNS="*.yaml *.json *.env"
export SOPS_CRYPT_SECRET_SUFFIX="-mysecret"
export SOPS_CRYPT_IGNORE_PATTERNS="node_modules .git dist build"
export SOPS_CRYPT_SEARCH_TOOL="fd"

This approach allows you to have different settings for different projects, and direnv automatically loads and unloads these environment variables when you enter and exit the project directory.

The plugin supports two search tools:

• fd: A modern and faster alternative to find
• find: The traditional Unix find command

By default, the plugin will use fd if available, and fall back to find otherwise. You can control this behavior with the following settings:

• auto: Automatically use fd if available, otherwise fall back to find (default)
• fd: Use fd exclusively (will fall back to find if fd is not installed)
• find: Always use find

To check your current configuration:

sops-crypt-config

This will show:

• Current file patterns
• Secret suffix setting
• Encrypted infix setting
• Ignore patterns
• Example file naming
• How to override with environment variables

MIT