File-SOPS
);
# File operations
File::SOPS->encrypt_file(
    input      => 'secrets.yaml',
    output     => 'secrets.enc.yaml',
    recipients => \@recipients,
);
File::SOPS->decrypt_file(
    input      => 'secrets.enc.yaml',
    output     => 'secrets.yaml',
    identities => \@identities,
);

# In-place encryption
File::SOPS->encrypt_in_place('secrets.yaml', recipients => \@recipients);

# Edit (decrypt, edit, re-encrypt)
File::SOPS->edit('secrets.enc.yaml', identities => \@identities);

# Extract single value
my $password = File::SOPS->extract(
    file       => 'secrets.enc.yaml',
    path       => '["database"]["password"]',
    identities => \@identities,
);

# Rotate data key
File::SOPS->rotate('secrets.enc.yaml', identities => \@identities);
```
## Config File (.sops.yaml)
```yaml
creation_rules:
  - path_regex: \.enc\.yaml$
    age: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
  - path_regex: secrets/.*\.yaml$
    age: >-
      age1...,
      age1...
```
## Dependencies
```perl
requires 'Crypt::Age';    # age encryption backend
requires 'CryptX';        # AES-GCM for value encryption
requires 'YAML::XS';      # YAML parsing
requires 'JSON::MaybeXS'; # JSON parsing
```
## Encryption Backends (Phase 1)
Start with **age only**:
- Uses `Crypt::Age` for data key encryption
- Most common for local/team use
Later phases:
- PGP (via Crypt::OpenPGP or gpg CLI)
- AWS KMS
- GCP KMS
- Azure Key Vault
- HashiCorp Vault
## Cryptographic Operations
| Operation | Algorithm | Library |
|-----------|-----------|---------|
| Data key encryption | age (X25519 + ChaCha20-Poly1305) | Crypt::Age |
| Value encryption | AES-256-GCM | CryptX |
| MAC | AES-256-GCM over structure | CryptX |
## Special Keys
- Keys with the `_unencrypted` suffix: the value is left in plaintext but is still covered by the MAC, so it cannot be changed without detection
- `sops` key: metadata, always unencrypted
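As an added example (not code from the File::SOPS design above), the per-value layer that Encrypted.pm would have to produce and consume: AES-256-GCM via CryptX wrapped in the sops `ENC[...]` string form, walking a nested hash and skipping `_unencrypted` keys. The random data key, the 32-byte nonce and the use of the colon-joined key path as authenticated additional data are assumptions modelled on how the sops CLI formats values, not facts stated on this page; only `type:str` values are handled.

```perl
use strict;
use warnings;
use Crypt::AuthEnc::GCM qw(gcm_encrypt_authenticate gcm_decrypt_verify);
use Crypt::PRNG qw(random_bytes);
use MIME::Base64 qw(encode_base64 decode_base64);

my $NONCE_LEN = 32;    # assumption: sops uses a 32-byte GCM nonce

# Encrypt one scalar into a sops "ENC[...]" value. $path (e.g. "database:password:")
# is authenticated as AAD but not encrypted, so a ciphertext copied to a different
# key in the document no longer verifies.
sub encrypt_value {
    my ($plaintext, $key, $path) = @_;
    my $iv = random_bytes($NONCE_LEN);
    my ($ct, $tag) = gcm_encrypt_authenticate('AES', $key, $iv, $path, $plaintext);
    return sprintf 'ENC[AES256_GCM,data:%s,iv:%s,tag:%s,type:str]',
        map { encode_base64($_, '') } $ct, $iv, $tag;
}

# Parse an "ENC[...]" value and decrypt it. Returns undef when the tag does not
# verify (wrong data key, tampered ciphertext, or value moved to another path).
sub decrypt_value {
    my ($enc, $key, $path) = @_;
    my ($data, $iv, $tag) = $enc =~ /^ENC\[AES256_GCM,data:([^,]*),iv:([^,]*),tag:([^,]*),type:str\]$/
        or die "not a sops-encrypted string value: $enc";
    return gcm_decrypt_verify('AES', $key, decode_base64($iv), $path,
                              decode_base64($data), decode_base64($tag));
}

# Walk a nested hash and encrypt its leaves in place. Keys ending in
# "_unencrypted" and the "sops" metadata key are left in the clear.
sub encrypt_tree {
    my ($node, $key, $path) = @_;
    for my $k (sort keys %$node) {
        next if $k eq 'sops' || $k =~ /_unencrypted$/;
        my $sub = "$path$k:";
        if (ref $node->{$k} eq 'HASH') { encrypt_tree($node->{$k}, $key, $sub) }
        else { $node->{$k} = encrypt_value($node->{$k}, $key, $sub) }
    }
}

my $data_key = random_bytes(32);    # in File::SOPS this would come from the age backend
my $doc = { database => { password => 'hunter2', host_unencrypted => 'db.local' } };
encrypt_tree($doc, $data_key, '');
print "password: $doc->{database}{password}\n";    # now an ENC[...] string
print "host:     $doc->{database}{host_unencrypted}\n";    # still plaintext
my $pw = decrypt_value($doc->{database}{password}, $data_key, 'database:password:');
print "recovered: $pw\n";
# Decrypting under a different path fails AAD verification and yields undef.
defined decrypt_value($doc->{database}{password}, $data_key, 'database:user:')
    or print "rejected: value bound to database:password:\n";
```

The MAC in the table above would be computed over all leaf values after this walk, including the `_unencrypted` ones, so the plaintext host name is still tamper-evident.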
## Files to Create
```
lib/
└── File/
    ├── SOPS.pm              # Main interface
    └── SOPS/
        ├── Encrypted.pm     # Encrypted value parsing/generation
        ├── Metadata.pm      # SOPS metadata handling
        ├── Format/
        │   ├── YAML.pm
        │   ├── JSON.pm
        │   ├── ENV.pm
        │   └── INI.pm
        └── Backend/
            └── Age.pm       # age encryption backend
t/
├── 00-load.t
├── 01-encrypt-decrypt.t
├── 02-yaml.t
├── 03-json.t
└── 04-interop.t             # Test with sops CLI
```
## References
- https://github.com/getsops/sops
- https://getsops.io/docs/
- https://blog.gitguardian.com/a-comprehensive-guide-to-sops/