OpenSkillIndex← back to search
claude-code

Arkhe-claude-plugins sops-decrypt

install
source · Clone the upstream repo
git clone https://github.com/joaquimscosta/arkhe-claude-plugins
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/joaquimscosta/arkhe-claude-plugins "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/devtools/skills/sops-decrypt" ~/.claude/skills/joaquimscosta-arkhe-claude-plugins-sops-decrypt && rm -rf "$T"
manifest: plugins/devtools/skills/sops-decrypt/SKILL.md
source content

SOPS Decrypt

Decrypt 

.enc.yaml
files back to their plaintext 
.env
originals.

Workflow

  1. Detect current state:

    python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/detect_sops.py <project-root>

  2. Verify prerequisites:

    • tools.sops.installed
      must be true — if not, tell user to install: 
      brew install sops
      (macOS) or download binary (Linux)
    • age_key.exists
      must be true — if not, guide user to place their age private key at the expected path, or set 
      SOPS_AGE_KEY_FILE
      env var

  3. Show encrypted files from 

    project.encrypted_files
    . If empty, report "No encrypted files found" and exit.

  4. Use 

    AskUserQuestion
    (multiSelect: true) — which files to decrypt. For each, show the target output name (e.g., 
    .env.local.enc.yaml
    .env.local
    ). If the target file already exists, note it will be overwritten.

  5. Decrypt each selected file (decrypt YAML, then convert to dotenv):

    sops --decrypt <file>.enc.yaml > <file>.dec.yaml.tmp
python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/dotenv_yaml.py to-dotenv <file>.dec.yaml.tmp > <target-env-file>
rm <file>.dec.yaml.tmp

    Where 

    <target-env-file>
    is the encrypted filename with 
    .enc.yaml
    suffix removed. Example: 
    .env.local.enc.yaml
    .env.local

  6. Verify each decrypted file exists and is non-empty.

  7. Summary:

    | Encrypted File | Decrypted To | Status |
|---------------|--------------|--------|
| .env.local.enc.yaml | .env.local | done |

    Remind user: Do NOT commit the decrypted .env files — they should be in 

    .gitignore
    .

Key Rules

  • Always check that the age private key exists before attempting decryption
  • Always convert YAML→dotenv after decrypting (use the helper script)
  • Warn if a decrypted file will overwrite an existing one
  • Clean up 
    .tmp
    files even if decryption fails
  • After decryption, remind user that plaintext 
    .env
    files must stay out of git
  • If decryption fails with "no identity matched", the machine's key is not authorized — suggest running 
    /devtools:sops-add-key
    on a machine that has access