Arkhe-claude-plugins sops-encrypt

install
source · Clone the upstream repo
git clone https://github.com/joaquimscosta/arkhe-claude-plugins
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/joaquimscosta/arkhe-claude-plugins "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/devtools/skills/sops-encrypt" ~/.claude/skills/joaquimscosta-arkhe-claude-plugins-sops-encrypt && rm -rf "$T"
manifest: plugins/devtools/skills/sops-encrypt/SKILL.md

SOPS Encrypt

Encrypt `.env` files by converting to YAML and encrypting with SOPS + age.

Why YAML? SOPS dotenv store has a known bug (#1435) that corrupts backslash and `\n` sequences. The helper script converts dotenv→YAML before encryption.

Workflow

  1. Detect current state:

    python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/detect_sops.py <project-root>
    
  2. Verify prerequisites:

    • `tools.sops.installed` must be true — if not, tell user to run `/devtools:sops-setup`
    • `project.sops_yaml.exists` must be true — if not, tell user to run `/devtools:sops-setup`
    • `age_key.exists` must be true — if not, tell user to run `/devtools:sops-setup`
  3. Show unencrypted .env files from `project.env_files`. If empty, report "No .env files found to encrypt" and exit.

  4. Use `AskUserQuestion` (multiSelect: true) — which files to encrypt. List each `.env*` file. If a corresponding `.enc.yaml` file already exists, note it will be overwritten.

  5. Encrypt each selected file (convert dotenv→YAML, then encrypt):

    python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/dotenv_yaml.py to-yaml <file> > <file>.enc.yaml.tmp
    sops --encrypt <file>.enc.yaml.tmp > <file>.enc.yaml
    rm <file>.enc.yaml.tmp
    

    Example: `.env.local` → `.env.local.enc.yaml`

  6. Verify each encrypted file exists and is non-empty.

  7. Summary:

    | File | Encrypted To | Status |
    |------|-------------|--------|
    | .env.local | .env.local.enc.yaml | done |
    | .env.production | .env.production.enc.yaml | done |
    

    Remind user to commit the `.enc.yaml` files.

Key Rules

  • Always verify `.sops.yaml` exists before attempting encryption
  • Always convert dotenv→YAML before encrypting (use the helper script)
  • Warn if an `.enc.yaml` file will be overwritten
  • Never delete the original `.env` file — only create the `.enc.yaml` copy
  • Clean up `.tmp` files even if encryption fails
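
One way to script steps 5 and 6 so that the Key Rules still hold when conversion or encryption fails (added example, not the plugin's own code). The function name `encrypt_env`, the `.new` staging file and the explicit `--input-type`/`--output-type` flags are assumptions made here; the checks in steps 1 and 2 are assumed to have passed already.

```shell
#!/bin/sh
# Added example (not from the plugin). Usage: encrypt_env .env.local
# The function body is a subshell, so umask and traps do not leak to the caller.
encrypt_env() (
    src=$1
    out="$src.enc.yaml"
    tmp="$out.tmp"   # plaintext YAML, same temp name the page uses
    new="$out.new"   # ciphertext staging file (name assumed for this example)
    helper="${CLAUDE_SKILL_DIR}/../sops-setup/scripts/dotenv_yaml.py"

    [ -f "$src" ] || { echo "not found: $src" >&2; exit 2; }
    if [ -e "$out" ]; then
        echo "warning: $out will be overwritten" >&2
    fi

    umask 077        # the temp file holds plaintext secrets: owner-only
    # An interrupted run must not leave plaintext or a half-written file.
    trap 'rm -f "$tmp" "$new"; exit 130' INT TERM HUP

    rc=0
    # SOPS chooses its store from the file extension and ".tmp" is not a
    # YAML extension, so this example states the types explicitly.
    python3 "$helper" to-yaml "$src" > "$tmp" &&
        sops --encrypt --input-type yaml --output-type yaml "$tmp" > "$new" &&
        [ -s "$new" ] &&          # step 6: result exists and is non-empty
        mv -f "$new" "$out" || rc=1

    # Runs on success and on failure; the original .env is never touched.
    rm -f "$tmp" "$new"

    if [ "$rc" -eq 0 ]; then
        echo "$src -> $out"
    else
        echo "failed: $src (existing $out, if any, left unchanged)" >&2
    fi
    exit "$rc"
)
```

Because the ciphertext is staged in `.new` and moved into place only after the non-empty check, a failed run cannot replace a good `.enc.yaml` with an empty one.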