Arkhe-claude-plugins sops-setup

install

source · Clone the upstream repo

git clone https://github.com/joaquimscosta/arkhe-claude-plugins

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/joaquimscosta/arkhe-claude-plugins "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/devtools/skills/sops-setup" ~/.claude/skills/joaquimscosta-arkhe-claude-plugins-sops-setup && rm -rf "$T"

manifest: plugins/devtools/skills/sops-setup/SKILL.md

source content

SOPS + age Setup Wizard

Interactive setup for SOPS + age encryption. Detects current state and guides through configuration.

Important: This skill uses YAML format for encrypted files (not dotenv) because SOPS has a known bug (#1435) where the dotenv store corrupts backslash and

\n

sequences on decrypt. A helper script handles dotenv↔YAML conversion transparently.

Pre-flight

Run the detection script to understand current state:

python3 ${CLAUDE_SKILL_DIR}/scripts/detect_sops.py <project-root>

Two-Phase Workflow

Phase 1: Detect

Run the detector on the project root:

python3 ${CLAUDE_SKILL_DIR}/scripts/detect_sops.py <project-root>

Summarize findings — show a status table:

Component	Status	Detail
sops binary	installed/missing	version, path
age binary	installed/missing	version, path
age key	exists/missing	public key (truncated)
.sops.yaml	exists/missing	# of authorized keys
.env files	N found	list of filenames
encrypted files	N found	list of *.enc.yaml files
.gitignore	ok/needs update	env ignored, enc.yaml not ignored

Phase 2: Configure

Walk through each missing component. Skip steps where detection shows everything is already configured.

Install tools (if
```
tools.sops.installed
```
or
```
tools.age.installed
```
is false):
- Show install commands based on
```
os
```
  field:
  - macOS:
```
brew install sops age
```
  - Linux: Show download URLs for latest binaries from GitHub releases
- After user confirms installation, re-run detector to verify
Generate age key (if
```
age_key.exists
```
is false):
- Create directory:
```
mkdir -p ~/.config/sops/age
```
- Generate key:
```
age-keygen -o ~/.config/sops/age/keys.txt
```
- Set permissions:
```
chmod 600 ~/.config/sops/age/keys.txt
```
- Display the public key and tell user to save it somewhere safe (password manager, secure note)
Generate backup key (recommended):
- Use
```
AskUserQuestion
```
  — offer to create an offline backup key for disaster recovery
- If yes:
```
age-keygen 2>&1 | tee /dev/stderr | grep "public key:" | awk '{print $NF}'
```
  Display BOTH the public key AND the full output (which includes the private key). Tell user: Copy the entire output (including the private key line starting with AGE-SECRET-KEY-) to a password manager or secure offline storage. This is your recovery key.
- The backup public key will be added to
```
.sops.yaml
```
  alongside the machine key

Create

.sops.yaml

(if

project.sops_yaml.exists

is false):

Write

.sops.yaml

with machine key + backup key (if generated):

creation_rules:
  - path_regex: (^|/)\.env\.[^/]+\.enc\.yaml$
    age: >-
      <machine-public-key>,
      <backup-public-key>

If
```
.sops.yaml
```
already exists but is missing this machine's key, offer to add it

Set up

.gitattributes

for diff-friendly encrypted files:

Add to

.gitattributes

*.enc.yaml diff=sopsdiffer

Configure git:

git config diff.sopsdiffer.textconv "sops decrypt"

This makes
```
git diff
```
show decrypted content for encrypted files

Update
```
.gitignore
```
(if needed):
- Ensure
```
.env*
```
  patterns are ignored (secrets must not be committed in plaintext)
- Ensure
```
*.enc.yaml
```
  is NOT ignored (encrypted files should be committed)
- Show proposed changes and confirm with user before writing

Encrypt files (if

project.env_files

is non-empty):

Use
```
AskUserQuestion
```
(multiSelect: true) — show detected
```
.env*
```
files

For each selected file, convert dotenv→YAML then encrypt:

python3 ${CLAUDE_SKILL_DIR}/scripts/dotenv_yaml.py to-yaml <file> > <file>.enc.yaml.tmp
sops --encrypt <file>.enc.yaml.tmp > <file>.enc.yaml
rm <file>.enc.yaml.tmp

Example:

.env.local

→

.env.local.enc.yaml

Verify each encrypted file was created successfully

Confirmation summary — show table of all actions taken:

| Step | Action | Result |
|------|--------|--------|
| Tools | sops 3.9.4, age 1.2.0 | installed |
| Key | Machine key generated | age1abc...def |
| Key | Backup key generated | age1xyz...uvw (save offline!) |
| Permissions | chmod 600 keys.txt | done |
| Config | .sops.yaml created | 2 keys authorized |
| Git | .gitattributes updated | sopsdiffer configured |
| Git | .gitignore updated | .env* ignored |
| Encrypt | .env.local → .env.local.enc.yaml | done |

## Next Steps
- Commit .sops.yaml, .gitattributes, and *.enc.yaml files to git
- On another machine: clone, install sops+age, place age key, run /devtools:sops-decrypt
- To add another machine: /devtools:sops-add-key
- To encrypt after editing .env: /devtools:sops-encrypt
- To decrypt after pulling: /devtools:sops-decrypt

Key Rules

Never overwrite existing files without asking. Always offer merge/replace/skip.
Detect first — skip steps that are already configured.
Use
AskUserQuestion
for every decision. Do not assume user preferences.
YAML format only — never use
```
--input-type dotenv
```
. Use the dotenv_yaml.py helper for conversion.
chmod 600 on age key files immediately after creation.
Display public keys after generation — user needs them for multi-machine setup.
Verify after each step — re-run relevant checks to confirm success.

References

Workflow: See WORKFLOW.md for detailed per-step flows
Examples: See EXAMPLES.md for example setup sessions
Troubleshooting: See TROUBLESHOOTING.md for common issues
Detection Script: See scripts/detect_sops.py for detection logic
Converter: See scripts/dotenv_yaml.py for dotenv↔YAML conversion
Best Practices: See references/sops-best-practices.md for research