This project demonstrates how to configure a Mise environment with an encrypted .env file using SOPS and AGE.
- Encrypted Secrets Management: Securely manage secrets in .env.sops.yaml using SOPS and AGE.
- Mise Integration: Automate tasks and environment setup with Mise.
.env.sops.yaml # Tracked **secret** environment variables (initially plaintext; encrypted after setup is completed)
.env.tracked # Tracked **non-sensitive** environment variables
.gitignore # Git ignore rules for sensitive files
.sops.yaml # SOPS configuration
keys.age # Encrypted AGE key file (gitignored)
keys.txt # Plaintext AGE key file (gitignored)
mise.toml # Mise configuration
README.md # Project documentation
scripts/ # Helper scripts
  generate-age-keypair.sh # Script to generate AGE keypair
Ensure that Mise is installed:
Other dependencies (SOPS and AGE) are installed via Mise. Linked for reference only.
- Clone the Repository:
  git clone <repository-url>
  cd Demo-Mise-SOPS-Age
- Initialise Mise:
  mise trust
  mise install
- Generate AGE Keypair: Run the following Mise task to generate an AGE keypair. The key generation script automatically validates the SOPS configuration by encrypting and decrypting a test file.
  mise run generate-age-keypair
- Add Public Key to SOPS Configuration: Copy the public key output from the key generation step and add it to .sops.yaml under the age section.
- Encrypt Secrets: Encrypt the .env.sops.yaml file using the following command. This only needs to occur once.
  mise run encrypt
- Encrypt Secrets:
  mise run encrypt
- Decrypt Secrets (for debugging only):
  mise run decrypt
- Edit Encrypted Secrets:
  mise run edit-encrypt
- Ensure keys.txt is never committed to version control. It is explicitly ignored in .gitignore.
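As an added example (not one of the project's own scripts), these shell functions check before a commit that .env.sops.yaml no longer holds plaintext values and that keys.txt and keys.age are gitignored and untracked. The function names and sample values are assumptions made for illustration, and the encryption check assumes a flat KEY: value file.

```shell
#!/bin/sh
# Added example, not the project's own script: checks to run before a commit.

# Succeeds only if FILE looks SOPS-encrypted: a top-level "sops:" metadata block
# exists and every top-level scalar before it is an ENC[...] value.
# Assumption: .env.sops.yaml is a flat "KEY: value" mapping.
is_sops_encrypted() {
  awk '
    /^sops:/   { seen = 1; exit }      # reached the SOPS metadata block
    /^[ \t]*#/ { next }                # comment line
    /^[ \t]*$/ { next }                # blank line
    /^[^ \t#][^:]*:[ \t]*[^ \t]/ {     # top-level "key: value" line
      val = $0
      sub(/^[^:]*:[ \t]*/, "", val)
      if (val !~ /^ENC\[/) { bad = 1; exit }
    }
    END { exit (seen && !bad) ? 0 : 1 }
  ' "$1"
}

# Succeeds only if PATH matches an ignore rule and is absent from the index.
is_ignored_untracked() {
  git check-ignore -q -- "$1" &&
    ! git ls-files --error-unmatch -- "$1" >/dev/null 2>&1
}

# Run from the repository root; reports every failed check.
preflight() {
  rc=0
  is_sops_encrypted .env.sops.yaml ||
    { echo "FAIL: .env.sops.yaml has plaintext values" >&2; rc=1; }
  for f in keys.txt keys.age; do
    is_ignored_untracked "$f" ||
      { echo "FAIL: $f is tracked or not gitignored" >&2; rc=1; }
  done
  return "$rc"
}

# Constructed samples: one variable before and after "mise run encrypt".
demo() {
  d=$(mktemp -d)
  printf 'API_TOKEN: constructed-plaintext\n' > "$d/plain.yaml"
  printf 'API_TOKEN: ENC[AES256_GCM,data:constructed,type:str]\nsops:\n  version: constructed\n' > "$d/enc.yaml"
  for s in plain enc; do
    is_sops_encrypted "$d/$s.yaml" && echo "$s.yaml: encrypted" || echo "$s.yaml: PLAINTEXT"
  done
  rm -rf "$d"
}
demo
```

Calling preflight from a Git pre-commit hook stops a commit made before the one-time encrypt step has run.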
This project is licensed under the MIT License. See the LICENSE file for details.