Sopsy is a pragmatic wrapper around Mozilla SOPS allowing decryption of secrets at runtime.
The goal of the library is to offer a simple solution for bringing encrypted secrets into your Elixir application, especially suited for self-hosting (VPS) and easy-to-manage environments (e.g. doesn't require a Vault or a managed service)
- Mozilla SOPS CLI must be installed on the system and available in the PATH.
- The Elixir application must have read access to the SOPS encrypted file.
- Use environment variables or
.sops.yamlconfiguration file to configure the sops binary as needed.
You can call ExSopsy.load_secrets passing a path to a SOPS encrypted file and the format of the file.
If decryption is successful, the function returns a tuple {:ok, Map.t} with the decrypted secret keys.
# config/runtime.exs
if config_env() == :prod do
case ExSopsy.load_secrets("priv/secrets.enc.json", :json) do
{:ok, secrets} ->
config :my_app, MyApp.Repo,
username: secrets["db_user"],
password: secrets["db_password"]
config :my_app, MyAppWeb.Endpoint,
secret_key_base: secrets["secret_key_base"]
{:error, reason} ->
raise "Failed to load secrets: #{inspect(reason)}"
end
endThe library is usable from any module in the application.
Add ex_sopsy to your list of dependencies in mix.exs:
def deps do
[
{:ex_sopsy, "~> 1.0.1"}
]
endCopyright 2025 Konstantin [email protected]
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.