Key Groups
By default, SOPS encrypts the data key for a file with each of the master keys, such that if any of the master keys is available, the file can be decrypted. However, it is sometimes desirable to require access to multiple master keys in order to decrypt files. This can be achieved with key groups.
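A `.sops.yaml` creation rule that uses key groups, added here as an illustration and not taken from the original page; the path pattern, PGP fingerprints, KMS ARN and age recipient are placeholders. With `shamir_threshold: 2`, master keys from at least two of the three groups are needed to decrypt a matching file.

```yaml
# .sops.yaml (illustrative; every identifier below is a placeholder)
creation_rules:
  - path_regex: secrets/prod/.*\.yaml$   # assumed repository layout
    # Number of key groups whose fragments are required to rebuild the data key.
    shamir_threshold: 2
    key_groups:
      # Group 1: security team PGP keys. Any one key inside a group can
      # recover that group's fragment of the data key.
      - pgp:
          - PGP_FINGERPRINT_SECURITY_A
          - PGP_FINGERPRINT_SECURITY_B
      # Group 2: cloud KMS key.
      - kms:
          - arn: KMS_KEY_ARN_PLACEHOLDER
      # Group 3: offline break-glass age key.
      - age:
          - AGE_RECIPIENT_PLACEHOLDER
```

Compromise of a single group, for example one PGP private key, is no longer enough to decrypt on its own; the trade-off is that losing access to two of the three groups makes the file unrecoverable.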
Auditing
Sometimes, users want to be able to tell what files were accessed by whom in an environment they control. For this reason, SOPS can generate audit logs to record activity on encrypted files. When enabled, SOPS will write a log entry into a pre-configured PostgreSQL database when a file is decrypted.
Key Service
There are situations where you might want to run SOPS on a machine that doesn't have direct access to encryption keys such as PGP keys. The sops key service allows you to forward a socket so that SOPS can access encryption keys stored on a remote machine.
Security
The security of the data stored using SOPS is as strong as the weakest cryptographic mechanism. Values are encrypted using AES256_GCM which is the strongest symmetric encryption algorithm known today. Data keys are encrypted in either KMS, which also uses AES256_GCM, or PGP which uses either RSA or ECDSA keys.