docs/environments/secrets/sops.md
mise reads encrypted secret files and makes values available as environment variables via `env._.file`.

```json
{
  "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
  "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
```

```toml
[env]
_.file = ".env.json"
```

mise will automatically decrypt the file if it is sops-encrypted.

:::: info
Currently age is the only sops encryption method supported.
::::

Install tools: `mise use -g sops age`

Generate an age key and note the public key:

```sh
age-keygen -o ~/.config/mise/age.txt
# Public key: <public key>

sops encrypt -i --age "<public key>" .env.json
```

:::: tip
The `-i` flag overwrites the file in place. The encrypted file is safe to commit. Set `SOPS_AGE_KEY_FILE=~/.config/mise/age.txt` or `MISE_SOPS_AGE_KEY_FILE=~/.config/mise/age.txt` to decrypt/edit with sops.
::::

```toml
[env]
_.file = ".env.json"
```

Now `mise env` exposes the values.

mise supports both mise-specific environment variables and standard SOPS ones:

Mise-specific variables (highest priority):

- `MISE_SOPS_AGE_KEY` - Age private key content directly
- `MISE_SOPS_AGE_KEY_FILE` - Path to age private key file

Standard SOPS variables (fallback):

- `SOPS_AGE_KEY_FILE` - Path to age private key file
- `SOPS_AGE_KEY` - Age private key content directly

Precedence order:

1. `MISE_SOPS_AGE_KEY` (mise setting or env var, checked first)
2. `MISE_SOPS_AGE_KEY_FILE` or `sops.age_key_file` (mise setting or env var)
3. `SOPS_AGE_KEY_FILE` (standard)
4. `SOPS_AGE_KEY` (standard, direct key content)
5. `~/.config/mise/age.txt`

This allows you to override SOPS settings specifically for mise while keeping your standard SOPS configuration intact for other tools.

Mark secrets from files as sensitive:

```toml
[env]
_.file = { path = ".env.json", redact = true }
```

Work with redacted values:

```sh
mise env --redacted
mise env --redacted --values
```

```yaml
- name: Mask secrets
  run: |
    for value in $(mise env --redacted --values); do
      echo "::add-mask::$value"
    done
- name: Use secrets safely
  run: |
    mise exec -- ./deploy.sh
```

If you use mise-action, values marked `redact = true` are masked automatically.