{ "title": "SOPS Encrypt a YAML File with AWS KMS", "description": "Example of encrypting a secrets YAML file using SOPS with AWS KMS", "command": "sops --encrypt --kms arn:aws:kms:us-east-1:123456789012:key/mrk-abc123def456 secrets.yml > secrets.enc.yml", "input_file": "secrets.yml", "input_content": { "database_password": "s3cr3t-p@ssw0rd", "api_key": "sk-live-abc123xyz456", "database_host": "db.example.com", "database_port": 5432 }, "output_file": "secrets.enc.yml", "output_content": { "database_password": "ENC[AES256_GCM,data:abc123xyz==,iv:AAABBBCCC==,tag:XXXYYY==,type:str]", "api_key": "ENC[AES256_GCM,data:def456uvw==,iv:DDDEEEFFF==,tag:ZZZAAA==,type:str]", "database_host": "db.example.com", "database_port": 5432, "sops": { "kms": [ { "arn": "arn:aws:kms:us-east-1:123456789012:key/mrk-abc123def456", "created_at": "2026-05-02T10:00:00Z", "enc": "AQICAHi...(base64-encoded-data-key)...==", "aws_profile": "" } ], "lastmodified": "2026-05-02T10:00:00Z", "mac": "ENC[AES256_GCM,data:macdata==,iv:maciv==,tag:mactag==,type:str]", "version": "3.9.0" } }, "notes": [ "Key names always remain in cleartext; the values of database_host and database_port are shown unencrypted in this sample, which SOPS only produces when a selector such as --encrypted-regex or --unencrypted-suffix is in effect, since the command as written encrypts every value", "String values are encrypted with AES256-GCM", "Integer values, when encrypted, are tagged type:int and will be decrypted as integers; database_port appears in cleartext here only because it is left out of encryption in this sample", "The sops metadata block stores the KMS key reference and the wrapped data key (enc) needed for decryption, plus a MAC that lets SOPS detect tampering with the file" ] }