- Fix incorrect version number from previous release
- Add support for Azure Key Service
- Fix bug that prevented JSON escapes in input files from working
- Prevent files from being encrypted twice
- Fix empty comments not being decrypted correctly
- If keyservicecmd returns an error, log it.
- Initial sops workspace auditing support (still wip)
- Refactor Store interface to reflect operations SOPS performs
- --set now works with nested data structures and not just simple values
- Changed default log level to warn instead of info
- Avoid creating empty files when using the editor mode to create new files and not making any changes to the example files
- Output unformatted strings when using --extract instead of encoding them to yaml
- Allow forcing binary input and output types from command line flags
- Deprecate filename_regex in favor of path_regex. filename_regex had a bug and matched on the whole file path, when it should have only matched on the file name. path_regex on the other hand is documented to match on the whole file path.
- Add an encrypted-suffix option, the exact opposite of unencrypted-suffix
- Allow specifying unencrypted_suffix and encrypted_suffix rules in the .sops.yaml configuration file
- Introduce key service flag optionally prompting users on encryption/decryption
- Don't consider io.EOF returned by Decoder.Token as error
- add IsBinary: true to FileHints when encoding with crypto/openpgp
- some improvements to error messages
- Shamir secret sharing scheme support allows SOPS to require multiple master keys to access a data key and decrypt a file. See sops groups -help and the documentation in README.
- Keyservice to forward access to a local master key on a socket, similar to gpg-agent. See sops keyservice --help and the documentation in README.
- Encrypt comments by default
- Support for Google Compute Platform KMS
- Refactor of the store logic to separate the internal representation SOPS has of files from the external representation used in JSON and YAML files
- Reencoding of versions as string on sops 1.X files. WARNING this change breaks backward compatibility. SOPS shows an error message with instructions on how to solve this if it happens.
- Added command to reconfigure the keys used to encrypt/decrypt a file based on the .sops.yaml config file
- Retrieve missing PGP keys from gpg.mozilla.org
- Improved error messages for errors when decrypting files
- [major] rewrite in Go
- [medium] Support AWS KMS Encryption Contexts
- [minor] Support insertion in encrypted documents via --set
- [minor] Read location of gpg binary from SOPS_GPG_EXEC env variables
- [minor] handle $EDITOR variable with parameters
- [minor] make sure filename_regex gets applied to file names, not paths
- [minor] move check of latest version under the -V flag
- [medium] fix handling of binary data to preserve file integrity
- [minor] try to use configuration when encrypting existing files