🔑 2. Generate an age Keypair

```
age-keygen -o secrets/age.key
```

This will output something like:

```
# created: 2025-06-02T22:00:00Z
# public key: age1abcdefghijk...
```

Copy that public key somewhere; you'll need it for encrypting.

✅ You should now have:

```
secrets/
├── age.key        # keep this safe and private!
```

📝 3. Create Encrypted Secrets File

```
sops --age age1abcdefghijk... secrets/secrets.yaml
```

This opens a YAML file in your $EDITOR. Add secrets like:

```
forgejo-admin-password: "my-super-secret-password"
```

Save and close the file. It's now encrypted using the public key.

✅ Now you should have:

```
secrets/
├── age.key
├── secrets.yaml   # encrypted file (safe to commit)
```

You can commit secrets.yaml, but do not commit age.key unless you're OK with putting it on a VM.

🧪 Test Decryption Locally

```
export SOPS_AGE_KEY_FILE=secrets/age.key
```

To test:

```
sops -d secrets/secrets.yaml
```

To edit:

```
sops secrets/secrets.yaml
```

```
[plasmagoat@forgejo:~]$ sudo chmod 400 /etc/sops/age.key && sudo chown root:root /etc/sops/age.key
```
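A guard for the commit rule above (secrets.yaml may be committed, age.key may not), as an added example that is not part of the original notes. The function names are hypothetical, and the encryption check is a heuristic that assumes sops' default behaviour of encrypting every value in the file.

```shell
#!/bin/sh
# Added example (not from the original page): run before committing.

# True if the file contains an age private key (identity lines use this prefix).
contains_age_private_key() {
    grep -q 'AGE-SECRET-KEY-1' "$1"
}

# Heuristic: true if the YAML file looks like sops output, i.e. it has a
# top-level "sops:" metadata block and every value outside it is ENC[...].
is_sops_encrypted() {
    grep -q '^sops:' "$1" || return 1
    awk '
        /^sops:/                  { meta = 1; next }  # sops metadata starts
        meta && /^[^ \t#]/        { meta = 0 }        # next top-level key ends it
        meta                      { next }
        /^[ \t]*(#.*)?$/          { next }            # blank lines and comments
        /^[ \t-]*[^ \t]+:[ \t]*$/ { next }            # key that only opens a nested map
        !/ENC\[AES256_GCM,/       { bad = 1 }         # plaintext value found
        END                       { exit bad + 0 }
    ' "$1"
}

# Check the files about to be committed; prints findings, returns 1 on any.
check_commit_safe() {
    rc=0
    for f in "$@"; do
        if contains_age_private_key "$f"; then
            echo "BLOCK: $f contains an age private key" >&2; rc=1
        fi
        case "$f" in
            *secrets*.yaml|*secrets*.yml)
                is_sops_encrypted "$f" || {
                    echo "BLOCK: $f is not sops-encrypted" >&2; rc=1
                } ;;
        esac
    done
    return $rc
}

# Usage: sh check.sh $(git diff --cached --name-only)
if [ "$#" -gt 0 ]; then check_commit_safe "$@"; fi
```

Wired into a pre-commit hook, this stops both a staged age.key and a secrets.yaml that was saved without going through sops.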