1、安装工具

sudo apt update
sudo apt install gnupg -y
wget https://github.com/getsops/sops/releases/download/v3.10.2/sops-v3.10.2.linux.amd64
mv sops-v3.10.2.linux.amd64 /usr/local/bin/sops 
chmod +x /usr/local/bin/sops

2、生成加密文件

gpg --full-generate-key

详情如下

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
…
选择默认 (1)，按回车。

接下来是设置密钥长度，推荐使用 4096：
What keysize do you want? (2048)
4096

再设置有效期，比如：
Key is valid for? (0)
0 # 0 表示永久

再输入你的身份信息：
Name: 你的名字（比如 DevOps Admin）
Email: 用来识别密钥的邮箱地址（比如 devops@example.com）
Comment: 可以留空

然后确认并设置一个密钥密码。这个地方会要求输入两次，都是输完按回车键

如下示例

# gpg --full-generate-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.Please select what kind of key you want:(1) RSA and RSA (default)(2) DSA and Elgamal(3) DSA (sign only)(4) RSA (sign only)(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.0 = key does not expire<n>  = key expires in n days<n>w = key expires in n weeks<n>m = key expires in n months<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) yGnuPG needs to construct a user ID to identify your key.Real name: admin
Email address: admin@example.com
Comment: 
You selected this USER-ID:"admin <admin@example.com>"Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 80FD02B101FD87A9 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/2EBCED7EB8AAB81DFAD604CB80FD02B101FD87A9.rev'
public and secret key created and signed.pub   rsa4096 2025-04-16 [SC]2EBCED7EB8AAB81DFAD604CB80FD02B101FD87A9
uid                      admin <admin@example.com>
sub   rsa4096 2025-04-16 [E]

3、查看你生成的密钥指纹（Fingerprint）

# gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/root/.gnupg/pubring.kbx
------------------------
pub   rsa4096 2025-04-16 [SC]2EBCED7EB8AAB81DFAD604CB80FD02B101FD87A9
uid           [ultimate] admin <admin@example.com>
sub   rsa4096 2025-04-16 [E]

上面那串 2EBC… 就是你用于后续 .sops.yaml 配置的 PGP key ID

4、配置 .sops.yaml

# cat .sops.yaml

creation_rules:- path_regex: secrets-.*\.yamlpgp: "2EBCED7EB8AAB81DFAD604CB80FD02B101FD87A9"

确保 pgp 后面的值与你上一步看到的 key fingerprint 一致

5、测试加密文件
1）创建明文加密文件

# cat secrets-dev.yaml 
config_secret:db:use: adminpasswd: "Aa123456"

2）加密操作

# sops -e secrets-dev.yaml > secrets-dev.enc.yaml

3）查看加密后文件内容

# cat secrets-dev.enc.yaml 
config_secret:db:use: ENC[AES256_GCM,data:JKhLeJY=,iv:pTOXYAYGlEk0Ag7qUveaxJB9kUhdzrFM1X12qazlgb8=,tag:CLG0PygT5nX+QakMYX9ZbQ==,type:str]passwd: ENC[AES256_GCM,data:HGsPNph7LWk=,iv:Z20Z4MLw/AqpMsSFOCiwTuQ73pPj8OEp12NR5YmsAsg=,tag:tiRYys7lpcpe3N5levxvsQ==,type:str]
sops:lastmodified: "2025-04-16T07:57:12Z"mac: ENC[AES256_GCM,data:szEvsHuxR65dASr2SxVxgbZ+CJ9mPvROPy42KngFLnpASW7a6e8w6R1+SBOuPulJfEjHWX5Th1LEWhPVbwd5St5lgQD16jVBKEEbXDvlYQ5++0xZ2TG62HjaCAD2V9aKwt3MHC+wJr2xBDyVrkHqLvgN/wtleedTGNm5xQ35MVg=,iv:+APVv4kCbdf/tE1e3uFbUoBI1LParkoHU8dXHHAP42s=,tag:GznQUbGd4mj3yfyF3+GX8w==,type:str]pgp:- created_at: "2025-04-16T07:57:12Z"enc: |------BEGIN PGP MESSAGE-----hQIMA4AJcCK8KwnfAQ/8CzCfLAJHtCzS9RcyjNzUKZx86PR69B4iSMwpP7BfNKboggkTwsfeI/bfKtck653Xj4gnJFVbmxOzIhwtD7MIqCdrHvS95dMLB2f9LJu4YiNnfCUvIUEWsIJG6TYwqniW/rxC/9wRb0M9Nv3lKcA2ozwDDNElLVD3D5WsTMxf5O9X6k8w67ZBmmQ/tIEfTwZj3cop/WaO6uPaZf8fs93dixkjHqRLjpkjhZgKeCiu1b/9UgQNbzJPqV/+m8JgsjSq+HQUkdFHa9I/C8A7pTDCPPFqVY2uxMCUnc2yq9iechPXoHQxJgPxJH2t4/v5Z8js28GlGNAeOduUeNn1LyeA8o50BlznnmRcLDlHcaSdlPSaT6QbzKQbbWVADI1DAd8PclqdEWFIPiywdPs3WSUFGjGykUCpoGGNLngVR/71fRAJ1TLMd/Co5PQoNRfG8H+4COLWqNIg47XJWZrUcNZtNtY/VdBHBoZ/RrXNxhuBWNtLrkcFv0j0iJ5EpUPfLHnfdtA3rYjq9cr20wahA4m45ATMxSMn+A9Uqlf/C2xcBgYPYvT6xE+tpTqffV2ykEolMJrErVm7U+CbQgOK4s+FR6S70aCyWe3rHkummEc44S2UML90A+rC6IF4bsZwyEnckWjVG8uDeOQ2BV3VbTiebTPSoWnxoH9cXA2D+oSA1wLSXgGOMFa4TiFLK4F7F8gSxNAvKVSIuz+1sqdTbUuwn+vSNYIhd4AHZuiSXLkY3QnSdfEX8ZvkaLRL+ZFNOuEfZ/xVLNruStpvzKwZ/ApZ8t4KLgBAtZtZ/t+Z0Nih8WI==mz3B-----END PGP MESSAGE-----fp: 2EBCED7EB8AAB81DFAD604CB80FD02B101FD87A9unencrypted_suffix: _unencryptedversion: 3.10.2

4）创建一个不加密的明文文件

# cat values.yaml
config:db:host: localhostport: "5432"name: observablesslmode: disable

5）创建需要创建secrent的yaml文件

# cat secrets.yaml 
apiVersion: v1
kind: Secret
metadata:name: {{ include "project-api-server.fullname" . }}labels:{{- include "project-api-server.labels" . | nindent 4 }}
type: Opaque
stringData:service.conf: |title = "project-api-server"[project-api]listen = ":{{ .Values.app.port }}"dbobservable = "postgres://{{ .Values.config_secrets.db.user}}:{{ .Values.config_secrets.db.passwd }}@{{ .Values.config.db.host }}:{{ .Values.config.db.port }}/{{ .Values.config.db.name }}?sslmode={{ .Values.config.db.sslmode }}"schema = "rs"

6）我们可以直接解密

helm secrets decrypt secrets-test.yaml

或者

#导入解密密钥ln -s /root/.gnupg $HOME && ln -s /root/.local $HOME
# helm更新的时候直接解密helm secrets $args upgrade $PROJECT $PROJECT --install \-n $ns \-f $PROJECT/secrets-$ENV.yaml