
sops (experimental)

mise reads encrypted secret files and makes values available as environment variables via env._.file.

  • Formats: .env.json, .env.yaml, .env.toml
  • Encryption: sops backed by age

Example

json
{
  "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
  "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
mise.toml
toml
[env]
_.file = ".env.json"

mise will automatically decrypt the file if it is sops-encrypted.

Encrypt with sops

INFO

Currently age is the only sops encryption method supported.

  1. Install tools: mise use -g sops age

  2. Generate an age key and note the public key:

sh
age-keygen -o ~/.config/mise/age.txt
# Public key: <public key>
  3. Encrypt the file:

sh
sops encrypt -i --age "<public key>" .env.json

TIP

The -i flag encrypts in place, overwriting the file. The encrypted file is safe to commit. Set SOPS_AGE_KEY_FILE=~/.config/mise/age.txt or MISE_SOPS_AGE_KEY_FILE=~/.config/mise/age.txt to decrypt/edit with sops.

  4. Reference it in config:

toml
[env]
_.file = ".env.json"

Now mise env exposes the values.

Environment Variables

mise supports both mise-specific environment variables and standard SOPS ones:

Mise-specific variables (highest priority):

  • MISE_SOPS_AGE_KEY - Age private key content directly
  • MISE_SOPS_AGE_KEY_FILE - Path to age private key file

Standard SOPS variables (fallback):

  • SOPS_AGE_KEY_FILE - Path to age private key file
  • SOPS_AGE_KEY - Age private key content directly

Precedence order:

  1. MISE_SOPS_AGE_KEY (mise setting or env var, checked first)
  2. MISE_SOPS_AGE_KEY_FILE or sops.age_key_file (mise setting or env var)
  3. SOPS_AGE_KEY_FILE (standard)
  4. SOPS_AGE_KEY (standard, direct key content)
  5. Default: ~/.config/mise/age.txt

This allows you to override SOPS settings specifically for mise while keeping your standard SOPS configuration intact for other tools.

Redaction

Mark secrets from files as sensitive:

toml
[env]
_.file = { path = ".env.json", redact = true }

Work with redacted values:

bash
mise env --redacted
mise env --redacted --values

CI masking (GitHub Actions)

yaml
- name: Mask secrets
  run: |
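    # Read one value per line so values containing spaces or glob characters are masked whole
    mise env --redacted --values | while IFS= read -r value; do
      echo "::add-mask::$value"
    done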
- name: Use secrets safely
  run: |
    mise exec -- ./deploy.sh

If you use mise-action, values marked redact = true are masked automatically.

Settings

sops.age_key

  • Type: string (optional)
  • Env: MISE_SOPS_AGE_KEY
  • Default: None

The age private key to use for sops secret decryption. Takes precedence over the standard SOPS_AGE_KEY environment variable.

sops.age_key_file

  • Type: Path
  • Env: MISE_SOPS_AGE_KEY_FILE
  • Default: ~/.config/mise/age.txt

Path to the age private key file for sops secret decryption. Takes precedence over the standard SOPS_AGE_KEY_FILE environment variable.

sops.age_recipients

  • Type: string (optional)
  • Env: MISE_SOPS_AGE_RECIPIENTS
  • Default: None

The age public keys to use for sops secret encryption.

sops.rops

  • Type: Bool
  • Env: MISE_SOPS_ROPS
  • Default: true

Use rops to decrypt sops files. Disable to shell out to sops instead, which slows mise down but may offer features not available in rops.

sops.strict

  • Type: Bool
  • Env: MISE_SOPS_STRICT
  • Default: true

If true, fail when sops decryption fails (including when sops is not available, the key is missing, or the key is invalid). If false, skip decryption and continue in these cases.

Licensed under the MIT License. Maintained by @jdx and friends.