
sops experimental

mise reads encrypted secret files and makes values available as environment variables via env._.file.

  • Formats: .env.json, .env.yaml, .env.toml
  • Encryption: sops backed by age

Example

json
{
  "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
  "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

mise.toml
toml
[env]
_.file = ".env.json"

mise will automatically decrypt the file if it is sops-encrypted.

Encrypt with sops

INFO

Currently age is the only sops encryption method supported.

  1. Install tools: mise use -g sops age

  2. Generate an age key and note the public key:

sh
age-keygen -o ~/.config/mise/age.txt
# Public key: <public key>

  3. Encrypt the file:

sh
sops encrypt -i --age "<public key>" .env.json

TIP

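The -i flag overwrites the file in place with its encrypted form. The encrypted file is safe to commit. Keep the age private key (~/.config/mise/age.txt) out of the repository. Set SOPS_AGE_KEY_FILE=~/.config/mise/age.txt to decrypt/edit with sops.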

  4. Reference it in config:

toml
[env]
_.file = ".env.json"

Now mise env exposes the values.
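
A check that .env.json really is sops-encrypted before it is committed, as an added example (not part of mise or sops): it walks the JSON and reports any leaf that is not an ENC[...] value, plus a missing age recipient. The function names and both sample documents are constructed for illustration; it assumes the JSON layout sops writes (ENC[AES256_GCM,...] values, a top-level "sops" block, and the default "_unencrypted" key suffix).

```python
import json
import re

# A sops-encrypted scalar looks like ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,]*,iv:[^,]+,tag:[^,]+,type:\w+\]$")

def plaintext_leaves(node, path=""):
    """Return the paths of leaf values that are not sops ciphertext."""
    if isinstance(node, dict):
        found = []
        for key, value in node.items():
            # sops leaves keys ending in _unencrypted (its default suffix) in clear
            if key.endswith("_unencrypted"):
                continue
            found += plaintext_leaves(value, f"{path}.{key}" if path else key)
        return found
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in plaintext_leaves(v, f"{path}[{i}]")]
    if isinstance(node, str) and ENC_RE.match(node):
        return []
    return [path]

def audit_sops_json(text):
    """Return a list of problems; an empty list means the file looks encrypted."""
    doc = json.loads(text)
    meta = doc.pop("sops", None)  # metadata block added by sops
    problems = []
    if not isinstance(meta, dict):
        problems.append("no sops metadata block")
    elif not any(r.get("recipient", "").startswith("age1") for r in meta.get("age") or []):
        problems.append("no age recipient in sops metadata")
    problems += [f"plaintext value at {p}" for p in plaintext_leaves(doc)]
    return problems

# Constructed samples: a plaintext file like the page's example, and the shape sops
# writes after `sops encrypt` (ciphertext fields are placeholders, not real output).
PLAIN = '{"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", "AWS_SECRET_ACCESS_KEY": "x"}'
ENCRYPTED = json.dumps({
    "AWS_ACCESS_KEY_ID": "ENC[AES256_GCM,data:AAAA,iv:BBBB,tag:CCCC,type:str]",
    "AWS_SECRET_ACCESS_KEY": "ENC[AES256_GCM,data:DDDD,iv:EEEE,tag:FFFF,type:str]",
    "sops": {"age": [{"recipient": "age1placeholder", "enc": "<armored key>"}],
             "mac": "ENC[AES256_GCM,data:GGGG,iv:HHHH,tag:IIII,type:str]"},
})

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("encrypted", ENCRYPTED)):
        print(name, audit_sops_json(sample) or "ok")
```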

Redaction

Mark secrets from files as sensitive:

toml
[env]
_.file = { path = ".env.json", redact = true }

Work with redacted values:

bash
mise env --redacted
mise env --redacted --values

CI masking (GitHub Actions)

yaml
- name: Mask secrets
  run: |
    for value in $(mise env --redacted --values); do
      echo "::add-mask::$value"
    done
- name: Use secrets safely
  run: |
    mise exec -- ./deploy.sh

If you use mise-action, values marked redact = true are masked automatically.

Settings

sops.age_key

  • Type: string (optional)
  • Env: MISE_SOPS_AGE_KEY
  • Default: None

The age private key to use for sops secret decryption.

sops.age_key_file

  • Type: Path
  • Env: MISE_SOPS_AGE_KEY_FILE
  • Default: ~/.config/mise/age.txt

Path to the age private key file to use for sops secret decryption.

sops.age_recipients

  • Type: string (optional)
  • Env: MISE_SOPS_AGE_RECIPIENTS
  • Default: None

The age public keys to use for sops secret encryption.

sops.rops

  • Type: Bool
  • Env: MISE_SOPS_ROPS
  • Default: true

Use rops to decrypt sops files. Disable this to shell out to sops instead, which slows mise down, although sops may offer features not available in rops.

sops.strict

  • Type: Bool
  • Env: MISE_SOPS_STRICT
  • Default: true

If true, fail when sops decryption fails (including when sops is not available, the key is missing, or the key is invalid). If false, skip decryption and continue in these cases.

Licensed under the MIT License. Maintained by @jdx and friends.