1. Generate an age key pair with `age-keygen -o key.txt`; store the private key securely (local keychain or a secrets manager) and record the public key.
2. Create a `.sops.yaml` file at the repo root specifying `age` recipients via `creation_rules`, each matched to your secret files by a `path_regex` pattern.
3. Encrypt a Secret manifest with `sops --encrypt secret.yaml > secret.enc.yaml`; commit the encrypted file to Git and add the plaintext file to `.gitignore`.
4. In your CD pipeline, set the `SOPS_AGE_KEY` environment variable (from a CI secret) and decrypt with `sops --decrypt secret.enc.yaml | kubectl apply -f -`.
5. For Flux, install the SOPS decryption provider by referencing the age private key in a cluster Secret and configuring the Kustomization's `spec.decryption.provider: sops`.
6. Rotate the age key by re-encrypting all files with `sops updatekeys` after adding the new recipient to `.sops.yaml`.
Known gotchas
- SOPS encrypts values but leaves keys (field names) in plaintext — avoid using field names that reveal sensitive context (e.g., do not name a field `aws_prod_root_password`).
- If `.sops.yaml` `creation_rules` do not match a file's path, SOPS uses defaults which may encrypt with the wrong key or fail — verify rule matching with `sops filestatus <file>`.
- The age private key must be available at decrypt time; losing it makes encrypted secrets permanently unrecoverable — back it up to at least two secure, independent locations.
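Added example (not part of the original page) tying steps 2 to 4 and the first two gotchas together: it writes a `.sops.yaml` whose rules match by `path_regex` and use `encrypted_regex` so the Secret's `apiVersion`, `kind` and `metadata` stay readable by kubectl and Flux, checks rule matching offline, and runs the encrypt/decrypt round trip when `sops` and `age-keygen` are installed. The directory layout, regexes, default recipient and the sample Secret are assumptions or constructed placeholders.

```shell
# Added example, not from the original page. write_sops_config and rule_matches
# run anywhere; roundtrip needs sops and age-keygen on PATH (else returns 2).
# .sops.yaml: rules match by regex (path_regex). encrypted_regex restricts
# encryption to data/stringData so apiVersion, kind and metadata stay readable
# by kubectl and Flux. The default recipient is a constructed placeholder.
write_sops_config() {
  cat > "$1" <<EOF
creation_rules:
  - path_regex: ^k8s/.*/secrets/.*\.yaml$
    encrypted_regex: ^(data|stringData)$
    age: ${2:-age1PLACEHOLDER_paste_public_key_from_age-keygen}
EOF
}
# Offline check for the "no matching creation rule" gotcha: returns 0 when a
# repo-relative path hits the rule above (keep the regex in sync with it).
rule_matches() {
  printf '%s\n' "$1" | grep -Eq '^k8s/.*/secrets/.*\.yaml$'
}
# Encrypt/decrypt round trip of a constructed Secret in a temp dir; returns 0
# only if the decrypted manifest still carries the original value.
roundtrip() {
  command -v sops >/dev/null 2>&1 && command -v age-keygen >/dev/null 2>&1 || return 2
  tmp=$(mktemp -d) || return 1
  age-keygen -o "$tmp/key.txt" 2>/dev/null || return 1
  write_sops_config "$tmp/.sops.yaml" "$(awk '/public key:/ {print $NF}' "$tmp/key.txt")"
  mkdir -p "$tmp/k8s/prod/secrets"
  cat > "$tmp/k8s/prod/secrets/db.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: db
stringData:
  password: constructed-sample-value
EOF
  (
    cd "$tmp" || exit 1
    sops --encrypt k8s/prod/secrets/db.yaml > k8s/prod/secrets/db.enc.yaml || exit 1
    # Field names and kind stay plaintext; the value must not appear in the clear.
    grep -q '^kind: Secret' k8s/prod/secrets/db.enc.yaml || exit 1
    grep -q 'constructed-sample-value' k8s/prod/secrets/db.enc.yaml && exit 1
    # Same decrypt step the CD pipeline runs, key supplied via SOPS_AGE_KEY.
    SOPS_AGE_KEY=$(cat key.txt) sops --decrypt k8s/prod/secrets/db.enc.yaml |
      grep -q 'password: constructed-sample-value'
  )
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}
```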