---
title: "SOPS: Storing Secrets"
summary: How to Store Secrets Using SOPS
---

# SOPS: Storing Secrets

Some guidance on how to store secrets using [SOPS](../concepts-and-configurations/sops.md). For a guide on how to set up SOPS for a new host, see [SOPS: New Host](./sops-new-host.md).

1. For storing host-specific secrets, open the host-specific SOPS file:

    ```
    sops inventories//host_vars/.sops.yaml
    ```

    For inventory-wide secrets, open the inventory's `all` group SOPS file:

    ```
    sops inventories//group_vars/all.sops.yaml
    ```

2. Now the secrets can be added to the opened file. Because we're using the `community.sops.sops` vars plugin, the stored secrets will then be exposed as Ansible variables. Note that SOPS only encrypts the values, not the keys, so variable names remain readable in the stored file. When creating entries, try to adhere to the following variable naming conventions:

    - Prefix variable names with `secret__` if they are intended to be used in a template file or similar, e.g.:

        ```yaml
        secret__netbox_secret_key: secret_value
        ```

    - Otherwise, if the variable is directly consumed by a role or similar, set the variable directly, e.g.:

        ```yaml
        netbox__db_password: secret_value
        ```

3. After closing the editor, the secrets are stored. In Ansible they are exposed as variables and can be used like any other variable.
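Since SOPS leaves keys readable and a file edited outside `sops` keeps its values in plaintext, a pre-commit check can confirm that every value in a stored file is an `ENC[...]` string. The following is an added example, not part of the original guide or the project's own code. The function name `plaintext_values` and the sample file content are constructed for illustration, and the scan is line-based rather than a full YAML parser.

```python
# Added example: flag values in a SOPS YAML file that are not encrypted.
# Assumption: line-based scan of "key: value" and "- item" lines, no YAML library.

# Constructed sample: first entry was saved through `sops`, second was typed
# in with a plain editor and is therefore still plaintext.
SOPS_SAMPLE = """\
secret__netbox_secret_key: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
netbox__db_password: secret_value
sops:
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:cXV4,iv:YmFy,tag:YmF6,type:str]
    version: 3.8.1
"""


def plaintext_values(text):
    """Return [(line_no, key)] for values outside `sops:` that are not ENC[...]."""
    findings = []
    in_sops_meta = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        # The top-level `sops:` block is SOPS metadata and is plaintext by design.
        if len(line) - len(line.lstrip()) == 0:
            in_sops_meta = stripped.startswith("sops:")
        if in_sops_meta:
            continue
        item = stripped[2:].strip() if stripped.startswith("- ") else stripped
        key, sep, value = item.partition(":")
        if sep and (value == "" or value.startswith(" ")):
            value = value.strip()
        else:
            # No "key: " prefix, so this is a bare list item (ENC[...] contains colons).
            key, value = "<list item>", item
        if value == "":
            continue  # key opens a nested mapping or list
        if not value.startswith("ENC["):
            findings.append((no, key.strip()))
    return findings


if __name__ == "__main__":
    for line_no, key in plaintext_values(SOPS_SAMPLE):
        print(f"line {line_no}: value of {key!r} is not encrypted")
```

Note that the report itself prints key names, which is safe only because SOPS never encrypts them in the first place.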