Allow encryption to keep unmodified parts

[vbezhenar]

This is feature request.

My usage of sops probably differs a bit from what it was intended. I'm using gitignore to keep in repository encrypted files and decrypted files are not commited. I also have simple scripts to encrypt/decrypt changed files. So basically I have decrypted files in my local repository and encrypted files in the git.

When I'm using sops encrypt multiple times, this command returns completely different output each time, which is expected, I guess. But that means that if I changed one line in the decrypted file, it'll result in completely changed encrypted file which is not nice for diffs.

When I'm using sops edit command, it works as expected. However I have to use workflow with editor which is not convenient for me (for example I can't do mass search/replace in my secret values across many files).

What I end up using is the following command:

      EDITOR="cp '${input}'" sops edit "${output}"

It works, but obviously that wasn't intended usage of this command.

I think that it would be nice to add some way to specify output file name for sops encrypt command and with this invocation, sops encrypt would work similarly to sops edit, by encrypting only changed parts. Or add input parameter to sops edit command.

[felixfontein]

How about a command sops replace, that given a SOPS-encrypted file and an unencrypted file replaces the encrypted file's contents with the ones of the unencrypted file? I think that's basically what you need, and I think having it a separate command makes it cleaner than somehow incorporating it into sops encrypt or sops edit.