diff --git a/cmd/sops/codes/codes.go b/cmd/sops/codes/codes.go
index 7aea67e80..ecf45f6c1 100644
--- a/cmd/sops/codes/codes.go
+++ b/cmd/sops/codes/codes.go
@@ -19,6 +19,7 @@ const (
 MacMismatch int = 51
 MacNotFound int = 52
 ConfigFileNotFound int = 61
+ NoMetadataFound int = 70
 KeyboardInterrupt int = 85
 InvalidTreePathFormat int = 91
 NeedAtLeastOneDocument int = 92
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index c78b51478..6bcf8f98d 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -1022,6 +1022,8 @@ func toExitError(err error) error {
 return cliErr
 } else if execErr, ok := err.(*osExec.ExitError); ok && execErr != nil {
 return cli.NewExitError(err, execErr.ExitCode())
+ } else if sopsErr, ok := err.(*sops.SopsError); ok && sopsErr != nil {
+ return cli.NewExitError(err, sopsErr.ExitCode())
 } else if err != nil {
 return cli.NewExitError(err, codes.ErrorGeneric)
 }
diff --git a/sops.go b/sops.go
index 827a5ee5b..c72a41077 100644
--- a/sops.go
+++ b/sops.go
@@ -47,6 +47,7 @@ import (
 "time"
 
 "github.com/getsops/sops/v3/audit"
+ "github.com/getsops/sops/v3/cmd/sops/codes"
 "github.com/getsops/sops/v3/keys"
 "github.com/getsops/sops/v3/keyservice"
 "github.com/getsops/sops/v3/logging" "
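Review bot: The new branch in toExitError only fires when the `*sops.SopsError` is the top-level error value, because the plain type assertion `err.(*sops.SopsError)` does not unwrap; a `MacMismatch` that any caller wrapped with `fmt.Errorf("...: %w", err)` on the way up falls through to `codes.ErrorGeneric`, so a pipeline that gates on exit code 51 to detect a tampered file would see a generic failure instead. Use errors.As, e.g. declare `var sopsErr *sops.SopsError` ahead of the chain and write `} else if errors.As(err, &sopsErr) {`, keeping `return cli.NewExitError(err, sopsErr.ExitCode())` (add the `errors` import if main.go lacks it). The pre-existing `*osExec.ExitError` branch has the same limitation. Also worth checking: if the first branch (outside the hunk) is the usual `err.(cli.ExitCoder)` assertion, `*sops.SopsError` already satisfies that interface through its `Error()`/`ExitCode()` methods, and the new branch would never be reached. toExitError's body starts and ends outside the hunk.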
@@ -58,17 +59,30 @@ import (
 // DefaultUnencryptedSuffix is the default suffix a TreeItem key has to end with for sops to leave its Value unencrypted
 const DefaultUnencryptedSuffix = "_unencrypted"
 
-type sopsError string
+type SopsError struct {
+ exitCode int
+ message string
+}
+
+func (e SopsError) ExitCode() int {
+ return e.exitCode
+}
 
-func (e sopsError) Error() string {
- return string(e)
+func (e SopsError) Error() string {
+ return e.message
 }
 
 // MacMismatch occurs when the computed MAC does not match the expected ones
-const MacMismatch = sopsError("MAC mismatch")
+var MacMismatch = &SopsError{codes.MacMismatch, "MAC mismatch"}
 
 // MetadataNotFound occurs when the input file is malformed and doesn't have sops metadata in it
-const MetadataNotFound = sopsError("sops metadata not found")
+var MetadataNotFound = &SopsError{codes.NoMetadataFound, "sops metadata not found"}
+
+// MACOnlyEncryptedInitialization is a constant and known sequence of 32 bytes used to initialize
+// MAC which is computed only over values which end up encrypted. That assures that a MAC with the
+// setting enabled is always different from a MAC with this setting disabled.
+// The following numbers are taken from the output of `echo -n sops | sha256sum` (shell) or `hashlib.sha256(b'sops').hexdigest()` (Python).
+var MACOnlyEncryptedInitialization = []byte{0x8a, 0x3f, 0xd2, 0xad, 0x54, 0xce, 0x66, 0x52, 0x7b, 0x10, 0x34, 0xf3, 0xd1, 0x47, 0xbe, 0xb, 0xb, 0x97, 0x5b, 0x3b, 0xf4, 0x4f, 0x72, 0xc6, 0xfd, 0xad, 0xec, 0x81, 0x76, 0xf2, 0x7d, 0x69}
 
 // MACOnlyEncryptedInitialization is a constant and known sequence of 32 bytes used to initialize
 // MAC which is computed only over values which end up encrypted. That assures that a MAC with the
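Review bot: The added `MACOnlyEncryptedInitialization` comment and `var` sit directly above two context lines carrying the identical comment text, which suggests the file already declares this variable just below the hunk; if that existing `var MACOnlyEncryptedInitialization = ...` is still present, the package block has two declarations of the same name and will not compile, so the added copy (the four `+//` lines and the `+var`) should be dropped — this looks like a rebase artifact, but confirm against the full file. Separately, `MacMismatch` and `MetadataNotFound` change from constants to exported pointer variables, so an importing package can reassign them (for example to a SopsError carrying a different exit code), and identity comparison silently stops working for any copy made via `*sops.MacMismatch`; a doc line such as `// MacMismatch is a sentinel error; compare with errors.Is and never reassign it.` (and likewise for MetadataNotFound) would make that contract explicit. The hunk header and trailing context indicate this hunk is complete within the view.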