Wraps Mozilla SOPS and age encryption so Claude can generate and rotate secrets without ever seeing plaintext values. You get tools to create encrypted YAML files with generated passwords, external credentials, and derived hashes like Authelia's PBKDF2 format. The server encrypts everything against your age public key before returning it, and there's deliberately no decrypt tool exposed to the MCP client. Rotation regenerates random secrets and cascades changes to derived values automatically. Designed for the pattern where you commit encrypted secrets to git and your CI pipeline holds the one age private key needed to decrypt at deploy time. Saves you from running Vault for a handful of API keys.
claude mcp add --transport stdio privacyplaybook-sops-mcp -- uvx sops-mcp