diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 889dd3ec4..08822fa04 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -161,6 +161,10 @@ func main() {
 					Name:  "user",
 					Usage: "the user to run the command as",
 				},
+				cli.StringFlag{
+					Name:  "extract",
+					Usage: "extract a specific key or branch from the input document. Example: --extract '[\"somekey\"][0]'",
+				},
 			}, keyserviceFlags...),
 			Action: func(c *cli.Context) error {
 				if c.NArg() != 2 {
@@ -178,6 +182,12 @@ func main() {
 				if err != nil {
 					return toExitError(err)
 				}
+
+				extract, err := parseTreePath(c.String("extract"))
+				if err != nil {
+					return common.NewExitError(fmt.Errorf("error parsing --extract path: %s", err), codes.InvalidTreePathFormat)
+				}
+
 				opts := decryptOpts{
 					OutputStore:     &dotenv.Store{},
 					InputStore:      inputStore,
@@ -186,6 +196,7 @@ func main() {
 					KeyServices:     svcs,
 					DecryptionOrder: order,
 					IgnoreMAC:       c.Bool("ignore-mac"),
+					Extract:         extract,
 				}
 
 				if c.Bool("background") {
@@ -239,6 +250,10 @@ func main() {
 					Name:  "filename",
 					Usage: "filename for the temporarily file (default: tmp-file)",
 				},
+				cli.StringFlag{
+					Name:  "extract",
+					Usage: "extract a specific key or branch from the input document. Example: --extract '[\"somekey\"][0]'",
+				},
 			}, keyserviceFlags...),
 			Action: func(c *cli.Context) error {
 				if c.NArg() != 2 {
@@ -251,6 +266,11 @@ func main() {
 				inputStore := inputStore(c, fileName)
 				outputStore := outputStore(c, fileName)
 
+				extract, err := parseTreePath(c.String("extract"))
+				if err != nil {
+					return common.NewExitError(fmt.Errorf("error parsing --extract path: %s", err), codes.InvalidTreePathFormat)
+				}
+
 				svcs := keyservices(c)
 
 				order, err := decryptionOrder(c.String("decryption-order"))
@@ -265,6 +285,7 @@ func main() {
 					KeyServices:     svcs,
 					DecryptionOrder: order,
 					IgnoreMAC:       c.Bool("ignore-mac"),
+					Extract:         extract,
 				}
 
 				output, err := decrypt(opts)
@@ -680,7 +701,7 @@ func main() {
 		},
 		cli.StringFlag{
 			Name:  "extract",
-			Usage: "extract a specific key or branch from the input document. Decrypt mode only. Example: --extract '[\"somekey\"][0]'",
+			Usage: "extract a specific key or branch from the input document. Example: --extract '[\"somekey\"][0]'",
 		},
 		cli.StringFlag{
 			Name:  "input-type",