Problem using sops with passphrase-protected age key file #933
Comments
So, can anyone help on this?
This is definitely a workaround, as the documentation for it isn't included in the sops command help output. Are passphrase-encrypted AGE secret keys designated an anti-pattern for sops usage? The documentation doesn't say much about how AGE should be used with sops, and this env var exists, so I'm thinking the answer is no here. If not, I believe the user experience should be improved here by automatically prompting for the key decryption passphrase, much like age itself does. I believe consistency in behavior here is what most users familiar with age would expect.
An alternative approach: decrypt to a file on tmpfs (won't be written to disk, will disappear on restart), and schedule the file to be removed some time in the future. The following works on Linux with systemd:

# decrypt to an ephemeral file (will be asked to enter the passphrase)
age -d -o /run/shm/keys.txt ~/.config/sops/age/keys
# schedule the file deletion in 1 hour from now
systemd-run --user -u age-clean --on-calendar "@$(date -d "+1hour" +%s)" rm /run/shm/keys.txt

The commands are tedious but can be integrated in some kind of workflow, and sops needs to be configured to look for private keys in
The benefit of this approach is that it can be used with the editor-sops integration (as long as you keep recreating the ephemeral decrypted key file). Disclaimer: I have just thought of this right now and haven't really tested it yet.
For me this isn't working anymore since sops
Update: This seems to happen because setting
When using the latest version of SOPS v3.8.1, I too notice the issue where sops fails to read the SOPS_AGE_KEY environment variable. SOPS version 3.7.3 does not exhibit this problem. The issue persists even when you remove the key files (

➜ SOPS_AGE_KEY=$(age -d ~/.config/sops/age/age-key.txt)
➜ ~/apps/sops/sops-v3.7.3.darwin.arm64 -d secret.enc.json|cat
───────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ STDIN
───────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ {
2 │ "password": "42"
3 │ }
───────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
➜ ~/apps/sops/sops-v3.8.1.darwin.arm64 -d secret.enc.json
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
age1zwzgl7q9l6hzhl4f2gqgcxc83gfgj3t932fw4wgrgluvxf6g7s0q6345vf: FAILED
- | failed to load age identities: failed to open
| SOPS_AGE_KEY_FILE file: open : no such file or directory
age1spwwvmnwyhe7urhckwwjejumcy45sch4htmrjur2g4ektetphulqysj7hm: FAILED
- | failed to load age identities: failed to open
| SOPS_AGE_KEY_FILE file: open : no such file or directory
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
➜

The issue you are experiencing is not related to
Still getting the same error when exporting or adding the environment variable before the binary:

➜ export SOPS_AGE_KEY=$(age -d ~/.config/sops/age/age-key.txt)
➜ ~/apps/sops/sops-v3.7.3.darwin.arm64 -d secret.enc.json|cat
───────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ STDIN
───────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ {
2 │ "password": "42"
3 │ }
───────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
➜ ~/apps/sops/sops-v3.8.1.darwin.arm64 -d secret.enc.json
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
age1zwzgl7q9l6hzhl4f2gqgcxc83gfgj3t932fw4wgrgluvxf6g7s0q6345vf: FAILED
- | failed to load age identities: failed to open
| SOPS_AGE_KEY_FILE file: open : no such file or directory
age1spwwvmnwyhe7urhckwwjejumcy45sch4htmrjur2g4ektetphulqysj7hm: FAILED
- | failed to load age identities: failed to open
| SOPS_AGE_KEY_FILE file: open : no such file or directory
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
➜ SOPS_AGE_KEY=$(age -d ~/.config/sops/age/age-key.txt) ~/apps/sops/sops-v3.8.1.darwin.arm64 -d secret.enc.json
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
age1zwzgl7q9l6hzhl4f2gqgcxc83gfgj3t932fw4wgrgluvxf6g7s0q6345vf: FAILED
- | failed to load age identities: failed to open
| SOPS_AGE_KEY_FILE file: open : no such file or directory
age1spwwvmnwyhe7urhckwwjejumcy45sch4htmrjur2g4ektetphulqysj7hm: FAILED
- | failed to load age identities: failed to open
| SOPS_AGE_KEY_FILE file: open : no such file or directory
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
➜

Did you set the
For me everything is working as expected, which means something is wrong on your end.

The

Are you 100% sure that the
Lines 248 to 255 in b6d3c97
As sure as I can be :)

➜ unset SOPS_AGE_KEY ; unset SOPS_AGE_KEY_FILE
➜ export SOPS_AGE_KEY_FILE= ; export SOPS_AGE_KEY= ;
➜ echo $SOPS_AGE_KEY_FILE $SOPS_AGE_KEY
➜ export SOPS_AGE_KEY=$(age -d ~/.config/sops/age/age-key.txt)
➜ ~/apps/sops/sops-v3.7.3.darwin.arm64 -d secret.enc.json|cat
───────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ STDIN
───────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ {
2 │ "password": "42"
3 │ }
───────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
➜ SOPS_AGE_KEY=$(age -d ~/.config/sops/age/age-key.txt) ~/apps/sops/sops-v3.8.1.darwin.arm64 -d secret.enc.json
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
age1zwzgl7q9l6hzhl4f2gqgcxc83gfgj3t932fw4wgrgluvxf6g7s0q6345vf: FAILED
- | failed to load age identities: failed to open
| SOPS_AGE_KEY_FILE file: open : no such file or directory
age1spwwvmnwyhe7urhckwwjejumcy45sch4htmrjur2g4ektetphulqysj7hm: FAILED
- | failed to load age identities: failed to open
| SOPS_AGE_KEY_FILE file: open : no such file or directory
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
➜ export SOPS_AGE_KEY_FILE=~/.config/sops/age/key.txt
➜ ~/apps/sops/sops-v3.7.3.darwin.arm64 -d secret.enc.json|cat
───────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ STDIN
───────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ {
2 │ "password": "42"
3 │ }
───────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
➜ ~/apps/sops/sops-v3.8.1.darwin.arm64 -d secret.enc.json|cat
───────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ STDIN
───────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ {
2 │ "password": "42"
3 │ }
───────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
➜

With

You were correct, it was my bad between unset vs export. Once I only unset the env var, that worked. Thanks for helping with that!
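As an added example (not code from sops, age, or anyone in this thread), here is a shell preflight that tells `unset SOPS_AGE_KEY_FILE` apart from `export SOPS_AGE_KEY_FILE=` (the mix-up resolved just above), together with a tighter variant of the tmpfs workaround proposed earlier in the thread. The names `var_state`, `sops_age_preflight`, `sops_with_ephemeral_key` and `AGE_TMPFS_DIR` are introduced here, and /dev/shm is assumed to be a tmpfs mount.

```shell
#!/bin/sh
# Added example, not code from sops or age. Two helpers for the situation in this
# thread: a preflight that tells "unset" apart from "exported but empty" for the
# SOPS_AGE_* variables, and a tighter version of the tmpfs workaround above.

# var_state SET_MARKER VALUE -> prints one of: unset | empty | set
# Call it as: var_state "${NAME+x}" "${NAME-}"
# ${NAME+x} expands to "x" whenever NAME exists, even with a zero-length value,
# which is exactly what `export NAME=` produces and `unset NAME` does not.
var_state() {
  if [ -z "$1" ]; then echo unset
  elif [ -z "$2" ]; then echo empty
  else echo set
  fi
}

# sops_age_preflight -> 0 and a one-line summary if the environment is usable,
# 1 and a message on stderr otherwise. The failure reproduced in this thread
# (an empty SOPS_AGE_KEY_FILE making sops try to open "") is caught here.
sops_age_preflight() {
  key=$(var_state "${SOPS_AGE_KEY+x}" "${SOPS_AGE_KEY-}")
  file=$(var_state "${SOPS_AGE_KEY_FILE+x}" "${SOPS_AGE_KEY_FILE-}")
  if [ "$key" = empty ] || [ "$file" = empty ]; then
    echo "a SOPS_AGE_* variable is exported with an empty value; use 'unset NAME', not 'export NAME='" >&2
    return 1
  fi
  if [ "$file" = set ] && [ ! -r "$SOPS_AGE_KEY_FILE" ]; then
    echo "SOPS_AGE_KEY_FILE is not readable: $SOPS_AGE_KEY_FILE" >&2
    return 1
  fi
  echo "SOPS_AGE_KEY=$key SOPS_AGE_KEY_FILE=$file"
}

# sops_with_ephemeral_key ENCRYPTED_IDENTITY_FILE [sops arguments...]
# Runs in a subshell so umask, trap and the environment change stay local.
# The decrypted identity is written 0600 into a tmpfs directory (/dev/shm is
# assumed to be tmpfs; override with AGE_TMPFS_DIR) and removed when sops exits,
# rather than lingering until a scheduled cleanup job fires.
sops_with_ephemeral_key() (
  enc=$1; shift
  umask 077
  tmp=$(mktemp "${AGE_TMPFS_DIR:-/dev/shm}/age-identity.XXXXXX") || exit 1
  trap 'rm -f "$tmp"' EXIT INT TERM
  age -d -o "$tmp" "$enc" || exit 1        # age prompts for the key passphrase
  unset SOPS_AGE_KEY                        # one identity source only
  SOPS_AGE_KEY_FILE=$tmp sops "$@"
)
```

Source the file, run `sops_age_preflight` before invoking sops, and use `sops_with_ephemeral_key ~/.config/sops/age/keys -d secret.enc.json` when the identity file is passphrase-protected.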
Hey there,
I am currently trying out sops with the freshly released version 1.0.0 of age.
Creating passphrase-protected age key files seems rather easy:
https://github.com/FiloSottile/age#passphrase-protected-key-files
However, when I try to use these with sops I get the following error:
Am I missing something or is this currently not supported by sops?
I have not yet found any sops issues or documentation on this topic.