sops
Bug: upgrade to v3.10.* causes "could not create encrypted SSH identity: RSA key size is too small" error
I've upgraded sops binary from v3.8.1 to v3.10.2. Without changing any encrypted file, my decrypt attempts started failing due to this one error:
$ SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/my-prod-keys.txt" sops -d my-prod-shared-secrets.yaml
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
age1gzjg67ckfw0gqa8y60dq9uxcmr2hgjwlzpu55wyu9qjuq4h54yyqw3jf7t: FAILED
- | failed to load age identities: failed to get SSH identity:
| could not create encrypted SSH identity: RSA key size is too
| small
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
After some investigating, I realized that the error was due to my very old SSH RSA key. But the files are encrypted using age keys, not SSH.
It seems that this behavior is caused by this PR, which tries to parse the SSH key even when it is NOT NEEDED for encryption/decryption.
As a workaround I suggest something like:
SOPS_AGE_SSH_PRIVATE_KEY_FILE="$HOME/.ssh/my_ed25519" SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/my-prod-keys.txt" sops -d my-prod-shared-secrets.yaml
Or just create a new ~/.ssh/id_ed25519 SSH key (ssh-keygen -t ed25519 -C "[email protected]") and you can omit SOPS_AGE_SSH_PRIVATE_KEY_FILE in the command above.
SSH keys can be used for AGE (which is what 3.10 now supports).
Yes, I know it and it's a great feature! 😃 But in my opinion the SSH key should NOT be parsed every time an AGE encryption/decryption event occurs, because the file may be encrypted with a non-SSH AGE key (as in my case).
And that's why I didn't expect that, in addition to SOPS_AGE_KEY_FILE, I now also need to provide SOPS_AGE_SSH_PRIVATE_KEY_FILE (with a valid key: non-RSA or RSA with keysize 4096+) even if the SSH key is not used for my encrypted file 😇
It loads (and has to load) all keys that can be used for age, which includes the SSH key. If there isn't an SSH key it should ignore it.
Whether it should fail completely if it cannot parse all potential keys, that's a different question...
This is a very odd user experience though:
$ age-keygen -o ~/.config/sops/age/keys.txt
Public key: age12ky56grvnjx4teeud7jnt6h5ehsa4xcav43hd8exuyks9zveuaksfkj9wp
$ sops --encrypt --in-place secrets/development.container.env
$ sops secrets/development.container.env
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
age12ky56grvnjx4teeud7jnt6h5ehsa4xcav43hd8exuyks9zveuaksfkj9wp: FAILED
- | failed to load age identities: failed to get SSH identity:
| could not create encrypted SSH identity: RSA key size is too
| small
Recovery failed because no master key was able to decrypt the file. In order for SOPS to recover the file, at least one key has to be successful, but none were.
To make sops work, I have to move the .ssh directory
$ mv ~/.ssh ~/.ssh.bak
After that, it's happy again.
PS: There is a 20-year-old SSH key in there - that's causing the issue.
This also happens if you name your key wrong, e.g. naming an ECDSA key id_rsa instead of id_ecdsa. It tries to parse ECDSA as RSA and crashes.
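The maintainer's point above (load every identity that could serve age, but arguably do not fail outright when an optional one cannot be parsed) and the id_rsa-that-is-really-ECDSA case can be shown in a small loader. This is an added example written for this thread, not sops code and not the age library: it stands in PEM-encoded PKCS#1/PKCS#8 keys for the OpenSSH files sops actually reads, treats the age key file lines as opaque strings rather than real identities, and the 2048-bit minimum, the placeholder AGE-SECRET-KEY-1 line and the generated sample keys are all constructed for the demonstration. The behaviour it demonstrates is the one the reporters ask for: an explicitly provided SOPS_AGE_KEY_FILE identity survives even if the SSH identity is too small or is not RSA at all; loading only fails when no identity is usable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Constructed contents of an age identity file. The secret-key line is a
// placeholder in the AGE-SECRET-KEY-1... shape, not a real key.
const sampleAgeKeyFile = `# created: 2024-01-01T00:00:00Z
# public key: age1placeholderpublickeyfordemonstrationonly
AGE-SECRET-KEY-1PLACEHOLDERSECRETKEYFORDEMONSTRATIONONLY
`

// parseAgeIdentities follows the identity-file layout: blank lines and '#'
// comments are skipped; every remaining line must be an AGE-SECRET-KEY-1 line.
func parseAgeIdentities(contents string) ([]string, error) {
	var ids []string
	for n, line := range strings.Split(contents, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, "AGE-SECRET-KEY-1") {
			return nil, fmt.Errorf("line %d: not an age secret key", n+1)
		}
		ids = append(ids, line)
	}
	return ids, nil
}

// checkRSAPrivateKey parses a PEM private key (PKCS#1, SEC 1 or PKCS#8; a
// stand-in for the OpenSSH format) and rejects keys that are not RSA or are
// smaller than minBits. Both failure modes from the thread surface here.
func checkRSAPrivateKey(pemBytes []byte, minBits int) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return errors.New("no PEM block found")
	}
	var key any
	var err error
	switch block.Type {
	case "RSA PRIVATE KEY":
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		key, err = x509.ParseECPrivateKey(block.Bytes)
	default:
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	}
	if err != nil {
		return err
	}
	rsaKey, ok := key.(*rsa.PrivateKey)
	if !ok {
		return fmt.Errorf("expected an RSA key, got %T", key)
	}
	if bits := rsaKey.N.BitLen(); bits < minBits {
		return fmt.Errorf("RSA key size is too small: %d bits (minimum %d)", bits, minBits)
	}
	return nil
}

// loadIdentities gathers every identity that could decrypt an age-encrypted
// file. An unusable SSH key is downgraded to a warning; the only hard error is
// a malformed explicit age key file or ending up with no identity at all.
func loadIdentities(ageKeyFile string, sshKeyPEM []byte, minBits int) (ids, warnings []string, err error) {
	if ageKeyFile != "" {
		if ids, err = parseAgeIdentities(ageKeyFile); err != nil {
			return nil, nil, fmt.Errorf("SOPS_AGE_KEY_FILE: %w", err)
		}
	}
	if len(sshKeyPEM) > 0 {
		if err := checkRSAPrivateKey(sshKeyPEM, minBits); err != nil {
			warnings = append(warnings, "skipping SSH identity: "+err.Error())
		} else {
			ids = append(ids, "ssh-rsa identity")
		}
	}
	if len(ids) == 0 {
		return nil, warnings, errors.New("no usable age identities found")
	}
	return ids, warnings, nil
}

// smallRSAKeyPEM builds a constructed 1024-bit RSA key, the "20 year old key" case.
func smallRSAKeyPEM() []byte {
	k, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)})
}

// ecKeyPEM builds a constructed P-256 key, the "ECDSA key named id_rsa" case.
func ecKeyPEM() []byte {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalECPrivateKey(k)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
}

func main() {
	for _, ssh := range [][]byte{smallRSAKeyPEM(), ecKeyPEM()} {
		ids, warnings, err := loadIdentities(sampleAgeKeyFile, ssh, 2048)
		fmt.Println("identities:", len(ids), "warnings:", warnings, "err:", err)
	}
}
```

With the tolerant loader, the decrypt in the thread proceeds with the SOPS_AGE_KEY_FILE identity and only logs the SSH problem; the original behaviour corresponds to returning the SSH error instead of appending it to warnings.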
Thanks for the hint. That resolved my issue as well. sops failed to load an unneeded encrypted key in the .ssh folder and did not try to load the key which I provided via the environment variable afterwards, i.e. decryption always failed.
I created a PR to fix this: #1898.