FiloSottile
age cant decrypt file with same key.txt
Environment
- OS: ubuntu 18.04 and macos 14.4
- age version: v1.2.1
What were you trying to do
I have a script that shows beloved, which backs my Sass database. How I'm using age while compress and encrypt the dump file.
this is happening on ubuntu
cat $CIHAN_FILE | xz | age -r [public-key] > $CIHAN_FILE.sql.xz.age
What happened
I still have the key.txt, but I can't decrypt the age files encrypted with the public key from key.txt using the same key.txt.
I'm trying to decrypt in macos
age -d -i key.txt cihan7-01_05_2025_18_00.sql.xz.age > cihan7-01_05_2025_18_00.sql.xz
age: error: failed to decrypt and authenticate payload chunk
age: report unexpected or unhelpful errors at https://filippo.io/age/report
I'm afraid the file might be corrupted or truncated. age refuses to decrypt these files for security reasons.
I've been planning to add an age-recovery binary for insecurely decrypting damaged files.
same issue for me (I don't understand):
machine 1:
$ md5sum docker/vault/.vault_pass.txt
06241c204e3af468ae42635413a4045c docker/vault/.vault_pass.txt
$ md5sum docker/vault/data/vault_backup_20251002_073505.json.enc
d77b0176074eace68247d145a3806d35 docker/vault/data/vault_backup_20251002_073505.json.enc
$ uname -a
Linux 6.15.11-orbstack-00541-g75ba6c23ed9d #1 SMP PREEMPT Sat Sep 27 07:35:19 UTC 2025 x86_64 GNU/Linux
$ age --version
v1.2.1
$ age --decrypt -i docker/vault/.vault_pass.txt -o /tmp/decrypt-2.json docker/vault/data/vault_backup_20251002_073505.json.enc
age: error: no identity matched any of the recipients
age: report unexpected or unhelpful errors at https://filippo.io/age/report
machine 2:
/ # md5sum /vault/.vault_pass.txt
06241c204e3af468ae42635413a4045c /vault/.vault_pass.txt
/ # md5sum /vault/backups/
Readme.md vault_backup_20251002_073505.json.enc vault_backup_20251002_073505.json.sha256
/ # md5sum /vault/backups/vault_backup_20251002_073505.json.enc
d77b0176074eace68247d145a3806d35 /vault/backups/vault_backup_20251002_073505.json.enc
/ # age --version
1.2.1
/ # age --decrypt -o /tmp/vault_backup_20251002_073505.json -i /vault/.vault_pass.txt /vault/backups/vault_backup_20251002_073505.json.enc
/ # uname -a
Linux 8d4cd67f356f 6.15.11-orbstack-00541-g75ba6c23ed9d #1 SMP PREEMPT Sat Sep 27 07:35:19 UTC 2025 aarch64 Linux
- If i encrypt a file on machine1 then machine2 can not decrypt this file
- If i encrypt a file on machine2 then machine1 can not decrypt this file
I am seeing a similar issue. I am on macOS Tahoe on a M1 mac, and am running age inside of a colima virtual machine.
For reference, this worked fine last week before I upgraded from Sonoma to Tahoe.
I'm suspecting this is a Rosetta issue because:
- I can successfully decrypt in my macOS terminal outside of the colima VM.
- I can successfully decrypt inside of the colima VM running the aarch64 version of the
ageexecutable. - It fails to decrypt when running the x86-64 executable inside of the colima VM:
root@colima:~# x86-64/age/age --decrypt -i key.txt /tmp/file.age
age: error: no identity matched any of the recipients
age: report unexpected or unhelpful errors at https://filippo.io/age/report
The same x86-64 executable will successfully decrypt when run on a real amd64 machine (i.e. no Rosetta).
So, given all that, this feels like a Rosetta bug that was introduced between macOS Sonoma and Tahoe. I don't think this is your responsibility to fix, but I have no idea how to submit this to Apple. So I'm just posting it here for awareness.
Please let me know if I can provide any more information.
Thanks!
