sops-nix
Cannot decrypt using age keys
Dear Team, I love your work! Still, I got some problems to deal with. Here is my story:
If I try to run sudo nixos-rebuild switch --flake .#hostname
I get:
sops-install-secrets: Imported /persist/etc/ssh/ssh_host_ed25519_key as age key with fingerprint age1x05l0zsnwly2f54jv4h5rudmknarfmw8wz3jd63vdqc0yyquuukshget77
/nix/store/r1plghc759yrs9bbsminz1qw9n5chdca-sops-install-secrets-0.0.1/bin/sops-install-secrets: Failed to decrypt '/nix/store/ikzqmazqagm6qd3lkwkdky2pi3mx6jix-secrets.yaml': Error getting data key: 0 successful groups required, got 0
Activation script snippet 'setupSecretsForUsers' failed (1)
warning: password file ‘/run/secrets-for-users/user-password’ does not exist
Here is the hopefully relevant part of my configuration:
sops.yaml
keys:
  # Users
  - &user C3B06FED1C93D951B72FC7BF7BE3C4FBC4BD9026
  # Hosts
  - &hostname age1xl30jzlzcj6wfxuzacfdyaeu82q9fu8fzx3um0r90u3w2xt7yuwscjltzs
creation_rules:
  - path_regex: hosts/common/secrets.ya?ml$
    key_groups:
      - age:
          - *hostname
        pgp:
          - *user
secrets.yaml
user-password: <password generated with mkpasswd -m sha-512>
If I try to run SOPS_AGE_KEY_FILE=/run/secrets-for-users.d/age-keys.txt sops -d /nix/store/ikzqmazqagm6qd3lkwkdky2pi3mx6jix-secrets.yaml, I get error loading config: no matching creation rules found.
SOPS_AGE_KEY_FILE=/run/secrets-for-users.d/age-keys.txt sops -d hosts/common/secrets.yaml results in:
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
C3B06FED1C93D951B72FC7BF7BE3C4FBC4BD9026: FAILED
- | could not decrypt data key with PGP key:
| github.com/ProtonMail/go-crypto/openpgp error: Could not
| load secring: open /home/lgo/.gnupg/secring.gpg: no such
| file or directory; GPG binary error: exit status 2
age1xl30jzlzcj6wfxuzacfdyaeu82q9fu8fzx3um0r90u3w2xt7yuwscjltzs: FAILED
- | failed to open file: open
| /run/secrets-for-users.d/age-keys.txt: permission denied
Recovery failed because no master key was able to decrypt the file. In order for SOPS to recover the file, at least one key has to be successful, but none were.
I am glad for any help.
Have you run sops updatekeys on the encrypted secrets file after editing .sops.yaml? Also note that it must be .sops.yaml and not sops.yaml.
@Mic92,
thank you for the fast answer. You are absolutely right for pointing out my mistake with the missing . in .sops.yaml. I already had that.
sops updatekeys .sops.yaml returns
2023/08/27 12:53:02 Syncing keys for file /PATH/TO/.sops.yaml
sops metadata not found
I ran it after every key-change in .sops.yaml, but it did not help yet.
Sorry to resurrect this, but I think you need to run sops updatekeys on your secrets.yaml file, @lutzgo , not the configuration file.
For you that'd be something like:
sops updatekeys hosts/common/secrets.yaml
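As an added illustration (not code from this thread, from sops or from sops-nix): a small Python check that compares the recipients a matching .sops.yaml creation rule expects with the recipients recorded in the encrypted file's own sops metadata. A mismatch is exactly the state described above, and the fix is sops updatekeys on the secrets file, not on .sops.yaml. Both YAML documents are embedded already parsed as dicts (what yaml.safe_load would return, anchors resolved) so the script runs without PyYAML; the second host's age recipient and the enc values are constructed placeholders.

```python
import re

# .sops.yaml from the thread, as yaml.safe_load would parse it, with a second
# host added AFTER secrets.yaml was encrypted (constructed placeholder recipient).
SOPS_CONFIG = {
    "creation_rules": [{
        "path_regex": "hosts/common/secrets.ya?ml$",
        "key_groups": [{
            "age": ["age1xl30jzlzcj6wfxuzacfdyaeu82q9fu8fzx3um0r90u3w2xt7yuwscjltzs",
                    "age1NEWHOST_PLACEHOLDER_NOT_A_REAL_RECIPIENT"],
            "pgp": ["C3B06FED1C93D951B72FC7BF7BE3C4FBC4BD9026"],
        }],
    }]
}

# The `sops:` metadata block inside the encrypted secrets.yaml, as written before
# the new host existed (constructed sample; "enc" values are illustrative only).
FILE_METADATA = {
    "age": [{"recipient": "age1xl30jzlzcj6wfxuzacfdyaeu82q9fu8fzx3um0r90u3w2xt7yuwscjltzs",
             "enc": "-----BEGIN AGE ENCRYPTED FILE----- ... (constructed)"}],
    "pgp": [{"fp": "C3B06FED1C93D951B72FC7BF7BE3C4FBC4BD9026",
             "enc": "-----BEGIN PGP MESSAGE----- ... (constructed)"}],
}


def matching_rule(config, path):
    """First creation_rule whose path_regex matches `path`, as sops selects it.
    None corresponds to the 'no matching creation rules found' error."""
    for rule in config.get("creation_rules", []):
        if re.search(rule.get("path_regex", ""), path):
            return rule
    return None


def missing_recipients(rule, metadata):
    """Recipients the rule expects but the file's sops metadata does not carry.
    Anything listed here means `sops updatekeys <secrets file>` is still needed."""
    groups = rule.get("key_groups", [])
    expected_age = {r for g in groups for r in g.get("age", [])}
    expected_pgp = {f.upper() for g in groups for f in g.get("pgp", [])}
    present_age = {e["recipient"] for e in metadata.get("age", [])}
    present_pgp = {e["fp"].upper() for e in metadata.get("pgp", [])}
    return {"age": sorted(expected_age - present_age),
            "pgp": sorted(expected_pgp - present_pgp)}


def check(config, path, metadata):
    """Human-readable verdict for one secrets file against the config."""
    rule = matching_rule(config, path)
    if rule is None:
        return "no matching creation rules found for " + path
    missing = missing_recipients(rule, metadata)
    if not missing["age"] and not missing["pgp"]:
        return "ok: file metadata matches .sops.yaml"
    return "out of date, run: sops updatekeys %s (missing age=%s pgp=%s)" % (
        path, missing["age"], missing["pgp"])
```

Running check() on the /nix/store path from the first post reproduces the "no matching creation rules" outcome, since that path does not contain hosts/common/; running it on hosts/common/secrets.yaml reports the new host's recipient as missing until updatekeys has been run.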
Hey stooj, thank you for your response. I gave up on it for a while, but now I'm back on track supercharged with new knowledge. It is working🤘
Could this be documented somewhere? I just stumbled upon the same issue adding a new host.
Could this be documented somewhere?
This should be documented in SOPS. It's not really related to sops-nix, is it?
Sure, it could be documented better in sops but that's a separate issue. Since this project has amazing directions on how to get started, I think that it should also show this command to add new hosts once the initial setup is done.
Agreed, we should mention it in our README as well. @magikid do you want to have a look at it?
@Mic92 Just opened a PR for it