Unable to decrypt with PGP on Yubikey

Open fzakfeld opened this issue 3 months ago • 0 comments

sops -v
sops 3.10.2 (latest)
gpg --version
gpg (GnuPG) 2.4.8
libgcrypt 1.11.2
Copyright (C) 2025 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

I have an OpenPGP key on my YubiKey smart card, which I can use to decrypt. For example, this works:

gpg -d foo.gpg

But when calling sops, an error occurs:

sops -d bar

Output:

Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  xxxx: FAILED
    - | could not decrypt data key with PGP key:
      | github.com/ProtonMail/go-crypto/openpgp error: could not
      | load secring: open /Users/fzakfeld/.gnupg/pubring.gpg: no
      | such file or directory; GnuPG binary error: failed to
      | decrypt sops data key with pgp: gpg: encrypted with RSA key,
      | ID xxxx
      | gpg: using "xxxx" as
      | default secret key for signing
      | gpg: public key decryption failed: No secret key
      | gpg: decryption failed: No secret key

How can I debug this further? Reading https://github.com/getsops/sops/issues/189, it seems like gpg2 is supported and sops is trying out the gpg binary.

fzakfeld, Sep 18 '25 22:09