
SOPS_AGE_SSH_PRIVATE_KEY_FILE fails without an error

Open sylk0s opened this issue 1 month ago • 3 comments

I'm using sops 3.11.0 and trying to decrypt a file. This seems to be failing with basically no output about why it fails. I'm using the following command: sops -d secret_file. This is the output:

Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  [AGE KEY]: FAILED
    - | failed to create reader for decrypting sops data key with
      | age: no identity matched any of the recipients. Did not find
      | keys in locations 'SOPS_AGE_SSH_PRIVATE_KEY_FILE',
      | '/home/<user>/.ssh/id_rsa', 'SOPS_AGE_KEY',
      | 'SOPS_AGE_KEY_FILE', and 'SOPS_AGE_KEY_CMD'.

  [ANOTHER KEY]: FAILED
  ...

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

I have an ssh key file which should be able to decrypt this file, and I'm using the following command to try and get sops to recognize that: env SOPS_AGE_SSH_PRIVATE_KEY_FILE=/path/to/ssh_key sops -d secret_file. This produces the following output:

Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  [AGE KEY]: FAILED
    - | failed to create reader for decrypting sops data key with
      | age: no identity matched any of the recipients. Did not find
      | keys in locations '/home/<user>/.ssh/id_rsa',
      | 'SOPS_AGE_KEY', 'SOPS_AGE_KEY_FILE', and 'SOPS_AGE_KEY_CMD'.

  [ANOTHER KEY]: FAILED
  ...

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

So it... checks the path? But seems to quietly fail? The only weirdness here that I can think of is that the ssh key file is in a linked directory. It's annoying that I'm just getting no additional info about WHY the key I provided fails.

When I run the command with --verbose I just get the following additional output:

[AGE]	 INFO[0000] Decryption failed
[PGP]	 INFO[0003] Decryption failed                             fingerprint=[ANOTHER KEY]

Anyway, I'm not really sure what to do with this or how to even start debugging it, since there is no real output.

sylk0s avatar Nov 17 '25 17:11 sylk0s

You're probably getting no information because the public key of the key you provided doesn't seem to match any of the public keys contained in the encrypted file. In that case, there's nothing to report other than "no identity matched any of the recipients".

Whether this is a bug or a problem with your key I don't know and likely needs some debugging.

felixfontein avatar Nov 19 '25 18:11 felixfontein

That's what I thought, but basically everything I've checked seems to say otherwise... The following command seems to work fine: SOPS_AGE_KEY=$(ssh-to-age -private-key -i /path/to/key) sops -d secret_file. Perhaps I shouldn't be trusting ssh-to-age?

sylk0s avatar Nov 19 '25 18:11 sylk0s

I get the exact same behavior: SOPS_AGE_KEY=$(ssh-to-age -private-key -i ~/.ssh/id_ed25519) works, but the automatic sops lookup does not.

D4ndellion avatar Dec 01 '25 11:12 D4ndellion

So from #2009 and the above comments, do I understand correctly that the problem is that the SOPS file is encrypted with the identity derived from the SSH key with ssh-to-age, but you try to decrypt it with the SSH key itself (whose identity differs from the converted key's identity)?

felixfontein avatar Dec 21 '25 14:12 felixfontein
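A quick way to check the hypothesis in the last comment is to look at what recipients the file was actually encrypted to. The script below is an added diagnostic, not sops code and not posted by anyone in the thread. It reads the `sops.age` stanza that sops writes into every encrypted file and classifies each recipient: an `age1...` string is a native age X25519 recipient, which is what ssh-to-age produces and which can only be opened with an `AGE-SECRET-KEY-1...` identity (SOPS_AGE_KEY, SOPS_AGE_KEY_FILE, SOPS_AGE_KEY_CMD); an `ssh-ed25519 ...` or `ssh-rsa ...` string is an SSH public key used as an age recipient, which is what an SSH private key given via SOPS_AGE_SSH_PRIVATE_KEY_FILE (or picked up from ~/.ssh) can match. The sample sops document, its recipient strings and the local public key are all constructed placeholders, and the file is JSON so the example needs only the standard library (a YAML file would need PyYAML to load before calling the same functions).

```python
"""Classify the age recipients recorded in a sops file's metadata.

Added diagnostic for the SOPS_AGE_SSH_PRIVATE_KEY_FILE confusion: the raw
SSH private key can only open recipients written as SSH public keys, while
recipients produced by ssh-to-age are ordinary age1... X25519 recipients and
need the converted AGE-SECRET-KEY-1... identity instead.
"""
import json

AGE_NATIVE_PREFIX = "age1"
SSH_KEY_TYPES = ("ssh-ed25519", "ssh-rsa")

# Constructed sample: the shape of a sops-encrypted JSON file with two age
# recipients, one native (as ssh-to-age would emit) and one SSH public key.
# Neither recipient string nor the enc payload is a real key.
SAMPLE_SOPS_JSON = json.dumps({
    "secret": "ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]",
    "sops": {
        "age": [
            {"recipient": "age1exampleexampleexampleexampleexampleexampleexampleexampleqq",
             "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nplaceholder\n-----END AGE ENCRYPTED FILE-----\n"},
            {"recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedPublicKey0000000",
             "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nplaceholder\n-----END AGE ENCRYPTED FILE-----\n"},
        ],
        "version": "3.11.0",
    },
})
SAMPLE_DOC = json.loads(SAMPLE_SOPS_JSON)

# Constructed local ~/.ssh/id_ed25519.pub contents (comment included, as ssh-keygen writes it).
LOCAL_PUBKEY_MATCHING = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedPublicKey0000000 user@host"
LOCAL_PUBKEY_OTHER = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherConstructedPublicKey00000000 user@host"


def recipient_kind(recipient: str) -> str:
    """'age-native' for age1..., 'ssh' for an SSH public key, else 'unknown'."""
    r = recipient.strip()
    if r.startswith(AGE_NATIVE_PREFIX):
        return "age-native"
    if r.split(" ", 1)[0] in SSH_KEY_TYPES:
        return "ssh"
    return "unknown"


def age_recipients(sops_doc: dict) -> list:
    """Recipient strings from the sops.age stanza; empty if the file uses no age keys."""
    return [entry["recipient"] for entry in (sops_doc.get("sops", {}).get("age") or [])]


def normalize_ssh_pubkey(pubkey_line: str) -> str:
    """Drop the trailing comment so 'type base64 comment' compares as 'type base64'."""
    return " ".join(pubkey_line.strip().split()[:2])


def diagnose(sops_doc: dict, local_ssh_pubkey: str) -> dict:
    """Report which identity form the holder of local_ssh_pubkey needs to decrypt."""
    kinds = {r: recipient_kind(r) for r in age_recipients(sops_doc)}
    local = normalize_ssh_pubkey(local_ssh_pubkey)
    ssh_match = any(normalize_ssh_pubkey(r) == local for r, k in kinds.items() if k == "ssh")
    native = [r for r, k in kinds.items() if k == "age-native"]
    if ssh_match:
        advice = "SOPS_AGE_SSH_PRIVATE_KEY_FILE pointing at this key's private half should match"
    elif native:
        advice = ("no SSH recipient matches this key; the age1... recipients need an "
                  "AGE-SECRET-KEY-1... identity, e.g. SOPS_AGE_KEY=$(ssh-to-age -private-key -i <key>) "
                  "if the file was encrypted to the ssh-to-age conversion of this key")
    else:
        advice = "this file has no age recipients at all; another key group member must decrypt it"
    return {"kinds": kinds, "ssh_match": ssh_match, "advice": advice}


if __name__ == "__main__":
    for label, pub in (("matching", LOCAL_PUBKEY_MATCHING), ("other", LOCAL_PUBKEY_OTHER)):
        result = diagnose(SAMPLE_DOC, pub)
        print(f"[{label}] recipients: {result['kinds']}")
        print(f"[{label}] {result['advice']}")
```

Run it against a real file by replacing SAMPLE_DOC with `json.load(open(path))` and LOCAL_PUBKEY_MATCHING with the contents of your `.pub` file; if every recipient comes back `age-native`, the error in the issue is expected behaviour and the `ssh-to-age -private-key` route is the one that fits the file.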