Key path mentioned in README seems incorrect

Open yujunz opened this issue 4 years ago • 4 comments

The path mentioned in README

On macOS, this would be $HOME/Library/Application Support/sops/keys.txt

seems incorrect

    - | failed to open file: open /Users/yujunz/Library/Application
      | Support/sops/age/keys.txt: no such file or directory

yujunz, Aug 02 '21 09:08

Same issue for Linux path:

$ helm secrets edit secrets.yaml
secrets.yaml
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  age1crs5whzptf3some1random2numbersxanajp0spv60gz: FAILED
    - | failed to open file: open
      | /home/<my_profile>/.config/sops/age/keys.txt: no such file or
      | directory

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
Error: plugin "secrets" exited with error

renedupont, Nov 19 '21 14:11

I just stumbled upon this error as well. Indeed, it seems like the default key folder for age keys is 1 level deeper: (...)/sops/age/.

As a temporary workaround, I'm using SOPS_AGE_KEY_FILE environment variable:

SOPS_AGE_KEY_FILE="$HOME/Library/Application Support/sops/age/key.txt" sops -d secrets.enc.yaml > secrets.yaml

Also, I got this error only when decrypting encrypted files, never when encrypting files.

EDIT: It seems like it's not just an issue of having the file in the correct folder, because even after moving the key to the correct one, SOPS can't find it. Maybe the space in Application Support is an issue? 🤔

LandazuriPaul, Dec 24 '21 00:12

Can confirm on Linux:

0 $ ls ~/.config/sops/age/keys.txt  
/home/holger/.config/sops/age/keys.txt@
0 $ sops -d secrets.enc.yaml
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  age1dxrvkqwh7sc6efvcu4zc3v5l**********REDACTED*********: FAILED
    - | error at line 1: malformed secret key: separator '1' at
      | invalid position: pos=20, len=21

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
128 $ SOPS_AGE_KEY_FILE=/home/holger/.config/sops/age/keys.txt sops -d secrets.enc.yaml
secrets:
    API_PASS: mypassword
    API_XAPPID: myappid
0 $ sops --version
sops 3.7.1

Even though the code looks like it should use the path ~/.config/sops/age/keys.txt: https://github.com/mozilla/sops/blob/adfe49c1ead94808a2f06b6cf65758434238e00f/age/keysource.go#L108

Setting SOPS_AGE_KEY_FILE explicitly works.

hjoukl, Mar 01 '22 15:03
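A diagnostic for the lookup this thread is debugging, as an added example (not part of the original issue and not sops's own code). It assumes sops prefers SOPS_AGE_KEY_FILE and otherwise builds the default from Go's os.UserConfigDir(), which matches the paths in the error messages above; the function names ageKeyFilePath and checkKeyFile are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// ageKeyFilePath mirrors the lookup in this thread. Assumption (not sops code):
// SOPS_AGE_KEY_FILE wins, else <os.UserConfigDir()>/sops/age/keys.txt.
func ageKeyFilePath() (path, source string, err error) {
	if p := os.Getenv("SOPS_AGE_KEY_FILE"); p != "" {
		return p, "SOPS_AGE_KEY_FILE", nil
	}
	dir, err := os.UserConfigDir() // Linux: $XDG_CONFIG_HOME or ~/.config; macOS: ~/Library/Application Support
	if err != nil {
		return "", "", err
	}
	return filepath.Join(dir, "sops", "age", "keys.txt"), "default", nil
}

// checkKeyFile reports a missing file, symlink indirection, or loose permissions.
func checkKeyFile(path string) []string {
	var findings []string
	fi, err := os.Stat(path) // follows symlinks, so a dangling link also fails here
	if err != nil {
		return []string{"unreadable: " + err.Error()}
	}
	if li, err := os.Lstat(path); err == nil && li.Mode()&os.ModeSymlink != 0 {
		target, _ := filepath.EvalSymlinks(path)
		findings = append(findings, "symlink to "+target)
	}
	if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		findings = append(findings, fmt.Sprintf("mode %04o exposes the key to group/other; use 0600", uint32(perm)))
	}
	return findings
}

func main() {
	path, source, err := ageKeyFilePath()
	if err != nil {
		fmt.Println("cannot resolve config dir:", err)
		return
	}
	fmt.Printf("key file (%s): %q\n", source, path)
	for _, f := range checkKeyFile(path) {
		fmt.Println("  -", f)
	}
}
```

Run it in the same shell and environment as the failing sops command, since XDG_CONFIG_HOME and HOME change the default it prints.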

Linux key location is updated by https://github.com/getsops/sops/pull/1399

tomaszduda23, Dec 31 '23 15:12