helm-secrets
how to use with Yubikey
I created my key with gpg --expert --full-gen-key and the Yubikey in the USB port.
I got the ID from gpg --fingerprint and added it to .sops.yaml.
$ helm secrets enc secrets.yaml
Encrypting secrets.yaml
Encrypted secrets.yaml
Decrypt failed:
$ helm secrets edit secrets.yaml
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
99381AAAAA....: FAILED
- | could not decrypt data key with PGP key:
| golang.org/x/crypto/openpgp error: Could not load secring:
| open /Users/xyz/.gnupg/secring.gpg: no such file or
| directory; GPG binary error: exit status 2
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
Error: plugin "secrets" exited with error
This is not really related to helm secrets. "helm secrets dec secrets.yaml" is basically the same thing as "sops -d secrets.yaml". The issue is rather to make sure that the gpg secret key on the Yubikey is available to gpg and sops. Try commands like "gpg --card-status" and "gpg -K" to verify that the Yubikey has been found and that the gpg keys on it are available.
I think sops depends on gpg1, whereas the Yubikey relies on gpg2. That might be the problem.
Sops uses the "gpg" command by default. You can tell it to use e.g. "gpg2" with an environment variable: https://github.com/mozilla/sops/#specify-a-different-gpg-executable
might be related: https://github.com/mozilla/sops/issues/489#issuecomment-515688057
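An added example, not code from the issue or from helm-secrets/sops, that scripts the checks suggested in the replies above: it pulls the pgp fingerprints out of .sops.yaml, compares them with the secret keys that "gpg -K --with-colons" reports, and for the live check calls the same gpg binary sops will use via SOPS_GPG_EXEC. The function names, the sample fingerprints and the sample colon record are constructed for this example; single-line "pgp:" entries are assumed.

```shell
# Checks the replies above describe: every PGP fingerprint in .sops.yaml must
# be a secret key visible to the gpg binary sops runs (SOPS_GPG_EXEC, default
# "gpg"). Needs sed/awk/grep; the live check also needs gpg and the card.

# Fingerprints from single-line "pgp:" entries in a .sops.yaml ($1 = path).
sops_pgp_fingerprints() {
  sed -n 's/^[[:space:]-]*pgp:[[:space:]]*//p' "$1" \
    | tr -d "'\"" | tr ',' '\n' | sed 's/[[:space:]]//g; /^$/d'
}

# Secret-key fingerprints from "gpg -K --with-colons" on stdin (field 10 of
# each "fpr" record); reading a saved listing keeps this testable offline.
gpg_secret_fingerprints() {
  awk -F: '$1 == "fpr" { print $10 }'
}

# Print .sops.yaml fingerprints ($1) absent from the listing in $2;
# return 0 when every key is available, 1 otherwise.
missing_sops_keys() {
  missing=0
  for fpr in $(sops_pgp_fingerprints "$1"); do
    if ! gpg_secret_fingerprints <"$2" | grep -qix "$fpr"; then
      echo "$fpr"
      missing=1
    fi
  done
  return $missing
}

# Live check: card detected, then keys visible to the gpg sops will call.
check_yubikey_for_sops() {
  gpg_bin="${SOPS_GPG_EXEC:-gpg}"
  "$gpg_bin" --card-status >/dev/null 2>&1 \
    || { echo "no OpenPGP card seen by $gpg_bin" >&2; return 1; }
  listing=$(mktemp)
  "$gpg_bin" -K --with-colons >"$listing" 2>/dev/null
  missing_sops_keys "${1:-.sops.yaml}" "$listing"
  rc=$?; rm -f "$listing"; return $rc
}

# Constructed offline sample: two keys in .sops.yaml, only the first in gpg.
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/.sops.yaml" <<'EOF'
creation_rules:
  - path_regex: secrets\.yaml$
    pgp: 'AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111, BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222'
EOF
printf 'fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:\n' >"$SAMPLE_DIR/gpg-K.txt"
missing_sops_keys "$SAMPLE_DIR/.sops.yaml" "$SAMPLE_DIR/gpg-K.txt" || echo "^ not visible to gpg, so sops would fail as in the issue"
```

On a workstation, run check_yubikey_for_sops after plugging in the card; a fingerprint it prints is one sops cannot use to recover the data key.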