Open archer-65 opened 1 year ago
It probably tries your gpg-key before it uses the age key for decryption?
I don't know if you can modify the order of keys, so it would try the other one instead?
What should work is dropping the gpg-key and running sops updatekeys ./your/sops/file.
Dropping the gpg-key works indeed. However, I think that the decryption should respect the defined configuration.
Just ran into this. Changing the order in .sops.yaml to have age before pgp resolves it too, while allowing the Yubikey to be used as a backup key when the age key is not found. Seems sops will just try each key sequentially rather than collecting and running when at least one key is found. Never mind. Came back after reboot.
Dropping the GPG key works. Seems sops tries the GPG key first no matter what.
I hit this as well.
Trying to run sops -d secrets.yaml and cancelling the pinentry prompt gives me:
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: FAILED
- | could not decrypt data key with PGP key:
| github.com/ProtonMail/go-crypto/openpgp error: could not
| load secring: open /home/dguibert/.gnupg/pubring.gpg: no
| such file or directory; GnuPG binary error: failed to
| decrypt sops data key with pgp: gpg: encrypted with rsa2048
[....]
| gpg: public key decryption failed: Operation cancelled
| gpg: decryption failed: Operation cancelled
age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: FAILED
- | failed to load age identities: failed to parse
| '~/.config/sops/age/keys.txt' age identities:
| no secret keys found
So creating keys.txt with the following (and restarting the sops-nix service) now works as expected:
nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 >> ~/.config/sops/age/keys.txt
systemctl --user restart sops-nix
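As an added diagnostic for the "failed to load age identities ... no secret keys found" failure above (this is not code from the thread or from sops-nix itself): a POSIX shell function that checks the age identities file sops reads before you run sops -d. The default path is the one used in this thread; the key-prefix and file-permission checks are my own assumptions about what a usable identities file looks like (age secret keys start with AGE-SECRET-KEY-1, and a private key file should not be group- or world-readable).

```shell
#!/bin/sh
# Added example, not part of the sops-nix project.
# check_age_identities [FILE]
#   FILE defaults to the sops-nix location ~/.config/sops/age/keys.txt.
#   Returns 0 when FILE exists, is readable only by its owner, and holds at
#   least one age secret key; otherwise prints the reason to stderr and
#   returns 1, so it can be used as a pre-flight check before `sops -d`.
check_age_identities() {
  f="${1:-$HOME/.config/sops/age/keys.txt}"

  if [ ! -f "$f" ]; then
    echo "missing identities file: $f (create it with ssh-to-age or age-keygen)" >&2
    return 1
  fi

  # Assumption: age secret keys are the lines starting with AGE-SECRET-KEY-1.
  # A file that only holds an "# public key: age1..." comment is not enough.
  if ! grep -q '^AGE-SECRET-KEY-1' "$f"; then
    echo "no secret keys found in $f (only a public key or comments present?)" >&2
    return 1
  fi

  # Columns 5-10 of `ls -ld` are the group/other permission bits; for a
  # private key file they should all be '-' (mode 0600 or stricter).
  perm=$(ls -ld "$f" | cut -c5-10)
  case "$perm" in
    ------) ;;
    *)
      echo "permissions too open on $f (group/other bits: $perm); use chmod 600" >&2
      return 1
      ;;
  esac

  return 0
}

# count_age_identities [FILE]
#   Prints how many secret keys the file holds (useful when several
#   SSH keys were converted with ssh-to-age and appended to the same file).
count_age_identities() {
  f="${1:-$HOME/.config/sops/age/keys.txt}"
  [ -f "$f" ] || { echo 0; return 0; }
  grep -c '^AGE-SECRET-KEY-1' "$f"
}

# Run as a script with an optional path argument to check that file.
if [ "$#" -gt 0 ]; then
  check_age_identities "$1" && echo "ok: $(count_age_identities "$1") identity(ies) in $1"
fi
```

Run it as sh check-age.sh ~/.config/sops/age/keys.txt before restarting the sops-nix user service; a non-zero exit tells you which of the three conditions sops will trip over.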
Let me say I love this package; it is really a must-have. I usually use sops-nix with the NixOS module, but today I had to work with the home-manager one. I have a keyFile for age keys (generated with ssh-to-age) under ~/.config/sops/age/keys.txt, so this config should be fine:
However, my GPG key on the Yubikey (not used for encrypting these home files) is always requested when it is attached. Any ideas? What could it be?