Mic92 / sops-nix

Atomic secret provisioning for NixOS based on sops
MIT License
1.46k stars 137 forks

sops-nix always requests yubikey with home-manager module #356

Open archer-65 opened 1 year ago

archer-65 commented 1 year ago

Let me say I love this package, it is really a must-have. I usually use sops-nix with the NixOS module, but today I had to work with the home-manager one. I have a keyFile for age keys (generated with ssh-to-age) under ~/.config/sops/age/keys.txt, so this config should be fine:

  sops.age = {
    keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
    generateKey = false;
  };

However, my GPG key on Yubikey (not used for encryption of these home files) is always requested when attached. Any ideas? What could it be?

Mic92 commented 1 year ago

It probably tries your gpg-key before it uses the age key for decryption? I don't know if you can modify the order of keys, so it would try the other one instead? What should work is dropping the gpg-key and running sops updatekeys ./your/sops/file.

archer-65 commented 1 year ago

> It probably tries your gpg-key before it uses the age key for decryption? I don't know if you can modify the order of keys, so it would try the other one instead? What should work is dropping the gpg-key and running sops updatekeys ./your/sops/file.

Dropping the gpg-key works indeed. However, I think that the decryption should respect the defined configuration.

dman926 commented 5 months ago

Just ran into this. Changing the order in .sops.yaml to have age before pgp resolves it too, while allowing the Yubikey to be used as a backup key when the age key is not found. Seems sops will just try each key sequentially rather than collecting and running when at least one key is found. Never mind. Came back after reboot.

Dropping the GPG key works. Seems sops tries the GPG key first no matter what.

dguibert commented 4 months ago

I hit this as well.

Trying to run

sops -d secrets.yaml

and cancelling the pinentry prompt gives me

Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: FAILED
    - | could not decrypt data key with PGP key:
      | github.com/ProtonMail/go-crypto/openpgp error: could not
      | load secring: open /home/dguibert/.gnupg/pubring.gpg: no
      | such file or directory; GnuPG binary error: failed to
      | decrypt sops data key with pgp: gpg: encrypted with rsa2048
      [....]
      | gpg: public key decryption failed: Operation cancelled
      | gpg: decryption failed: Operation cancelled

  age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: FAILED
    - | failed to load age identities: failed to parse
      | '~/.config/sops/age/keys.txt' age identities:
      | no secret keys found

So creating the keys.txt with the following (and restarting the sops-nix service) now works as expected:

nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 >> ~/.config/sops/age/keys.txt
systemctl --user restart sops-nix
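The two failure modes in this thread (a pgp master key still listed in the encrypted file, which makes sops invoke gpg and pinentry, and an age key file with "no secret keys found") can both be spotted before running sops at all. The following diagnostic is an added example written for this thread, not code from sops or sops-nix: it reads the `sops` metadata block of an encrypted document (shown here in sops' JSON form, parsed with the standard library so no YAML dependency is needed) and inspects the age key file text. The sample document, fingerprint, recipient and age identity strings are constructed placeholders; the metadata key names (`key_groups`, `age`, `pgp`, `kms`, `gcp_kms`, `azure_kv`, `hc_vault`) follow sops' metadata layout, and the exact order in which sops tries master keys is not assumed.

```python
"""Pre-flight checks for a sops-nix setup that unexpectedly prompts for a PGP key.

Check 1: does the encrypted file's `sops` metadata still list a pgp master key?
Check 2: does the configured age key file contain an AGE-SECRET-KEY-1... identity?
"""
import json
import re
from pathlib import Path

# Master-key types sops records in its metadata block.
MASTER_KEY_KINDS = {"kms", "gcp_kms", "azure_kv", "hc_vault", "age", "pgp"}

# An age identity line: the bech32 prefix followed by upper-case bech32 chars.
AGE_IDENTITY_RE = re.compile(r"^AGE-SECRET-KEY-1[0-9A-Z]+$")


def master_key_types(doc: dict) -> list[str]:
    """Return the master-key types listed in a sops document, in the order they
    appear in the metadata, de-duplicated across key groups."""
    meta = doc.get("sops", {})
    # Files without key groups carry the key lists directly under `sops`.
    groups = meta.get("key_groups") or [meta]
    kinds: list[str] = []
    for group in groups:
        for key, entries in group.items():
            if key in MASTER_KEY_KINDS and entries and key not in kinds:
                kinds.append(key)
    return kinds


def age_identities_from_text(text: str) -> list[str]:
    """Return the age secret identities in a keys.txt body; blank lines and
    '#' comments (which ssh-to-age and age-keygen may emit) are ignored."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and AGE_IDENTITY_RE.match(line):
            found.append(line)
    return found


def age_identities(key_file: Path) -> list[str]:
    """Same check against a file on disk; a missing file yields no identities."""
    if not key_file.is_file():
        return []
    return age_identities_from_text(key_file.read_text())


def diagnose(doc: dict, key_text: str) -> list[str]:
    """Explain why decrypting `doc` with only an age identity would prompt or fail."""
    findings = []
    kinds = master_key_types(doc)
    if "pgp" in kinds:
        findings.append("file still lists a pgp master key; sops may call gpg/pinentry "
                        "for it (drop it from .sops.yaml and run `sops updatekeys`)")
    if "age" not in kinds:
        findings.append("file lists no age recipient; the configured age identity "
                        "cannot decrypt it")
    if not age_identities_from_text(key_text):
        findings.append("age key file has no AGE-SECRET-KEY-1... line "
                        "(sops reports 'no secret keys found')")
    return findings


# Constructed sample of an encrypted JSON document with both a pgp and an age
# master key, mirroring the thread; `enc` blobs are truncated placeholders.
SAMPLE_DOC = json.loads("""
{
  "example": "ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]",
  "sops": {
    "pgp": [{"fp": "PLACEHOLDER_PGP_FINGERPRINT", "created_at": "2024-01-01T00:00:00Z",
             "enc": "-----BEGIN PGP MESSAGE-----\\nplaceholder\\n-----END PGP MESSAGE-----"}],
    "age": [{"recipient": "age1placeholderrecipient", "enc": "placeholder"}],
    "lastmodified": "2024-01-01T00:00:00Z",
    "mac": "ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]",
    "version": "3.8.1"
  }
}
""")

# Constructed, non-functional identity in the shape ssh-to-age writes.
SAMPLE_KEY = "AGE-SECRET-KEY-1" + "QYQSZQGP" * 7
SAMPLE_KEY_TEXT = f"# created: 2024-01-01\n{SAMPLE_KEY}\n"

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DOC, SAMPLE_KEY_TEXT):
        print("-", finding)
    for finding in diagnose(SAMPLE_DOC, ""):
        print("-", finding)
```

Run against a real file with `diagnose(json.load(open("secrets.json")), Path("~/.config/sops/age/keys.txt").expanduser().read_text())`. A `pgp` entry in the output is the condition Mic92 describes: sops will still attempt that key, so removing it from `.sops.yaml` and running `sops updatekeys` on the file is what stops the pinentry prompt, while an empty identity list reproduces dguibert's second failure and is fixed by populating keys.txt as shown above.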