getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

Misconfiguring .sops.yaml creates an undecryptable file with no error message #1173

Open autocracy opened 1 year ago

autocracy commented 1 year ago

Create a simple YAML file:

foo:
  bar_PWD: bar

Create a simple .sops.yaml file:

creation_rules:
#  - encrypted_regex: '(password|.*_PWD)'
  - pgp: "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"

Encrypt:

$ sops -e foo.yaml 
foo:
    bar_PWD: ENC[AES256_GCM,data:k8Py,iv:2oAcrZiuiHUUjwOMb+Vj+0PZ5Bu7KIAuRGMzHi1v2iU=,tag:2eu0KnAdHuDjfbo+iOHorg==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2023-02-02T23:58:47Z"
    mac: ENC[AES256_GCM,data:t8Adu7WRybxMY3sPDtOvmsKddgNNR1Sj33y9y6k8Wed0E5XHy4+ZgO8FdwBU+8juLHwSVyGMmfhidgmoksUiVYue3xb339EGrasetZV/15ojQtTGtvNDCFxvvnfcAuGHHVUUHP1rJu+x5TfekY850q5lR0FXQFSUacbp7Cmb8DA=,iv:nqXBYfNLfAh/Czxc1PiCtK01H3mWOl+YNcFg9/WpBjk=,tag:V+fLCKiypt+wh+eCo+Z4Zw==,type:str]
    pgp:
        - created_at: "2023-02-02T23:58:47Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

            wcBMAyUpShfNkFB/AQf8DeYrqCcxN1mbgkmKW3Qlplcv/57FG2+gFGNjcyXSLF7O
            AdP0mNSn0U88QbyEXWeo+R4UQPyCRvIfR9v+0POMY6RZrsu992Sv1Gi6eJzYypog
            3f6OO02AhmdhfKF5VU1cwDmyxhPoMAc8wnD4znk1L+eEWhKINdxjg/bQroYilWzH
            nhNXfnwX2X4LZrWVUfVgvMuJM/IU6OnolZglvkwcDWIk+W0BGDQkJ3cm1ecT8Fdc
            7oJs/2o9EozG3AGzkkacmH5mzxyFQIR5xLNS21IMLhLA38AuNPndwzACDFUyxu5k
            kQMTbsKCA4UklPorUGebV9dWByjZws47j6gonWdpc9JRAWz6/289XlNA1Xg/Ilec
            EgkVeRtU4K8TKGX0alZVjiAjruoduHSUgM86ajTpSfi3BFnxtCg/6oaJS20Xcmyy
            5wsrQXk6FP322jQ+ymL8XBju
            =n0Gz
            -----END PGP MESSAGE-----
          fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
    unencrypted_suffix: _unencrypted
    version: 3.7.3

Enable the regex in the config file and then try again:

$ sops -e foo.yaml 
foo:
    bar_PWD: ENC[AES256_GCM,data:6/65,iv:90Kt0Vbfth3MOHPrffv3tkYLIL7zGP/IHoANls9h1nI=,tag:zawm2USJZuJhYz9UP0Q6Og==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2023-02-02T23:59:02Z"
    mac: ENC[AES256_GCM,data:KEcIbHVUOYF701+9060gjUiiMzKEwwuHrkXJM9wKnRn5OsIK0j/CKnC6DA60WWm70eHILr+Q684oI2zhWcc77TyGTGJ7tPANa/fAu9tx7cP3nFdFaBWUJXmG87Ks/IyMt+S0k/VT1W0RUBVuGALvRAj7RGC6QoFxLxo3GYnOTL0=,iv:c+044uzI7rHkj0/MggIslUvJT8023oKiW31ZHstL0HQ=,tag:6n9PcFCjmWLQuE2wQilNWA==,type:str]
    pgp: []
    encrypted_regex: (password|.*_PWD)
    version: 3.7.3

Observe the lack of info in the pgp field and the error message "No keys found in file" when trying to decrypt.

autocracy commented 1 year ago

OK, so this is somewhat a user issue in that I shouldn't have a dash before both encrypted_regex and pgp, but also one might hope for an error message when sops ends up with no public keys to encrypt to...
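The dash semantics described above, as an added example that is not part of sops and was not posted in this thread: a small linter that parses the creation_rules of a .sops.yaml, picks the rule sops would apply to a given path (first path_regex match wins; a rule without path_regex matches every file), and reports any rule that names no master key. The parser handles only the flat list-of-mappings subset used here (it is a hand-rolled subset parser, not PyYAML), the three configs are constructed from the ones in the report (same fingerprint), and the key-source field names checked are the ones the sops config format uses (pgp, age, kms, gcp_kms, azure_keyvault, hc_vault_transit_uri, key_groups).

```python
"""Lint a .sops.yaml so that a creation rule with no master key is caught before
sops writes a file nobody can decrypt.

Added example, not part of sops. It understands only the small YAML subset that
creation_rules use here (a list of flat mappings with scalar values); it is not a
general YAML parser.
"""
import re

# Key-source fields a creation rule can carry in .sops.yaml.
KEY_SOURCES = ("pgp", "age", "kms", "gcp_kms", "azure_keyvault",
               "hc_vault_transit_uri", "key_groups")


def _unquote(value):
    """Strip one layer of matching single or double quotes."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_creation_rules(text):
    """Return creation_rules as a list of dicts; every '- ' starts a new rule."""
    rules, current, in_rules = [], None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        # A '#' line is a comment: the key on it never reaches any rule.
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "\t")):          # top-level key
            in_rules = line.rstrip(":") == "creation_rules"
            continue
        if not in_rules:
            continue
        body = line.strip()
        if body.startswith("- "):                      # new list item == new rule
            current = {}
            rules.append(current)
            body = body[2:].strip()
        elif current is None:
            raise ValueError("mapping entry before any '- ' item: %r" % raw)
        key, sep, value = body.partition(":")
        if not sep:
            raise ValueError("expected 'key: value': %r" % raw)
        current[key.strip()] = _unquote(value.strip())
    return rules


def select_rule(rules, path):
    """Index of the rule sops would use: first path_regex match wins, and a
    rule without path_regex matches every file."""
    for i, rule in enumerate(rules):
        if "path_regex" not in rule or re.search(rule["path_regex"], path):
            return i
    return None


def check_rules(rules):
    """One problem string per rule that names no master key at all."""
    return ["rule %d: no master key source; keys present: %s" % (i, sorted(rule))
            for i, rule in enumerate(rules)
            if not any(k in rule for k in KEY_SOURCES)]


def lint(text, path):
    """Summarise what sops would do with `path` under this config."""
    rules = parse_creation_rules(text)
    idx = select_rule(rules, path)
    selected = rules[idx] if idx is not None else {}
    return {
        "rules": len(rules),
        "selected": idx,
        "has_keys": any(k in selected for k in KEY_SOURCES),
        "problems": check_rules(rules),
    }


# Constructed configs mirroring the report (fingerprint as posted there).
ISSUE_CONFIG = """\
creation_rules:
#  - encrypted_regex: '(password|.*_PWD)'
  - pgp: "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
"""
# Uncommenting the regex line as in the report: two dashes, two rules.
BROKEN_CONFIG = ISSUE_CONFIG.replace("#  - encrypted_regex", "  - encrypted_regex")
# The intended config: one rule carrying both the regex and the key.
FIXED_CONFIG = """\
creation_rules:
  - encrypted_regex: '(password|.*_PWD)'
    pgp: "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
"""

if __name__ == "__main__":
    for name, cfg in (("issue", ISSUE_CONFIG), ("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint(cfg, "foo.yaml"))
```

With the regex line uncommented the linter sees two rules and reports that rule 0, the one sops picks for foo.yaml, has no master key; that is exactly the state the second encryption output shows, where pgp and every other key list in the sops metadata are empty, so the data key was never wrapped for anyone. The single-dash form keeps the regex and the key in one rule. Independently of any linting, a cheap safeguard in CI is to run sops -d on the freshly encrypted file and fail the job if it does not round-trip.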

Perdjesk commented 1 year ago

Duplicate of: https://github.com/mozilla/sops/issues/989 and https://github.com/mozilla/sops/issues/804