Open ebiscaia opened 1 year ago
I have the same issue, setting `SOPS_AGE_KEY_FILE=` as mentioned in https://github.com/mozilla/sops/issues/914 also doesn't work. What I have to do is unset `SOPS_AGE_KEY` while also setting `SOPS_AGE_KEY_FILE`:
Example:

```
export SOPS_AGE_KEY=age1XXX
➜ sops --encrypt --age $SOPS_AGE_KEY ./config.yaml > config.enc.yaml
# Trying to decrypt results in an error
➜ sops --decrypt config.enc.yaml
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
age1XXX: FAILED
- | error at line 1: malformed secret key: unknown type "age"
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
# unset SOPS_AGE_KEY
➜ unset SOPS_AGE_KEY
➜ sops --decrypt config.enc.yaml
my-key: my-value
```
Update:
It seems like `SOPS_AGE_KEY` is preferred over `SOPS_AGE_KEY_FILE` and its function changes for encrypt and decrypt respectively: for encrypt `SOPS_AGE_KEY` is the public key, but for decrypt - if set - it should be the private key:
```
➜ unset SOPS_AGE_KEY_FILE
➜ export SOPS_AGE_KEY=AGE-SECRET-KEY-XXX
➜ sops --decrypt config.enc.yaml
my-key: my-value
```
My experience is as follows: For encryption you need the recipients list containing all public keys of the ones that should be able to decrypt. This can be provided either in the .sops.yaml, as comma-separated values in the SOPS_AGE_RECIPIENTS env variable, or can be given in the -a parameter. The encryption process creates one encrypted entry for each recipient. So if you change the list you need to decrypt and encrypt again to adopt the new recipient.
The SOPS_AGE_KEY_FILE is only needed for decryption.
It seems to be caused by a password-protected key file. Support for that is added by https://github.com/getsops/sops/pull/1400
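A preflight check for the two causes reported in the comments above (a public key left in `SOPS_AGE_KEY`, and a password-protected key file), added here as an example; it is not code from the thread or from the SOPS project. The function names are hypothetical, and the checks assume the age formats: public keys start with `age1`, identities with `AGE-SECRET-KEY-1`, and encrypted files with an `age-encryption.org/v1` header or ASCII armor.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the age variables before
# running `sops --decrypt`. Function names are hypothetical.

# classify_age_value VALUE -> prints: empty | secret | public | unknown
classify_age_value() {
    case "$1" in
        '')                echo empty ;;
        AGE-SECRET-KEY-1*) echo secret ;;   # age identity (private key)
        age1*)             echo public ;;   # age recipient (public key)
        *)                 echo unknown ;;
    esac
}

# classify_age_key_file PATH -> prints: missing | encrypted | identity | unknown
classify_age_key_file() {
    [ -r "$1" ] || { echo missing; return; }
    # A password-protected key file is itself an age-encrypted file.
    first=$(head -n 1 "$1")
    case "$first" in
        age-encryption.org/v1*|'-----BEGIN AGE ENCRYPTED FILE-----'*)
            echo encrypted; return ;;
    esac
    if grep -q '^AGE-SECRET-KEY-1' "$1"; then echo identity; else echo unknown; fi
}

# sops_age_preflight: returns 0 when nothing suspicious is found, 1 otherwise.
sops_age_preflight() {
    rc=0
    case "$(classify_age_value "${SOPS_AGE_KEY:-}")" in
        public)  echo "SOPS_AGE_KEY holds a public key (age1...), not an AGE-SECRET-KEY identity" >&2; rc=1 ;;
        unknown) echo "SOPS_AGE_KEY is set but is not an age identity" >&2; rc=1 ;;
    esac
    if [ -n "${SOPS_AGE_KEY_FILE:-}" ]; then
        case "$(classify_age_key_file "$SOPS_AGE_KEY_FILE")" in
            missing)   echo "SOPS_AGE_KEY_FILE is not readable" >&2; rc=1 ;;
            encrypted) echo "SOPS_AGE_KEY_FILE is password-protected (age-encrypted)" >&2; rc=1 ;;
            unknown)   echo "SOPS_AGE_KEY_FILE contains no AGE-SECRET-KEY line" >&2; rc=1 ;;
        esac
    fi
    return $rc
}
```

Source the file and call `sops_age_preflight` in the shell where decryption fails; each finding is printed to stderr without echoing any key material.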
Hi everyone,
I am not able to use sops with age. I can encrypt the files, but when I try to decrypt them I bump into this error:
So here is how I am working:
I can encrypt and decrypt using just age but with Sops.
And here are the versions of both Sops and Age:
Also, my issue seems to be similar to this, with the difference that that one is specific to yubikey and mine is just with plain age.
Thanks,
Eduardo