getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

Malformed secret key: unknown type "age" #1177

Open ebiscaia opened 1 year ago

ebiscaia commented 1 year ago

Hi everyone,

I am not being able to use sops with age. I can encrypt the files, but when I try to decrypt them I bump into this error:

    - | error at line 1: malformed secret key: unknown type "age"

So here is how I am working:

sops --encrypt -a $(grep -oP "public key: \K(.*)" $SOPS_AGE_KEY_FILE) --encrypted-regex "^(data|stringData)$" --in-place test2.yaml
sops --decrypt -a $(grep -oP "public key: \K(.*)" $SOPS_AGE_KEY_FILE) --encrypted-regex "^(data|stringData)$" --in-place test2.yaml
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  age1xdx0w6v7p8sqdcc6pmpyq7ym77q40fq8gckzugzrry22nuc60f8qqsufrt: FAILED
    - | error at line 1: malformed secret key: unknown type "age"

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

I can encrypt and decrypt using just age, but not with sops.

And here are the versions of both Sops and Age:

sops --version
sops 3.7.3 (latest)
age --version
v1.1.1

Also, my issue seems to be similar to this one, with the difference that that one is specific to YubiKey and mine is just with plain age.

Thanks,

Eduardo

blinkeye commented 1 year ago

I have the same issue, setting SOPS_AGE_KEY_FILE= as mentioned in https://github.com/mozilla/sops/issues/914 also doesn't work. What I have to do is unset SOPS_AGE_KEY while also setting SOPS_AGE_KEY_FILE:

Example:

export SOPS_AGE_KEY=age1XXX
sops --encrypt --age $SOPS_AGE_KEY ./config.yaml > config.enc.yaml

# Trying to decrypt results in an error
sops --decrypt config.enc.yaml
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  age1XXX: FAILED
    - | error at line 1: malformed secret key: unknown type "age"

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

# unset SOPS_AGE_KEY
unset SOPS_AGE_KEY
sops --decrypt config.enc.yaml
my-key: my-value

Update: It seems that SOPS_AGE_KEY is preferred over SOPS_AGE_KEY_FILE and that its function changes between encrypt and decrypt: for encrypt SOPS_AGE_KEY is the public key, but for decrypt, if set, it should be the private key:

unset SOPS_AGE_KEY_FILE
export SOPS_AGE_KEY=AGE-SECRET-KEY-XXX
sops --decrypt config.enc.yaml
my-key: my-value

hurzelpurzel commented 1 year ago

My experience is as follows: for encryption you need the recipients list containing all public keys of the ones that should be able to decrypt. This can be provided either in the .sops.yaml, as comma-separated values in the SOPS_AGE_RECIPIENTS env variable, or via the -a parameter. The encryption process creates one encrypted entry for each recipient. So if you change the list you need to decrypt and encrypt again to adopt the new recipient.

The SOPS_AGE_KEY_FILE is only needed for decryption.

tomaszduda23 commented 7 months ago

It seems to be caused by password protected key file. Support for that is added by https://github.com/getsops/sops/pull/1400
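Pulling the thread together: decryption needs an age identity (`AGE-SECRET-KEY-1...`), not the `age1...` public key, and a set `SOPS_AGE_KEY` takes precedence over `SOPS_AGE_KEY_FILE`. The `unknown type "age"` in the error is age's Bech32 human-readable part for a public key, which is exactly what an identity parser finds on line 1 when `SOPS_AGE_KEY` holds a recipient. The Python below is an added example, not code from sops or age: a preflight that applies the lookup order blinkeye observed, refuses a public key where an identity is needed, a passphrase-protected key file (tomaszduda23's case) and a secret key in a recipient list (the encryption side hurzelpurzel describes), and runs against constructed sample material. The public key is the one quoted in the issue; the identity string only has the shape of one and is not a real key, the sample file contents are made up, and the `SOPS_AGE_RECIPIENTS` handling assumes the comma-separated form described in the thread.

```python
"""Preflight for the age key material sops reads from its environment. Added
example, not code from sops or age: it mirrors the lookup order seen in the
thread (SOPS_AGE_KEY before SOPS_AGE_KEY_FILE) and rejects the thread's
mistakes before sops is ever invoked."""
import re
from typing import Callable, Dict, List, Tuple

# Bech32 charset is qpzry9x8gf2tvdw0s3jn54khce6mua7l (never 1, b, i or o).
# age public keys use the HRP "age", identities "AGE-SECRET-KEY-"; that HRP is
# the "age" in the thread's error 'malformed secret key: unknown type "age"'.
RECIPIENT_RE = re.compile(r"^age1[02-9ac-hj-np-z]{58}$")
IDENTITY_RE = re.compile(r"^AGE-SECRET-KEY-1[02-9AC-HJ-NP-Z]{58}$")
AGE_FILE_HEADER = "age-encryption.org/v1"  # first line of every age-encrypted file

class KeyMaterialError(ValueError):
    pass

def classify(s: str) -> str:
    """'recipient' (public key), 'identity' (secret key) or 'unknown'."""
    s = s.strip()
    if IDENTITY_RE.match(s):
        return "identity"
    return "recipient" if RECIPIENT_RE.match(s) else "unknown"

def parse_identities(text: str) -> List[str]:
    """age identity-file layout: one identity per line, blanks and '#' comments skipped."""
    if text.lstrip().startswith(AGE_FILE_HEADER):  # passphrase-protected keys.txt
        raise KeyMaterialError("key file is itself age-encrypted (passphrase-"
                               "protected); 'age -d' it to a plaintext file first")
    identities = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind = classify(line)
        if kind != "identity":
            hint = ("is a public key; decryption needs the AGE-SECRET-KEY-1... identity"
                    if kind == "recipient" else "is not an age identity")
            raise KeyMaterialError(f"line {n}: {line[:8]}... {hint}")
        identities.append(line)
    if not identities:
        raise KeyMaterialError("no age identities found")
    return identities

def resolve_identities(env: Dict[str, str],
                       read_file: Callable[[str], str] = lambda p: open(p).read()) -> Tuple[str, List[str]]:
    """A set SOPS_AGE_KEY wins outright (exporting SOPS_AGE_KEY_FILE= next to it
    changes nothing, as the thread found); otherwise SOPS_AGE_KEY_FILE is read."""
    if "SOPS_AGE_KEY" in env:
        return "SOPS_AGE_KEY", parse_identities(env["SOPS_AGE_KEY"])
    path = env.get("SOPS_AGE_KEY_FILE")
    if not path:
        raise KeyMaterialError("neither SOPS_AGE_KEY nor SOPS_AGE_KEY_FILE is set")
    try:
        text = read_file(path)
    except OSError as exc:
        raise KeyMaterialError(f"cannot read {path}: {exc}") from exc
    return f"SOPS_AGE_KEY_FILE={path}", parse_identities(text)

def parse_recipients(spec: str) -> List[str]:
    """Comma-separated recipients (-a / SOPS_AGE_RECIPIENTS); a secret key is
    refused outright, since it must never reach argv or shell history."""
    recipients = []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        kind = classify(item)
        if kind == "identity":
            raise KeyMaterialError("secret key given as recipient; use its age1... public key")
        if kind != "recipient":
            raise KeyMaterialError(f"{item[:8]}... is not an age public key")
        recipients.append(item)
    if not recipients:
        raise KeyMaterialError("no recipients given")
    return recipients

# Constructed sample material, not real keys: the public key is the one quoted
# in the issue, the identity has the right shape but a bogus checksum.
SAMPLE_RECIPIENT = "age1xdx0w6v7p8sqdcc6pmpyq7ym77q40fq8gckzugzrry22nuc60f8qqsufrt"
SAMPLE_IDENTITY = ("AGE-SECRET-KEY-1QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L"
                   "QPZRY9X8GF2TVDW0S3JN54KHCE")
SAMPLE_FILES = {  # stands in for the filesystem
    "keys.txt": f"# public key: {SAMPLE_RECIPIENT}\n{SAMPLE_IDENTITY}\n",
    "keys.age": f"{AGE_FILE_HEADER}\n-> scrypt ...\n",  # header only, constructed
}
CASES = {  # the configurations seen in the thread
    "public key in SOPS_AGE_KEY": {"SOPS_AGE_KEY": SAMPLE_RECIPIENT},
    "identity in SOPS_AGE_KEY": {"SOPS_AGE_KEY": SAMPLE_IDENTITY},
    "plaintext key file": {"SOPS_AGE_KEY_FILE": "keys.txt"},
    "passphrase-protected key file": {"SOPS_AGE_KEY_FILE": "keys.age"},
}

def preflight(env: Dict[str, str]) -> str:
    """One-line verdict for an environment, resolved against SAMPLE_FILES."""
    try:
        source, ids = resolve_identities(env, SAMPLE_FILES.__getitem__)
        return f"ok: {len(ids)} identity from {source}"
    except KeyMaterialError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    for name, env in CASES.items():
        print(f"{name}: {preflight(env)}")
```

Running the script prints one verdict per configuration; in a wrapper you would pass `dict(os.environ)` to `resolve_identities` (with the default file reader) before calling `sops --decrypt`. It is a shape-and-placement check only: it does not verify the Bech32 checksum, and it cannot tell whether the identity it accepts actually matches any recipient recorded in the encrypted file.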