getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0
17.07k stars 880 forks

"No master keys were provided, so sops can't encrypt the file." #1599

Closed lukethacoder closed 2 months ago

lukethacoder commented 2 months ago

Don't mind if this is moved to discussions. I assume this is an issue purely with my configuration, as scouring the internet seems to yield no results.

Have tried the following on both NixOS and Windows 10.

1. Install sops and age

NixOS

On NixOS I used ssh-to-age to convert my machine SSH keys (ed25519) to age keys to be used by sops.

I also created a pgp key using sudo nix-shell -p ssh-to-pgp --run "ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o opslag.asc"

Can confirm that ~/.config/sops/age/keys.txt exists.

Windows

On Windows, I generated fresh keys using age-keygen

Can confirm that C:\Users\USER_NAME\AppData\Roaming\sops\age\keys.txt exists.

2. Create a .sops.yaml inside an empty folder

Super simple .sops.yaml file. Initially I had keys declared as &user and referenced with *user, as well as a path_regex.

creation_rules:
  - keygroups:
    - age: 'age123456789myagekeygoesheretriedbothfromwindowsandnixosnuthin'

3. Run sops

Running the basic sops test.yaml command returned the same error on both NixOS and Windows: "No master keys were provided, so sops can't encrypt the file."

4. Run sops -e

Running the basic sops -e existing.yaml command on an existing file ran fine, but would not encrypt the file correctly. Here's an example output with a simple yaml input of hello: world:

hello: ENC[AES256_GCM,data:3jYHG/k=,iv:kejpklclngwmzmgbrzxskisxeqiypafswadusgfyzeg=,tag:buukujvllwpijwawyewpus==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2024-09-07T14:07:33Z"
    mac: ENC[AES256_GCM,data:Qze8nE/abnjapjkxvbuthsowuvwaqlvbrswpibcdqyo/ysqamgaxwgkavtuxwyqabze/tatvfzljlwmmqlwgofwzr+M920vQ/usRpqfiPa++FnF4WR0ReyhGOS+vkBSkMXoRppj3GpvK7qH9c9jgIy8Nm2Da1XsNWnql/qMadjQ=,iv:WpOyiBPaBFHcxdLjoTCw693Bg1hAuESzHr1vVTZX7Vo=,tag:jcwXTQKnpyKvmJjIZqBVFg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0

5. Run sops --config

Attempting to pass a reference to the .sops.yaml config doesn't seem to do much. Returns the same "no master keys" error.

Creating a fake syntax error in the .sops.yaml file seems to confirm it picks up the config file, both with or without the --config flag.


I feel like I'm missing something small somewhere with the keys, not too sure? Have spent quite a few hours trying to clear things out and start from scratch only to come to the same conclusion.

lukethacoder commented 2 months ago

Welp, I'm a spud. keygroups should be key_groups.

Looks to be similar to this issue (https://github.com/getsops/sops/issues/479). Might be handy if there was some minor .sops.yaml schema validation to catch small things like this out.

felixfontein commented 2 months ago

I agree, having a validator that warns / rejects unknown keys would be great. I have no idea how hard that is to implement though, since I'm pretty sure we don't want to have the schema in two places, so the code would have to use the same data as the parser (https://github.com/getsops/sops/blob/f9ae79634d3b975ba392b0b6f63b4cbdf736b998/config/config.go#L90-L94).
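Added example, not code from the thread or from sops: a strict checker for .sops.yaml that rejects unknown keys with a "did you mean" hint (the validator asked for above, which would have caught keygroups vs key_groups), plus a check on an encrypted file's sops: metadata that flags the symptom from the issue body, a file whose kms/gcp_kms/azure_kv/hc_vault/age/pgp lists are all empty. The accepted field names are transcribed from memory of config/config.go and are partial; verify them against the file linked above. The YAML-subset parser is included only so the example runs offline; the three inputs are constructed from the thread (ciphertexts shortened).

```python
# Strict .sops.yaml checker and post-encryption sanity check (added example, not sops code).
import re
from difflib import get_close_matches

# Accepted field names, transcribed (partially) from sops' config/config.go.
# ASSUMED from memory: verify against the file linked in the thread.
CREATION_RULE_FIELDS = {
    "path_regex", "kms", "age", "pgp", "gcp_kms", "azure_keyvault", "hc_vault_transit_uri",
    "key_groups", "shamir_threshold", "unencrypted_suffix", "encrypted_suffix",
    "unencrypted_regex", "encrypted_regex"}
KEY_GROUP_FIELDS = {"kms", "gcp_kms", "azure_keyvault", "hc_vault", "age", "pgp"}
MASTER_KEY_FIELDS = ("kms", "age", "pgp", "gcp_kms", "azure_keyvault",
                     "hc_vault_transit_uri", "key_groups")
METADATA_KEY_LISTS = ("kms", "gcp_kms", "azure_kv", "hc_vault", "age", "pgp")  # as in the issue output
_MAP_LINE = re.compile(r"[^\s:'\"\[\]]+:(\s|$)")  # 'key:' or 'key: value'

def _scalar(s):
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"":
        return s[1:-1]
    return [] if s == "[]" else int(s) if re.fullmatch(r"-?\d+", s) else s

def _parse(lines, i, indent):
    """Parse the block at lines[i] ([indent, text] pairs) that sits at 'indent'."""
    if lines[i][1].startswith("- "):
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            rest = lines[i][1][2:].strip()
            if _MAP_LINE.match(rest):            # "- key: ..." opens a mapping item;
                lines[i] = [indent + 2, rest]    # treat the "- " as two spaces of indent
                val, i = _parse(lines, i, indent + 2)
            else:
                val, i = _scalar(rest), i + 1
            items.append(val)
        return items, i
    m = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        if not _MAP_LINE.match(lines[i][1]):
            raise ValueError(f"unsupported line: {lines[i][1]!r}")
        key, _, rest = lines[i][1].partition(":")
        rest, i = rest.strip(), i + 1
        nxt = lines[i][0] if i < len(lines) else -1
        if rest:
            m[key] = _scalar(rest)
        elif nxt > indent or (nxt == indent and lines[i][1].startswith("- ")):
            m[key], i = _parse(lines, i, nxt)    # nested block; a list may sit at the key's indent
        else:
            m[key] = None
    return m, i

def parse_yaml_subset(text):
    """Mappings, sequences, plain/quoted scalars and '[]' only; use PyYAML for real files."""
    lines = [[len(l) - len(l.lstrip(" ")), l.strip()] for l in text.splitlines()
             if l.strip() and not l.strip().startswith("#")]
    value, i = _parse(lines, 0, lines[0][0]) if lines else ({}, 0)
    if i != len(lines):
        raise ValueError(f"unexpected indentation at: {lines[i][1]!r}")
    return value

def _check_keys(obj, allowed, where, problems):
    for k in obj:
        if k not in allowed:
            hint = get_close_matches(k, sorted(allowed), n=1)  # catches keygroups -> key_groups
            problems.append(f"{where}: unknown key '{k}'" + (f" (did you mean '{hint[0]}'?)" if hint else ""))

def validate_config(cfg):
    """Problems found in a parsed .sops.yaml; an empty list means it looks usable."""
    problems = []
    _check_keys(cfg, {"creation_rules", "stores", "destination_rules"}, ".sops.yaml", problems)
    for n, rule in enumerate(cfg.get("creation_rules") or []):
        where = f"creation_rules[{n}]"
        _check_keys(rule, CREATION_RULE_FIELDS, where, problems)
        for g, group in enumerate(rule.get("key_groups") or []):
            _check_keys(group, KEY_GROUP_FIELDS, f"{where}.key_groups[{g}]", problems)
        if not any(rule.get(f) for f in MASTER_KEY_FIELDS):
            problems.append(f"{where}: no master key configured, sops will refuse to encrypt")
    return problems

def recipients(doc):
    """Non-empty key lists in an encrypted file's 'sops:' block; {} means nobody can decrypt it."""
    meta = doc.get("sops") or {}
    return {k: meta[k] for k in METADATA_KEY_LISTS if meta.get(k)}

# Constructed inputs: the issue's config (typo 'keygroups'), a corrected one, and the
# metadata sops wrote with no master key (ciphertexts shortened).
BROKEN_CONFIG = """\
creation_rules:
  - keygroups:
    - age: 'age123456789myagekeygoesheretriedbothfromwindowsandnixosnuthin'
"""
FIXED_CONFIG = """\
creation_rules:
  - path_regex: secrets/.*[.]yaml$
    key_groups:
      - age:
          - age123456789myagekeygoesheretriedbothfromwindowsandnixosnuthin
"""
NO_KEYS_OUTPUT = """\
hello: ENC[AES256_GCM,data:3jYHG/k=,iv:...,tag:...,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    mac: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
    pgp: []
    version: 3.9.0
"""

if __name__ == "__main__":
    print(validate_config(parse_yaml_subset(BROKEN_CONFIG)), recipients(parse_yaml_subset(NO_KEYS_OUTPUT)))
```

On the broken config this reports the unknown key with the key_groups hint and, as a consequence, that the rule carries no master key; on the corrected config it reports nothing, and on the metadata from the issue recipients() returns an empty dict, which is the condition a pre-commit hook should reject. For real files replace parse_yaml_subset with yaml.safe_load. Note that the field lists here have to be kept in sync with config.go by hand, which is exactly the schema duplication the comment above wants to avoid; in the sops code base the natural fix is to have the YAML decoder itself reject unknown fields.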