twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

Decrypting template files gives error #2933

Closed haroldojunios closed 1 year ago

haroldojunios commented 1 year ago

What exactly are you trying to do?

I have 2 machines, one personal and one for work. I want to have different ~/.ssh/id_rsa files, which are encrypted in my dotfiles repo.

What have you tried so far?

I tried adding the ~/.ssh/id_rsa file from my home computer using chezmoi add --encrypt -T ~/.ssh/id_rsa and templating it with another ssh-key, resulting in:

{{- if .isWork -}}
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSd21valRHL0VzaVFPajlU ...
-----END AGE ENCRYPTED FILE-----
{{- else -}}
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbHdSeUlDOStZQjZBK2dk ...
-----END AGE ENCRYPTED FILE-----
{{- end -}}

But when I run chezmoi apply it gives me:

$ chezmoi apply
age: error: failed to read header: parsing age header: unexpected intro: "{{- if .isWork -}}\n"
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chezmoi: exit status 1

I suspect that the decryption is happening before the template substitution.

Where else have you checked for solutions?

Output of any commands you've tried with --verbose flag

$ chezmoi --verbose apply
age: error: failed to read header: parsing age header: unexpected intro: "{{- if .isWork -}}\n"
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chezmoi: exit status 1

Output of chezmoi doctor

```console
$ chezmoi doctor
RESULT   CHECK               MESSAGE
ok       version             v2.33.1, commit bc4478d84f59ea38084cf7e58b9226278d0e046d, built at 2023-04-07T22:36:48Z, built by goreleaser
ok       latest-version      v2.33.1
ok       os-arch             linux/amd64 (Ubuntu 22.04.2 LTS (Jammy Jellyfish))
ok       uname               Linux haroldo-dell 5.19.0-38-generic #39~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 17 21:16:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
ok       go-version          go1.20.3 (gc)
ok       executable          ~/.local/bin/chezmoi
ok       upgrade-method      replace-executable
ok       config-file         ~/.config/chezmoi/chezmoi.toml, last modified 2023-04-17T20:42:19-03:00
warning  source-dir          ~/.local/share/chezmoi is a git working tree (dirty)
ok       suspicious-entries  no suspicious entries
warning  working-tree        ~/.local/share/chezmoi is a git working tree (dirty)
ok       dest-dir            ~ is a directory
ok       umask               002
ok       cd-command          found /usr/bin/fish
ok       cd-args             fish
info     diff-command        not set
ok       edit-command        found /usr/bin/code
ok       edit-args           code --wait
ok       git-command         found /usr/bin/git, version 2.34.1
warning  merge-command       vimdiff not found in $PATH
ok       shell-command       found /bin/bash
ok       shell-args          /bin/bash
ok       age-command         found /usr/bin/age, version 1.0.0
ok       gpg-command         found /usr/bin/gpg, version 2.2.27
info     pinentry-command    not set
info     1password-command   op not found in $PATH
info     bitwarden-command   bw not found in $PATH
info     dashlane-command    dcli not found in $PATH
info     gopass-command      gopass not found in $PATH
ok       keepassxc-command   found /usr/bin/keepassxc-cli, version 2.6.6
info     keepassxc-db        not set
info     keeper-command      keeper not found in $PATH
info     lastpass-command    lpass not found in $PATH
info     pass-command        pass not found in $PATH
info     passhole-command    ph not found in $PATH
info     rbw-command         rbw not found in $PATH
info     vault-command       vault not found in $PATH
info     secret-command      not set
```

Additional context

My .chezmoi.toml:

encryption = "age"
[age]
    identity = "~/.config/key.txt"
    recipient = "age1d04ej32j97pcsctxxcm475l5z5nttp6nzd4jr57ruj45qw8hqgwqtpsdzw"
[cd]
    command = "fish"
[data]
    work = false

halostatue commented 1 year ago

Use include. This is untested, but it should work.

.chezmoiignore:

.ssh/work-ssh.id_rsa.enc
.ssh/home-ssh.id_rsa.enc

private_dot_ssh/private_id_rsa.tmpl:

{{- /* private_dot_ssh/private_id_rsa.tmpl */ -}}
{{- if .isWork -}}
{{- include "./work-ssh.id_rsa.enc" -}}
{{- else -}}
{{- include "./home-ssh.id_rsa.enc" -}}
{{- end -}}

private_dot_ssh/work-ssh.id_rsa.enc:

-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSd21valRHL0VzaVFPajlU ...
-----END AGE ENCRYPTED FILE-----

private_dot_ssh/home-ssh.id_rsa.enc:

-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbHdSeUlDOStZQjZBK2dk ...
-----END AGE ENCRYPTED FILE-----

haroldojunios commented 1 year ago

Thank you for the fast reply. I tried it, but:

  1. I needed to change the paths in the includes in the file private_dot_ssh/private_id_rsa.tmpl from . to private_dot_ssh, it was giving the error: chezmoi: template: private_dot_ssh/private_id_rsa.tmpl:4:4: executing "private_dot_ssh/private_id_rsa.tmpl" at <include "./home-ssh.id_rsa.enc">: error calling include: open /home/haroldo/.local/share/chezmoi/home-ssh.id_rsa.enc: no such file or directory;
  2. The template substitution works, but the key is not decrypted;
  3. If I add the suffix encrypted_ to the file private_dot_ssh/private_id_rsa.tmpl it gives the same error about the age header.

haroldojunios commented 1 year ago

Is there some way to decrypt the .enc files before the template substitution?

halostatue commented 1 year ago

There is: decrypt, complete with an example that does exactly what you want.

haroldojunios commented 1 year ago

Thanks @halostatue, it worked!

For reference:

.chezmoiignore:

.ssh/work-ssh.id_rsa.age
.ssh/home-ssh.id_rsa.age

private_dot_ssh/private_id_rsa.tmpl:

{{- /* private_dot_ssh/private_id_rsa.tmpl */ -}}
{{- if .isWork -}}
{{ joinPath .chezmoi.sourceDir "private_dot_ssh/work-ssh.id_rsa.age" | include | decrypt }}
{{- else -}}
{{ joinPath .chezmoi.sourceDir "private_dot_ssh/home-ssh.id_rsa.age" | include | decrypt }}
{{- end -}}

private_dot_ssh/work-ssh.id_rsa.age:

-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSd21valRHL0VzaVFPajlU ...
-----END AGE ENCRYPTED FILE-----

private_dot_ssh/home-ssh.id_rsa.age:

-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbHdSeUlDOStZQjZBK2dk ...
-----END AGE ENCRYPTED FILE-----
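A pre-commit sanity check for the layout in the comment above, added here as an example and not part of the thread or of chezmoi itself: it confirms that every `*.age` file in the source dir really carries the age armor header (so a private key saved in plaintext under an `.age` name is caught before it is pushed) and that every path named in an `include | decrypt` pipeline exists. The sample source dir it builds is constructed, with one deliberately plaintext key; file names without whitespace are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: lint a chezmoi source dir that keeps
# encrypted keys as *.age files and pulls them in with `include | decrypt`.
#   1. every *.age file must start with the age armor header, so a private
#      key saved in plaintext under an .age name is caught before commit;
#   2. every path in a `joinPath .chezmoi.sourceDir "<path>" | include | decrypt`
#      pipeline must exist relative to the source dir.
# Assumes file names without whitespace. Returns 0 when clean, else 1.
check_source_dir() {
    src=$1
    status=0
    for f in $(find "$src" -type f -name '*.age'); do
        if [ "$(head -n 1 "$f")" != "-----BEGIN AGE ENCRYPTED FILE-----" ]; then
            echo "NOT ENCRYPTED: $f"
            status=1
        fi
    done
    for t in $(find "$src" -type f -name '*.tmpl'); do
        for ref in $(grep -o 'joinPath \.chezmoi\.sourceDir "[^"]*" *| *include *| *decrypt' "$t" |
                     sed 's/.*sourceDir "\([^"]*\)".*/\1/'); do
            [ -f "$src/$ref" ] || { echo "MISSING: $t -> $ref"; status=1; }
        done
    done
    return $status
}

# Constructed sample mirroring the thread's final layout, with one mistake:
# the "home" key was stored in plaintext under an .age name.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/private_dot_ssh"
    printf '%s\n' '-----BEGIN AGE ENCRYPTED FILE-----' 'YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+...' \
        '-----END AGE ENCRYPTED FILE-----' > "$d/private_dot_ssh/work-ssh.id_rsa.age"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'b3BlbnNzaC1rZXktdjEAAAAA...' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/private_dot_ssh/home-ssh.id_rsa.age"
    cat > "$d/private_dot_ssh/private_id_rsa.tmpl" <<'EOF'
{{- if .isWork -}}
{{ joinPath .chezmoi.sourceDir "private_dot_ssh/work-ssh.id_rsa.age" | include | decrypt }}
{{- else -}}
{{ joinPath .chezmoi.sourceDir "private_dot_ssh/home-ssh.id_rsa.age" | include | decrypt }}
{{- end -}}
EOF
    echo "$d"
}

# usage: check_source_dir "$(build_sample)"   (prints the plaintext home key as NOT ENCRYPTED)
```

Run it against the real source dir with `check_source_dir ~/.local/share/chezmoi` before `git push`; the armor check is deliberately strict about the first line, which is what age's own header parser also requires.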