sops-nix: Some SSH RSA keys cannot be used for decryption...
I’m trying this out for the first time, deploying just a single secret to a single host with deploy-rs, but I’m getting the following error:
⭐ ❓ [activate] [DEBUG] Running activation script
updating GRUB 2 menu...
activating the configuration...
setting up /etc...
setting up secrets...
sops-install-secrets: Imported /etc/ssh/ssh_host_rsa_key with fingerprint e2083f651825666614144c58e6d961dca7ddf0c4
Activation script snippet 'setup-secrets' failed (1)
/nix/store/n6b7y2hj7ymd11xnigkhpyysx3zk83jn-sops-install-secrets-0.0.1/bin/sops-install-secrets: Failed to decrypt '/nix/store/iv09rddx0hfs6bk6262vacwly3g28cw8-secrets.yaml': Error getting data key: 0 successful groups required, got 0
reloading user units for root...
reloading user units for dhess...
setting up tmpfiles
⭐ ⚠️ [activate] [WARN] De-activating due to error
The machine GPG key was imported from its SSH host RSA key as explained in the README. The other key I’m using to encrypt this particular secret is my own personal GPG key. I can edit (decrypt) and encrypt the secrets.yaml file on my local machine fine.
On the server, when I try to run the sops-install-secrets command on the manifest, I get the same error as above:
/nix/store/n6b7y2hj7ymd11xnigkhpyysx3zk83jn-sops-install-secrets-0.0.1/bin/sops-install-secrets /nix/store/mzs4sqzkawwp995jv8svf247rwzpz3iy-checked-manifest.json
sops-install-secrets: Imported /etc/ssh/ssh_host_rsa_key with fingerprint e2083f651825666614144c58e6d961dca7ddf0c4
/nix/store/n6b7y2hj7ymd11xnigkhpyysx3zk83jn-sops-install-secrets-0.0.1/bin/sops-install-secrets: Failed to decrypt '/nix/store/iv09rddx0hfs6bk6262vacwly3g28cw8-secrets.yaml': Error getting data key: 0 successful groups required, got 0
Here are the secrets.yaml file and the manifest:
https://gist.github.com/dhess/74ec4eaa364369420e4121fa8ecbdd92
https://gist.github.com/dhess/a792710fbc263f899f75b2b3879e3e71
About this issue
- State: open
- Created 3 years ago
- Comments: 32 (23 by maintainers)
I added assertions here to make this more clear: https://github.com/Mic92/sops-nix/pull/121
I may make this change once we also have age support: https://github.com/Mic92/sops-nix/pull/107 I suspect age will be much more predictable.
Sorry, I have not yet debugged the SSH key to the very heart of the Go crypto library, but you must be somehow special, since you are the only person I am aware of who can build invalid SSH keys.
I think I have the same problem as stated here before. Setting
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
does not work. But extracting the age key and setting
age.keyFile = "/var/lib/sops-nix/key.txt";
does work. Tried setting
gnupg.sshKeyPaths = [];
but this does not help. Any other ideas what the problem might be?

I am testing a fix regarding that: https://github.com/Mic92/sops-nix/pull/117
Hmm, so my problem smells pretty much like PEBKAC due to a sleepy Ma27, I’m afraid.
After reading an old excerpt from #nixos-chat I forcefully recreated the secrets file and everything was fine. There might be a slim chance that this is an actual bug, but IMHO it’s far more likely that I wrongly re-encrypted the file in question after I added the key for my server, and thus the decrypt failed because the secret wasn’t encrypted for the server’s host key.
In that case, sorry for the noise and thanks a lot for this awesome sops integration!
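A check for the failure mode Ma27 describes (a secrets file that was never re-encrypted for the server's host key), as an added example that is not part of this issue or of sops-nix: it reads the recipient list from a sops file's metadata and reports whether the fingerprint sops-install-secrets printed after importing the host key is among them. The sample file is constructed and uses sops's JSON layout instead of YAML only to stay stdlib-only; the function names are mine.

```python
import json
from typing import Dict, Iterable, Set

# Fingerprint that sops-install-secrets reported after importing the SSH host
# RSA key (taken from the log quoted in this issue).
HOST_FP = "e2083f651825666614144c58e6d961dca7ddf0c4"


def sample_sops_file(pgp_fps: Iterable[str], age_recipients: Iterable[str] = ()) -> str:
    """Build a constructed sops file in the JSON layout sops writes (the same
    structure as the .yaml form; JSON keeps this stdlib-only). The enc blobs
    and the encrypted payload are stand-ins, only the identities matter."""
    doc = {
        "example_secret": "ENC[AES256_GCM,data:constructed,type:str]",
        "sops": {
            "pgp": [{"created_at": "2021-01-01T00:00:00Z",
                     "enc": "-----BEGIN PGP MESSAGE-----...", "fp": fp}
                    for fp in pgp_fps],
            "age": [{"recipient": r, "enc": "-----BEGIN AGE ENCRYPTED FILE-----..."}
                    for r in age_recipients],
            "key_groups": [],
            "shamir_threshold": 0,
            "version": "3.6.1",
        },
    }
    return json.dumps(doc)


def encrypted_to(sops_meta: dict) -> Set[str]:
    """Every master-key identity (PGP fingerprint, upper-cased, or age
    recipient) the data key was wrapped for, including entries inside
    key_groups when shamir key groups are in use."""
    found: Set[str] = set()
    for group in [sops_meta] + list(sops_meta.get("key_groups") or []):
        for k in group.get("pgp") or []:
            found.add(k["fp"].replace(" ", "").upper())
        for k in group.get("age") or []:
            found.add(k["recipient"].strip())
    return found


def host_can_decrypt(sops_file_text: str, host_identities: Iterable[str]) -> Dict[str, bool]:
    """For each identity the host holds, report whether the file carries a
    data-key wrapping for it. Fingerprints are compared case-insensitively:
    gpg and sops-install-secrets print them lower-case, sops stores them
    upper-case."""
    targets = encrypted_to(json.loads(sops_file_text)["sops"])
    return {h: (h.strip() in targets or h.replace(" ", "").upper() in targets)
            for h in host_identities}
```

A False for the host's fingerprint means the data key was never wrapped for that key, which is exactly the state the thread ends on; no amount of key importing on the server can fix that, the file has to be re-encrypted with the host key added.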