`sops` can't decrypt when only provided an SSH key path

[3ulalia]

I've managed to pare my config down to the following minimal setup:

sops.defaultSopsFile = inputs.self.outPath + "/secrets/secrets.yaml";
sops.age.sshKeyPaths = ["/home/eulalia/.ssh/id_ed25519"];
sops.secrets."passwords/eulalia".neededForUsers = true;

Then, in my secrets file (~/flake/secrets/secrets.yaml):

passwords:
  eulalia: $y$thisisafakepasswordhash

And in my sops yaml file (~/.sops.yaml):

keys:
  - &eulalia thepublickeytomySSHkeywhenconvertedtoage
creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini|sops)$
    key_groups:
      - age:
        - *eulalia

Despite this, when I run sops ~/flake/secrets/secrets.yaml it tells me that it is unable to decrypt:

eulalia@sunlanii:~/flake/ > sops secrets/secrets.yaml
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  thepublickeytomySSHkeywhenconvertedtoage: FAILED
    - | failed to load age identities: failed to open file: open
      | /home/eulalia/.config/sops/age/keys.txt: no such file or
      | directory

The only way to get it to decrypt is to use ssh-to-age to convert my SSH key to an age key and then put it in that location.

Why do I have to put my key there? Isn't setting sops.age.sshKeyPaths enough?

(And yes, I have run sops updatekeys ~/flake/secrets/secrets.yaml a number of times. It has not fixed the issue :p)

I'm presuming that this is the reason behind a related issue I have - namely, when I set my password as described above, it works until I reboot, at which point I'm unable to login. I presume this is because sops is looking for a key file in ~/.config/sops/age/keys.txt despite it not being there.

Thanks!

[3ulalia]

Never mind, this is me being stupid.

[n8henrie]

@3ulalia would you mind elaborating?

I've used agenix for a while and want to experiment with sops, but I'm running into the same misunderstanding.

Even if I specify SOPS_AGE_SSH_PRIVATE_KEY_FILE=/etc/ssh/ssh_host_ed25519_key ¹, I get Failed to get the data key required to decrypt the SOPS file. as it tries to read from ~/.config/sops/age/keys.txt (which I've removed).

Why is ~/.config/sops/age/keys.txt necessary when I have /etc/ssh/ssh_host_ed25519_key?

EDIT: Perhaps issue is this is unreleased (just merged last week)? https://github.com/getsops/sops/pull/1692/commits

Footnotes

1. https://github.com/getsops/sops?tab=readme-ov-file#23encrypting-using-age ↩

[n8henrie]

Yes, I was just reading the docs for main which is still unreleased.

After building from source, I was able to add my ssh public key like so (initially keeping the age key version around):

keys:
  - &myagekey age1234
  - &samekeyasssh ssh-ed25519 AAA...
creation_rules:
  - path_regex: secrets/[^/]+\.json$
    key_groups:
    - age:
      - *myagekey
      - *samekeyasssh

then update the keys so that both the ssh and age keys were recognized:

(I'm not sure what part of my env was required, bit failed without -E)

$ sudo -E \
    SOPS_AGE_SSH_PRIVATE_KEY_FILE=/etc/ssh/ssh_host_ed25519_key \
    ~/go/src/github.com/getsops/sops/cmd/sops/sops \
    updatekeys secrets/sops.json

After which I was able to blow away the age directory and still decrypt / edit the test file:

$ rm -r ~/.config/sops
$ sudo \
    SOPS_AGE_SSH_PRIVATE_KEY_FILE=/etc/ssh/ssh_host_ed25519_key \
    ~/go/src/github.com/getsops/sops/cmd/sops/sops \
    --decrypt \
    secrets/sops.json
{
        "hello": "Welcome to SOPS! Edit this file as you please!",
        "example_key": "example_value",
        "example_array": [
                "example_value1",
                "example_value2"
        ],
        "example_number": 1234.56789,
        "example_booleans": [
                true,
                false
        ]
}

And finally was able to remove the age version of the key from my sops config and once again updatekeys.

[3ulalia]

Hmm, yes. Now that you mention it, I would like this to work properly, especially since sops now has first-class support for SSH keys. That really would just make this a dupe of #802, but since this one came first I can reopen this and close that.

[travisty-]

Bumping this as SOPS officially added support for SSH keys in v3.10.0.

I've been using only SSH keys in my own config for a couple months now and have had no issues, however they still get converted and written to age-keys.txt. I think this code path could be modified to remove the creation of those files in favor of letting SOPS handle it internally?

sops-nix/pkgs/sops-install-secrets/main.go

Lines 1328 to 1361 in 2c8def6

	if len(manifest.AgeSSHKeyPaths) != 0 || manifest.AgeKeyFile != "" {
	keyfile := filepath.Join(manifest.SecretsMountPoint, "age-keys.txt")
	os.Setenv("SOPS_AGE_KEY_FILE", keyfile)
	// Create the keyfile
	var ageFile *os.File
	ageFile, err = os.OpenFile(keyfile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
	return fmt.Errorf("cannot create '%s': %w", keyfile, err)
	}
	defer ageFile.Close()
	fmt.Fprintf(ageFile, "# generated by sops-nix at %s\n", time.Now().Format(time.RFC3339))
	// Import SSH keys
	if len(manifest.AgeSSHKeyPaths) != 0 {
	err = importAgeSSHKeys(manifest.Logging, manifest.AgeSSHKeyPaths, *ageFile)
	if err != nil {
	return err
	}
	}
	// Import the keyfile
	if manifest.AgeKeyFile != "" {
	// Read the keyfile
	var contents []byte
	contents, err = os.ReadFile(manifest.AgeKeyFile)
	if err != nil {
	return fmt.Errorf("cannot read keyfile '%s': %w", manifest.AgeKeyFile, err)
	}
	// Append it to the file
	_, err = ageFile.WriteString(string(contents) + "\n")
	if err != nil {
	return fmt.Errorf("cannot write key to age file: %w", err)
	}
	}
	}

The setup instructions could be simplified a bit at that point, since ssh-to-age would no longer be necessary.

[nikhilmaddirala]

I've been using only SSH keys in my own config for a couple months now and have had no issues, however they still get converted and written to age-keys.txt.

Adding ssh keys to .sops.yaml doesn’t work for me. To use sops-nix I have to use ssh-to-age to convert all my hosts’ ssh keys to age keys and then add those age keys to the .sops.yaml file.

Any idea why the ssh keys approach may not be working for me?

[travisty-]

@nikhilmaddirala I added sops-nix to my config in this commit if you want to take a look. I started with SSH keys up front though, so I didn't have to update the keys for any existing secrets (as mentioned in the previous comments).

[kevinboulain]

This issue has all the hints to use an SSH public key but for the record it appears that one needs to:

• replace the age key with the SSH public key in .sops.yaml:

  - - age1...
  + - ssh-ed25519 AAAA...

• sops updatekeys
• update the NixOS configuration to tell sops where to find the SSH key:

  # https://github.com/getsops/sops?tab=readme-ov-file#23encrypting-using-age
  sops.environment.SOPS_AGE_SSH_PRIVATE_KEY_FILE = lib.escapeShellArg ".../ed25519"; # You might want to pick something from config.services.openssh.hostKeys like what sops.age.sshKeyPaths does

Ideally, it would be possible to avoid the unnecessary conversion to age with something like:

sops.age.sshKeyPaths = [];

But it would trigger this assert. I'm not sure this can transparently be handled by sops-nix without another option (I'm also not sure how the previous poster got it working without SOPS_AGE_SSH_PRIVATE_KEY_FILE).

Edit: That's #779.

[bleetube]

I think I footgunned myself the same way, as I spent all day trying to get ssh key-only sops working. My flake.lock shows me using sops-nix rev 6e5a38e08a2c31ae687504196a230ae00ea95133. Might be a good idea to throw a note about what version of sops supports ssh native en/decrypt. Anyway I'm just glad to have it working at all (currently using an age key derived from the host ssh key). Cheers!

[codethief]

Related: #824