Malformed secret key: unknown type "age" #1177

Open
ebiscaia opened this issue Mar 1, 2023 · 3 comments

ebiscaia commented Mar 1, 2023

Hi everyone,

I am not able to use sops with age. I can encrypt the files, but when I try to decrypt them I bump into this error:

  • | error at line 1: malformed secret key: unknown type "age"

So here is how I am working:

sops --encrypt -a $(grep -oP "public key: \K(.*)" $SOPS_AGE_KEY_FILE) --encrypted-regex "^(data|stringData)$" --in-place test2.yaml
sops --decrypt -a $(grep -oP "public key: \K(.*)" $SOPS_AGE_KEY_FILE) --encrypted-regex "^(data|stringData)$" --in-place test2.yaml
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  age1xdx0w6v7p8sqdcc6pmpyq7ym77q40fq8gckzugzrry22nuc60f8qqsufrt: FAILED
    - | error at line 1: malformed secret key: unknown type "age"

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

I can encrypt and decrypt using just age but with Sops.

And here are the versions of both Sops and Age:

sops --version                                                                   
sops 3.7.3 (latest)
age --version
v1.1.1

Also, my issue seems to be similar to this, with the difference that that one is specific to yubikey and mine is just with plain age.

Thanks,

Eduardo

blinkeye commented Mar 27, 2023

I have the same issue, setting SOPS_AGE_KEY_FILE= as mentioned in #914 also doesn't work. What I have to do is unset SOPS_AGE_KEY while also setting SOPS_AGE_KEY_FILE:

Example:

export SOPS_AGE_KEY=age1XXX
➜  sops --encrypt --age $SOPS_AGE_KEY ./config.yaml > config.enc.yaml

# Trying to decrypt results in an error
➜  sops --decrypt config.enc.yaml                                                    
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  age1XXX: FAILED
    - | error at line 1: malformed secret key: unknown type "age"

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

# unset SOPS_AGE_KEY
➜  unset SOPS_AGE_KEY
➜  sops --decrypt config.enc.yaml
my-key: my-value

Update:
It seems like SOPS_AGE_KEY is preferred over SOPS_AGE_KEY_FILE and its function changes for encrypt and decrypt respectively: for encrypt SOPS_AGE_KEY is the public key, but for decrypt - if set - it should be the private key:

unset SOPS_AGE_KEY_FILE
➜  export SOPS_AGE_KEY=AGE-SECRET-KEY-XXX
➜  sops --decrypt config.enc.yaml
my-key: my-value

@hurzelpurzel

My experience is as follows:
For encryption you need the recipients list containing all public keys of the ones that should be able to decrypt. This can be provided either in the .sops.yaml, as comma-separated values in the SOPS_AGE_RECIPIENTS env variable, or can be given in the -a parameter.
The encryption process creates one encrypted entry for each recipient. So if you change the list you need to decrypt and encrypt again to adopt the new recipient.

The SOPS_AGE_KEY_FILE is only needed for decryption.

@tomaszduda23
Contributor

It seems to be caused by a password-protected key file. Support for that is added by #1400
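
A pre-flight check for the two failure modes reported in this thread (a public key in SOPS_AGE_KEY at decrypt time, and a passphrase-protected key file), as an added example that is not from any participant or from the SOPS project. The function names are hypothetical; the prefixes matched are those of age's own formats (`age1` recipients, `AGE-SECRET-KEY-1` identities, and the `age-encryption.org/v1` or armored header of an age-encrypted file).

```shell
# Added example, not from the thread. Classify one line of age key material by its prefix.
classify_age_line() {
  case "$1" in
    AGE-SECRET-KEY-1*) echo identity ;;   # private key: what decryption needs
    age1*)             echo recipient ;;  # public key: only valid for encryption
    age-encryption.org/v1*|"-----BEGIN AGE ENCRYPTED FILE-----"*) echo encrypted ;;
    ""|"#"*)           echo comment ;;
    *)                 echo unknown ;;    # anything this sketch does not model
  esac
}

# Emit "<line-number>:<kind>" for each non-comment line on stdin.
scan_age_material() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    kind=$(classify_age_line "$line")
    [ "$kind" = comment ] || echo "$n:$kind"
    if [ "$kind" = encrypted ]; then break; fi   # the rest is ciphertext
  done
}

# Read scan output on stdin; $1 names the source. Prints kinds only, never key material.
report_source() {
  bad=0; ids=0
  while IFS=: read -r n kind; do
    case "$kind" in
      identity)  ids=$((ids + 1)) ;;
      recipient) echo "$1 line $n: public key where a private key is required"; bad=1 ;;
      encrypted) echo "$1 line $n: passphrase-protected key file"; bad=1 ;;
      *)         echo "$1 line $n: unrecognised content"; bad=1 ;;
    esac
  done
  [ "$ids" -gt 0 ] || [ "$bad" -eq 1 ] || { echo "$1: no identity found"; bad=1; }
  return "$bad"
}

# Check both variables independently before running `sops --decrypt`.
sops_age_preflight() {
  rc=0
  if [ -n "${SOPS_AGE_KEY:-}" ]; then
    printf '%s\n' "$SOPS_AGE_KEY" | scan_age_material | report_source SOPS_AGE_KEY || rc=1
  fi
  if [ -n "${SOPS_AGE_KEY_FILE:-}" ]; then
    scan_age_material < "$SOPS_AGE_KEY_FILE" | report_source SOPS_AGE_KEY_FILE || rc=1
  fi
  return "$rc"
}
```

Used as `sops_age_preflight && sops --decrypt config.enc.yaml`, it prints nothing and returns 0 when every configured source contains only identities.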
