secret was encrypted with newer version error #23

Closed
networklessons opened this issue Apr 17, 2019 · 6 comments

@networklessons

I use the latest version of kubesec but see this message when decrypting a secret that I encrypted previously on another machine:

kubesec decrypt secret-oxidixed-id-rsa.pub.yml
It appears that Secret was encrypted with newer version of kubesec.
Visit https://github.com/shyiko/kubesec for upgrade instructions.

I'm using the latest version though:

kubesec --version
0.9.2

I'm using AWS KMS. Any idea how to troubleshoot this?

@shyiko
Owner

shyiko commented Apr 18, 2019

Hi.
Check that

  1. secret-oxidixed-id-rsa.pub.yml is actually encrypted (it should contain # kubesec:v:4)
  2. kubesec --version where you are trying to kubesec decrypt is >= kubesec --version when secret was encrypted.

@networklessons
Author

Hi,

Thanks for the quick reply, I figured out the issue; it happens when I add the encrypted file to my gitlab repository:

  1. Create a new secret.yml file.
  2. kubesec encrypt --key=aws:arn:aws:kms:us-west-1:000000000000:key/00000000-0000-0000-0000-000000000000 secret.yml
  3. commit and push secret.yml to gitlab repository
  4. git clone gitlab repository in a new folder
  5. kubesec decrypt gives the error.

Something happens with the file: the MD5 hashes of the locally created file and the git cloned file are different. Not sure what git(lab) does and if this also happens with github.

md5sum secret.yml
fe456c002f07b37edd5234ec7d10ad45 *secret.yml
md5sum secret.yml
cfc92c6bb9ccd7ee21ce2916132ff7d0 *secret.yml

@networklessons
Author

networklessons commented Apr 18, 2019

Here is an example btw:

apiVersion: v1
data:
  id_rsa.pub: 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
kind: Secret
metadata:
  name: secret-oxidized-id-rsa-pub
type: Opaque

When you kubesec encrypt this, commit it to a repo, then pull it to another folder then you can't decrypt it anymore. Perhaps this is a git issue with very long lines?

@shyiko
Copy link
Owner

shyiko commented Apr 18, 2019

Any chance you have .gitattributes with newline normalization? https://help.github.com/en/articles/dealing-with-line-endings

@networklessons
Author

I don't have one, I did use kubesec on Windows. Should I try it?

@guitarrapc

I've encountered the same issue, and it was caused by EOL.
The git committed secrets.enc.yaml was LF, but the cloned one was CRLF.

I can avoid the issue by changing the file EOL to LF and using .gitattributes to specify the file EOL.
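
The line-ending cause reported in this thread, as an added example that is not part of the original discussion or the kubesec project: it shows how a CRLF conversion changes the checksum of an encrypted file, how to detect and undo it, and how to pin the file to LF in `.gitattributes`. The file name, sample content and helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; file names, sample content and helper names are constructed.
CR=$(printf '\r')

# has_crlf FILE: succeeds if any line in FILE ends with CR LF.
has_crlf() { grep -q "${CR}\$" "$1"; }

# to_lf FILE: rewrite FILE in place with LF-only line endings.
to_lf() {
    sed "s/${CR}\$//" "$1" > "$1.lf.$$" && mv "$1.lf.$$" "$1"
}

# digest FILE: checksum of the exact bytes (cksum is POSIX; md5sum works too).
digest() { cksum < "$1"; }

# pin_lf REPO PATH: tell Git to always check PATH out with LF endings.
pin_lf() { printf '%s text eol=lf\n' "$2" >> "$1/.gitattributes"; }

# demo: succeeds if CRLF conversion changed the checksum and to_lf restored it.
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/secret.yml"
    # Constructed stand-in for an encrypted secret, written with LF endings.
    printf 'apiVersion: v1\ndata:\n  key: CONSTRUCTED-CIPHERTEXT\nkind: Secret\n# kubesec:v:4\n' > "$f"
    original=$(digest "$f")
    # Simulate a checkout that converted LF to CRLF.
    sed "s/\$/${CR}/" "$f" > "$f.crlf" && mv "$f.crlf" "$f"
    has_crlf "$f" && echo "CRLF line endings detected in secret.yml"
    converted=$(digest "$f")
    to_lf "$f"
    restored=$(digest "$f")
    pin_lf "$dir" "secret.yml"
    echo "original:  $original"
    echo "converted: $converted"
    echo "restored:  $restored"
    echo ".gitattributes: $(cat "$dir/.gitattributes")"
    rm -rf "$dir"
    [ "$original" != "$converted" ] && [ "$original" = "$restored" ]
}

demo
```

In an existing repository, `git add --renormalize .` re-applies the new `.gitattributes` rule to files that are already tracked.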
