Decryption not working with pgp key derived from ssh host key #477

Closed
kagehisa opened this issue Jan 29, 2024 · 7 comments

Comments

@kagehisa

kagehisa commented Jan 29, 2024

I'm not sure if I am missing something or if there really is an issue.

I am trying to decrypt the password for my user during a nixos-rebuild switch, but I get this error instead:

activating the configuration...
sops-install-secrets: Imported /etc/ssh/ssh_host_rsa_key as GPG key with fingerprint fc5624a466cdf7729a4be7e41d407079412e01bc
sops-install-secrets: Imported /etc/ssh/ssh_host_ed25519_key as age key with fingerprint age1mhlx8c8xwkg4ae4awq6tmhhae4evwqwq5j7hwt4cqfp483cyz5hser9ef6
/nix/store/6kpwdjb1wa46cj9pc0ipvg7xd82vpy3j-sops-install-secrets-0.0.1/bin/sops-install-secrets: Failed to decrypt '/nix/store/fk9imaal42irdmbslvan3ddv2m3qzhx6-default.yaml': Error getting data key: 0 successful groups required, got 0
Activation script snippet 'setupSecretsForUsers' failed (1)
warning: password file ‘/run/secrets-for-users/password_manji’ does not exist
setting up /etc...
reloading user units for manji...
setting up tmpfiles
warning: error(s) occurred while switching to the new configuration

It seems that SOPS can not decrypt the secret. So I started a shell with the nix-shell hook from the readme and tried to decrypt it manually with SOPS.
sops secrets/default.yaml gives me:

Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
5C3960F507DD4ACC468EE93FE6C10F242BF4141B: FAILED
- | could not decrypt data key with PGP key:
| github.com/ProtonMail/go-crypto/openpgp error: could not
| load secring: open /home/manji/.gnupg/pubring.gpg: no such
| file or directory; GnuPG binary error: failed to decrypt
| sops data key with pgp: gpg: encrypted with RSA key, ID
| 0000000000000000
| gpg: public key decryption failed: No secret key
| gpg: decryption failed: No secret key

fc5624a466cdf7729a4be7e41d407079412e01bc: FAILED
- | could not decrypt data key with PGP key:
| github.com/ProtonMail/go-crypto/openpgp error: could not
| load secring: open /home/manji/.gnupg/pubring.gpg: no such
| file or directory; GnuPG binary error: failed to decrypt
| sops data key with pgp: gpg: encrypted with RSA key, ID
| 0000000000000000
| gpg: public key decryption failed: No secret key
| gpg: decryption failed: No secret key

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

GPG has the needed public keys but it seems the private key for the machine is missing:
gpg --list-keys:

[keyboxd]

pub rsa4096 2023-12-30 [C]
5C3960F507DD4ACC468EE93FE6C10F242BF4141B
uid [ unknown] SveWo [email protected]
sub rsa4096 2023-12-30 [S]
sub rsa4096 2023-12-30 [E]
sub rsa4096 2023-12-30 [A]

pub rsa4096 1970-01-01 [SCE]
FC5624A466CDF7729A4BE7E41D407079412E01BC
uid [ unknown] root (Imported from SSH) root@localhost

Am I missing something? Do I manually need to import the machine's private key? Since the public key was generated with ssh-to-pgp, I thought this would not be necessary.

This is my .sops.yaml:

# This example uses YAML anchors which allows reuse of multiple keys
# without having to repeat yourself.
# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
# for a more complex example.
keys:
  - &admin_manji 5C3960F507DD4ACC468EE93FE6C10F242BF4141B
  - &nixvm fc5624a466cdf7729a4be7e41d407079412e01bc
creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - pgp:
      - *admin_manji
      - *nixvm

The sops nix integration into my flake and the configuration was all done as described in the documentation.
Flake inputs:

    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";

Configuration part of the Flake:

# nixvm
      nixvm = nixpkgs.lib.nixosSystem {
        specialArgs = {inherit inputs outputs;};
        inherit system;
        modules = [
          ./systems/nixvm/configuration.nix
           disko.nixosModules.disko
           sops-nix.nixosModules.sops
          ];
      };

The configuration part:

  #sops integration
  sops.defaultSopsFile = ../secrets/default.yaml;
 
  sops.secrets.password_manji.neededForUsers = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.manji = {
    isNormalUser = true;
    description = "manji";
    hashedPasswordFile = config.sops.secrets.password_manji.path;
    openssh.authorizedKeys.keyFiles = [ ssh-keys.outPath ];
    extraGroups = [ "networkmanager" "wheel" ];
    packages = with pkgs; [];
  };


I really don't know where to look next, does anybody have an idea?

@kagehisa
Author

kagehisa commented Jan 29, 2024

Ok, I can edit the secret manually with sops on the target (nixvm) when I do this:

  1. create a nix-shell with nix-shell -p gnupg sops ssh-to-pgp
  2. manually export the private pgp key based on the ssh host key sudo ssh-to-pgp -private-key -i /etc/ssh/ssh_host_rsa_key -o secrets/nixvm_private.asc
  3. import the private key to gpg with gpg --import /etc/nixos/secrets/nixvm_private.asc
  4. decrypt the secret with sops secrets/default.yaml

But shouldn't steps 2 and 3 be done by sops-nix??

Edit: Migrating my setup to age works. So it seems the import part of the ssh derived key for gpg is the issue. Any idea where I could look next to fix this?

Edit2:
Using gpg works when setting up the gpg home manually on the target host. I did the following:

  • Create a shell with sudo nix-shell -p sops gnupg ssh-to-pgp
  • Creating the GNUPGHOME, create private pgp key for host based on ssh key, import the private and the public keys
mkdir -p /var/lib/sops
chmod -R 640 /var/lib/sops
ssh-to-pgp -private-key -i /etc/ssh/ssh_host_rsa_key -o secrets/nixvm_private.asc 
gpg --homedir /var/lib/sops --import secrets/nixvm_private.asc
gpg --homedir /var/lib/sops --import secrets/keys/systems/nixvm.asc
gpg --homedir /var/lib/sops --import secrets/keys/user/manji.asc
GNUPGHOME=/var/lib/sops sops secrets/default.yaml
  • setting the config parameters sops.gnupg.home = "/var/lib/sops"; and sops.gnupg.sshKeyPaths = [];

With this nixos-rebuild works without errors and the secret is available. But I would really like to avoid this setup, since the manual step defeats the purpose of sops-nix for my use case.

@kagehisa kagehisa changed the title No decryption with pgp key derived from ssh host key Decryption not working with pgp key derived from ssh host key Jan 31, 2024
@kagehisa
Author

kagehisa commented Feb 2, 2024

Found the problem.
After some digging I disabled the removal of the GPGHOME dir from sops-install-secrets.

func (k *keyring) Remove() {
	//os.RemoveAll(k.path)
	os.Unsetenv("GNUPGHOME")
}

This left the generated directory with the generated secring.gpg in the /run/secrets.d directory after the failed nixos-switch attempt.

Then I created a nix-shell just like before with gnupg, sops, ssh-to-pgp and set the environment variable GNUPGHOME to the gpg directory in /run/secrets.d.
And with this sops is able to decrypt the secret file. No issues.

Which only leaves the call to "go.mozilla.org/sops/v3/decrypt" as the culprit.

plain, err := decrypt.File(s.SopsFile, string(s.Format))
if err != nil {
   return fmt.Errorf("Failed to decrypt '%s': %w", s.SopsFile, err)
}

It seems it is unable to use the generated secring.gpg. Sops itself triggers a conversion of the generated secring.gpg into the newer keybox format, and in general into the now-used form of GNUPGHOME, through a call to gnupg itself, and is therefore able to make use of the sops-nix generated secring. The call to decrypt.File(), however, does nothing like this. #65 seems related.

@rotteegher

rotteegher commented Feb 6, 2024

I have almost the same setup as you in my NixOS flake using home-manager and encountered the same error while trying to nixos rebuild switch --flake .#desktop:

activating the configuration...
sops-install-secrets: Imported /persist/home/rot/.ssh/id_ed25519 as age key with fingerprint age1yqyh5aelqagrawsaula9rp3u20evcfh5xgh0g5lhvw4avrnrrdgsakylrx
/nix/store/ryjchkdl5nxifaxxa67m0yxrs2jp4dic-sops-install-secrets-0.0.1/bin/sops-install-secrets: Failed to decrypt '/nix/store/c0cvb7hbm79m8kf3x6a70gizp7a5z5xa-secrets.json': Error getting data key: 0 successful groups required, got 0
Activation script snippet 'setupSecretsForUsers' failed (1)
warning: password file ‘/run/secrets-for-users/rp’ does not exist
warning: password file ‘/run/secrets-for-users/up’ does not exist
setting up /etc...
reloading user units for rot...
restarting sysinit-reactivation.target
warning: error(s) occurred while switching to the new configuration

My sops configuration is just about identical to yours and I'm getting the same output.

What I found interesting in the errors is that it is looking for pubring.gpg in the GNUPGHOME:

It seems that SOPS can not decrypt the secret. So I started a shell with the nix-shell hook from the readme and tried to decrypt it manually with SOPS. sops secrets/default.yaml gives me:

Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
5C3960F507DD4ACC468EE93FE6C10F242BF4141B: FAILED
- | could not decrypt data key with PGP key:
  | github.com/ProtonMail/go-crypto/openpgp error: could not
  | load secring: open /home/manji/.gnupg/pubring.gpg: no such
  | file or directory; GnuPG binary error: failed to decrypt
  | sops data key with pgp: gpg: encrypted with RSA key, ID
  | 0000000000000000
  | gpg: public key decryption failed: No secret key
  | gpg: decryption failed: No secret key

fc5624a466cdf7729a4be7e41d407079412e01bc: FAILED
- | could not decrypt data key with PGP key:
  | github.com/ProtonMail/go-crypto/openpgp error: could not
  | load secring: open /home/manji/.gnupg/pubring.gpg: no such
  | file or directory; GnuPG binary error: failed to decrypt
  | sops data key with pgp: gpg: encrypted with RSA key, ID
  | 0000000000000000
  | gpg: public key decryption failed: No secret key
  | gpg: decryption failed: No secret key

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

While the GNUPGHOME directory usually has pubring.kbx instead, which I think is a different format from the .gpg file it is looking for.

I have no problems creating and decrypting my hosts/secrets.json file (in your case secrets/default.yaml) manually, as I set my GNUPGHOME and sops.gnupg.home (the sops home-manager option) to $HOME/.local/share/.gnupg and created and imported my keys there to create the encrypted hosts/secrets.json in my configuration.

❯ gpg --list-secret-keys --keyid-format=long
/home/rot/.local/share/.gnupg/pubring.kbx
-----------------------------------------
sec   brainpoolP256r1/92058DC9E2CF5F4C 2024-02-06 [SC]
      C13DE393EA81C0E38F1CF95392058DC9E2CF5F4C
uid                 [ultimate] Dmytro Serdiukov <[email protected]>
uid                 [ultimate] Dmytro Serdiukov <[email protected]>
ssb   brainpoolP256r1/A32FE28F0F2886A1 2024-02-06 [E]

sec   rsa4096/65AAAA33E78CB3A2 1970-01-01 [SCE]
      CD3FD5A35F94AA20A38692B965AAAA33E78CB3A2
uid                 [ unknown] root (Imported from SSH) <root@localhost>

Hope this problem will be addressed soon. 🙏
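The format mismatch that the two comments above circle around (sops-nix writes a legacy secring.gpg; a GnuPG 2.1+ home keeps pubring.kbx and private-keys-v1.d; sops' pure-Go OpenPGP path opens the legacy pubring.gpg/secring.gpg files and only the gpg binary migrates them) can be checked directly on a GNUPGHOME. The Go program below is an added example written for this page, not code from sops, sops-nix or go-crypto: it walks secring.gpg as an OpenPGP packet stream, recognises the keybox header magic, and reports whether a reader that only opens the legacy files can see any secret keys. The KeyringProbe, ProbeGnupgHome, packetTags and Diagnose names are the example's own, and FakeSecring is a constructed sample with placeholder packet bodies, not a real keyring; the header layouts follow RFC 4880 section 4.2 and the keybox header blob (type 1, magic "KBXf" at offset 8).

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// KeyringProbe summarises which key stores a GNUPGHOME directory contains.
type KeyringProbe struct {
	HasSecringGPG   bool // legacy secring.gpg: the pre-2.1 secret keyring a pure-Go OpenPGP keyring loader opens
	HasPubringKBX   bool // pubring.kbx keybox: the GnuPG >= 2.1 public-key store
	HasPrivateKeysD bool // private-keys-v1.d/: the GnuPG >= 2.1 secret-key store owned by gpg-agent
	SecretKeys      int  // top-level secret-key packets (tag 5) found in secring.gpg
}

// isKeybox checks the keybox header blob: u32 length, u8 type (1 = header), u8 version, u16 flags, magic "KBXf".
func isKeybox(data []byte) bool {
	return len(data) >= 12 && data[4] == 1 && bytes.Equal(data[8:12], []byte("KBXf"))
}

// bodyLen decodes an OpenPGP body length (RFC 4880 section 4.2) from the octets after the header octet
// and returns (body length, total header length). Partial body lengths do not occur in keyring files.
func bodyLen(hdr byte, rest []byte) (uint64, int, error) {
	if hdr&0x40 == 0 { // old-format header: length type in bits 1..0
		switch lt := hdr & 0x03; {
		case lt == 0 && len(rest) >= 1:
			return uint64(rest[0]), 2, nil
		case lt == 1 && len(rest) >= 2:
			return uint64(binary.BigEndian.Uint16(rest)), 3, nil
		case lt == 2 && len(rest) >= 4:
			return uint64(binary.BigEndian.Uint32(rest)), 5, nil
		case lt == 3: // indeterminate: the body runs to the end of the input
			return uint64(len(rest)), 1, nil
		}
	} else { // new-format header: the first octet selects a 1-, 2- or 5-octet length
		switch {
		case len(rest) >= 1 && rest[0] < 192:
			return uint64(rest[0]), 2, nil
		case len(rest) >= 2 && rest[0] < 224:
			return (uint64(rest[0])-192)<<8 + uint64(rest[1]) + 192, 3, nil
		case len(rest) >= 5 && rest[0] == 255:
			return uint64(binary.BigEndian.Uint32(rest[1:5])), 6, nil
		case len(rest) >= 1 && rest[0] >= 224 && rest[0] < 255:
			return 0, 0, errors.New("partial body length is not valid in a keyring")
		}
	}
	return 0, 0, errors.New("truncated packet header")
}

// packetTags walks a concatenation of OpenPGP packets and returns their tags. A legacy keyring is
// exactly such a stream; a keybox file is not and fails on its first octet.
func packetTags(data []byte) ([]int, error) {
	var tags []int
	for len(data) > 0 {
		hdr := data[0]
		if hdr&0x80 == 0 {
			return tags, errors.New("not an OpenPGP packet stream: bit 7 of the header octet is clear")
		}
		tag := int(hdr & 0x3f) // new format: tag in bits 5..0
		if hdr&0x40 == 0 {     // old format: tag in bits 5..2
			tag = int(hdr>>2) & 0x0f
		}
		blen, hlen, err := bodyLen(hdr, data[1:])
		if err != nil {
			return tags, fmt.Errorf("packet tag %d: %w", tag, err)
		}
		end := uint64(hlen) + blen
		if end > uint64(len(data)) {
			return tags, fmt.Errorf("packet tag %d: body length %d exceeds remaining input", tag, blen)
		}
		tags, data = append(tags, tag), data[end:]
	}
	return tags, nil
}

// ProbeGnupgHome inspects a GNUPGHOME and reports which key stores exist and how many secret keys secring.gpg holds.
func ProbeGnupgHome(dir string) (KeyringProbe, error) {
	var p KeyringProbe
	if _, err := os.Stat(filepath.Join(dir, "private-keys-v1.d")); err == nil {
		p.HasPrivateKeysD = true
	}
	if kbx, err := os.ReadFile(filepath.Join(dir, "pubring.kbx")); err == nil {
		p.HasPubringKBX = isKeybox(kbx)
	}
	sec, err := os.ReadFile(filepath.Join(dir, "secring.gpg"))
	if errors.Is(err, os.ErrNotExist) {
		return p, nil
	} else if err != nil {
		return p, err
	}
	p.HasSecringGPG = true
	tags, err := packetTags(sec)
	if err != nil {
		return p, fmt.Errorf("secring.gpg: %w", err)
	}
	for _, t := range tags {
		if t == 5 {
			p.SecretKeys++
		}
	}
	return p, nil
}

// Diagnose states whether a reader that only opens secring.gpg can see secret keys in this home.
func Diagnose(p KeyringProbe) string {
	switch {
	case p.SecretKeys > 0:
		return fmt.Sprintf("legacy secring.gpg with %d secret key(s): a pure-Go reader can load it; GnuPG >= 2.1 migrates it on first use", p.SecretKeys)
	case p.HasPubringKBX || p.HasPrivateKeysD:
		return "keybox/private-keys-v1.d only: a reader of secring.gpg sees no keys here; decrypt through the gpg binary"
	default:
		return "no key material found"
	}
}

// FakeSecring is a constructed (not real) legacy secring.gpg: secret key (tag 5), user ID (tag 13),
// secret subkey (tag 7). Bodies are placeholders; only the packet framing matters to this probe.
func FakeSecring() []byte {
	return []byte{
		0x94, 3, 'k', 'e', 'y', // old format, tag 5, one-octet length
		0xCD, 4, 'r', 'o', 'o', 't', // new format, tag 13, one-octet length
		0x9D, 0, 2, 's', 'k', // old format, tag 7, two-octet length
	}
}
```

Pointing ProbeGnupgHome at the directory sops-nix leaves under /run/secrets.d (with the Remove() call disabled as in the comment above) versus at a normal ~/.gnupg shows the two cases side by side: the first yields "legacy secring.gpg with N secret key(s)", the second "keybox/private-keys-v1.d only", which is the situation the go-crypto error message describes.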

@kagehisa
Author

kagehisa commented Feb 6, 2024

What really bugs me, is that the sops-nix generated secring.gpg works. If I use it as an GNUPGHOME for the sops-nix config it works without issues. But if sops-nix generates the secring.gpg and has to use it to decrypt it fails.
When I look at the code, I can not see any reason why it does what it does. In both cases the GNUPGHOME env is set in the go code itself. So as far as I can see there is no prior gpg initialization. But I am still trying to make sense of the whole nix code surrounding the go application. So far this bug has taught me more about nix than most tutorials, but I would really like to have it working now...

@TLATER

TLATER commented Mar 13, 2024

Pretty sure the issue is upstream, there are a bunch of issues related to this: getsops/sops#1414

I, too, would like it to just work again, adding a new key a week or so ago broke my previously working secrets.

@Mic92
Owner

Mic92 commented Mar 14, 2024

Is this still an issue after #512 ?

This now should use gnupg on all rsa keys.

@kagehisa
Author

#512 Fixed it for me, thanks.

@Mic92 Mic92 closed this as completed Mar 16, 2024