Decryption not working with pgp key derived from ssh host key #477
Comments
Ok, I can edit the secret manually with sops on the target (nixvm) when I do this:
But shouldn't steps 2 and 3 be done by sops-nix?? Edit: Migrating my setup to age works. So it seems the import part of the ssh derived key for gpg is the issue. Any idea where I could look next to fix this? Edit2:
With this nixos-rebuild works without errors and the secret is available. But I would really like to avoid this setup, since the manual step defeats the purpose of sops-nix for my use case.
Found the problem.
This left the generated directory with the generated Then I created a nix-shell just like before with Which only leaves the call to
It seems it is unable to use the generated
I'm having just almost the same setup as you in my NixOS flake using
My configuration of What I noticed in the errors that is interesting is that it is looking for
I have no problems with creating and decrypting my
Hope this problem will be addressed soon. 🙏
What really bugs me, is that the sops-nix generated
Pretty sure the issue is upstream, there are a bunch of issues related to this: getsops/sops#1414 I, too, would like it to just work again, adding a new key a week or so ago broke my previously working secrets.
Is this still an issue after #512 ? This now should use gnupg on all rsa keys.
#512 Fixed it for me, thanks.
I'm not sure if I am missing something or if there really is an issue.
I try to decrypt the password for my user during a `nixos-rebuild switch` but I get this error instead:
It seems that SOPS can not decrypt the secret. So I started a shell with the `nix-shell` hook from the readme and tried to decrypt it manually with SOPS. `sops secrets/default.yaml` gives me:
GPG has the needed public keys but it seems the private key for the machine is missing. `gpg --list-keys`:
Am I missing something? Do I manually need to import the machine's private key? Since the public key got generated with ssh-to-pgp I thought this would not be necessary.
This is my `.sops.yaml`:
The sops-nix integration into my flake and the configuration was all done as described in the documentation.
Flake inputs:
Configuration part of the Flake:
The configuration part:
I really don't know where to look next, does anybody have an idea?
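The question above boils down to "does the gpg keyring sops will use actually contain the secret half of the key that ssh-to-pgp derives from the ssh host key?". The script below is an added diagnostic for exactly that check; it is not part of sops-nix and not code from anyone in this thread. It assumes `ssh-to-pgp` and `gpg` (2.2 or newer, for `--show-keys`) are on PATH, that the host key lives at `/etc/ssh/ssh_host_rsa_key` unless another path is given, and it uses `GNUPGHOME` as already exported by the nix-shell hook. The key listing in the usage note is constructed sample data, not output from any real machine.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from sops-nix or the issue author): does the gpg
# keyring hold the *secret* key that matches the ssh host key ssh-to-pgp uses?
set -eu

# Read `gpg --with-colons --list-secret-keys` output from stdin and print the
# fingerprint of each primary secret key, one per line.  In colon format the
# `sec` record is immediately followed by an `fpr` record whose field 10 is the
# fingerprint; subkey (`ssb`) fingerprints are skipped.
secret_key_fingerprints() {
  awk -F: '
    $1 == "sec"          { want = 1; next }
    $1 == "fpr" && want  { print $10; want = 0; next }
    $1 != "fpr"          { want = 0 }
  '
}

# Exit 0 if the fingerprint in $1 (any case) is among the secret keys in the
# colon-format listing read from stdin, 1 otherwise.
has_secret_key() {
  local wanted
  wanted=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  secret_key_fingerprints | grep -qx "$wanted"
}

# Live check against the real keyring.  Derives the PGP fingerprint of the
# host key with ssh-to-pgp (public half only, as in the sops-nix README) and
# looks for the matching secret key.  Host key path is an assumption.
check_host_key() {
  local host_key=${1:-/etc/ssh/ssh_host_rsa_key}
  local fpr
  fpr=$(ssh-to-pgp -i "$host_key" \
        | gpg --with-colons --show-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')
  if gpg --with-colons --list-secret-keys | has_secret_key "$fpr"; then
    echo "secret key $fpr is present in ${GNUPGHOME:-~/.gnupg}; sops can decrypt"
  else
    echo "secret key $fpr is MISSING from ${GNUPGHOME:-~/.gnupg}" >&2
    echo "import it with: ssh-to-pgp -private-key -i $host_key | gpg --import" >&2
    return 1
  fi
}

# Only touch the real keyring when explicitly asked, so the file can be
# sourced for its functions without side effects.
if [ "${1:-}" = "--check" ]; then
  check_host_key "${2:-}"
fi
```

Run it as `sudo bash check-host-key.sh --check` (root is needed to read the host key) inside the same `nix-shell` the README hook sets up, so `GNUPGHOME` matches what `sops` will see. A `MISSING` result reproduces the symptom in the issue: `gpg --list-keys` shows the public key that ssh-to-pgp exported, but decryption needs the secret key, which only exists in the keyring if it was imported with `-private-key`.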