With GPG 2.x and sops , one extra step seems to be required
jizusun opened this issue · comments
First I have to say, I really really love the project, since I work with Kubernetes almost everyday at work but I never thought about managing my personal servers in this way 😄
Today I'm setting up the gpg and sops stuff with my Chromebook (crosh shell or chronos) and crew installed gnupg:
❯ gpg --version
gpg (GnuPG) 2.2.7
libgcrypt 1.8.6
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/chronos/user/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
But I got this error message
❯ sops -d secrets/foobar.yml
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
30E3BCD7A91E91F6: FAILED
- | could not decrypt data key with PGP key:
| golang.org/x/crypto/openpgp error: Could not load secring:
| open /home/chronos/user/.gnupg/secring.gpg: no such file or
| directory; GPG binary error: exit status 2
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
After searching a little bit I found this
getsops/sops#304 (comment)
And I guess this extra step seems to be required for gnupg 2.x:
GPG_TTY=$(tty)
export GPG_TTY
Since the README in sops doesn't have this information, I'm not sure if we need to add it in this repo to help gpg beginners like me to get it up and running more easily.
Thanks again for this great project!
Best regards,
Jizu
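The extra step above, as an added example that is not part of this issue or of the sops project: a small POSIX sh pre-flight that parses `gpg --version`, decides whether the install is GnuPG 2.1 or newer (from 2.1 on there is no secring.gpg, so sops falls back to the gpg binary, which prompts through gpg-agent/pinentry and needs GPG_TTY when the pinentry is terminal based), and exports GPG_TTY from the current terminal if it is unset. The function names, the SAMPLE_GPG_VERSION text and the messages are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the issue or the sops project). Function names and
# the sample text below are constructed for illustration.

# Constructed sample of `gpg --version` output, shaped like the one in the issue.
SAMPLE_GPG_VERSION='gpg (GnuPG) 2.2.7
libgcrypt 1.8.6
Home: /home/chronos/user/.gnupg'

# Extract "X.Y.Z" from the first line of `gpg --version` output.
gpg_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^gpg (GnuPG) \([0-9][0-9.]*\).*/\1/p'
}

# Succeed when the version is 2.1 or newer. GnuPG 2.1+ keeps secret keys under
# private-keys-v1.d (no secring.gpg) and prompts via gpg-agent/pinentry.
gpg_is_modern() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }
}

# Export GPG_TTY from the controlling terminal if it is not already set, so a
# terminal pinentry spawned by gpg-agent knows where to prompt. Prints the value;
# fails when there is no terminal (a tty pinentry could not prompt here anyway).
ensure_gpg_tty() {
    if [ -z "${GPG_TTY:-}" ]; then
        if t=$(tty 2>/dev/null) && [ -n "$t" ]; then
            GPG_TTY=$t
            export GPG_TTY
        else
            return 1
        fi
    fi
    printf '%s\n' "$GPG_TTY"
}

# Pre-flight: given `gpg --version` output, say whether the GPG_TTY step applies.
# Returns 0 for GnuPG 2.1+, 1 for a legacy keyring, 2 if the version is unparseable.
gpg_preflight() {
    v=$(gpg_version_from_output "$1")
    [ -n "$v" ] || { echo "could not parse gpg version"; return 2; }
    if gpg_is_modern "$v"; then
        echo "gnupg $v: no secring.gpg; export GPG_TTY before running sops"
        return 0
    fi
    echo "gnupg $v: legacy keyring, GPG_TTY not required"
    return 1
}

# Stand-alone usage: check the constructed sample, then the real gpg if present.
gpg_preflight "$SAMPLE_GPG_VERSION" || true
if command -v gpg >/dev/null 2>&1; then
    gpg_preflight "$(gpg --version)" || true
    ensure_gpg_tty || echo "no controlling terminal; GPG_TTY left unset"
fi
```

Run it once before `sops -d`; if it reports a 2.1+ install, put the `GPG_TTY=$(tty); export GPG_TTY` lines in the shell profile so every sops invocation inherits them.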
Thanks for reporting, going to add it to the README.
👍
done