Difference between revisions of "Sops --decrypt"
Jump to navigation
Jump to search
(→Errors) |
|||
| (11 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
[[sops]] --decrypt /path/to/your/file/to/decrypt.yaml | [[sops]] --decrypt /path/to/your/file/to/decrypt.yaml | ||
[[sops --decrypt --in-place]] /path/to/your/file/to/decrypt.yaml | [[sops --decrypt --in-place]] /path/to/your/file/to/decrypt.yaml | ||
| − | + | [[sops --encrypt --gcp-kms]] --in-place | |
sops --decrypt contrib/helm/your-projects/secrets_prod.yaml | sops --decrypt contrib/helm/your-projects/secrets_prod.yaml | ||
| Line 15: | Line 15: | ||
To edit file directly in your text editor: | To edit file directly in your text editor: | ||
sops contrib/helm/your-projects/secrets_prod.yaml | sops contrib/helm/your-projects/secrets_prod.yaml | ||
| + | [[--ignore-mac]] | ||
| + | |||
| Line 24: | Line 26: | ||
Group 0: FAILED | Group 0: FAILED | ||
projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key: FAILED | projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key: FAILED | ||
| − | - | Error decrypting key: googleapi: Error 403: Permission | + | - | Error decrypting key: [[googleapi: Error 403: Permission]] |
| 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource | | 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource | ||
| 'projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key' | | 'projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key' | ||
| Line 33: | Line 35: | ||
Solution: [[Cloud KMS CryptoKey Encrypter/Decrypter]] | Solution: [[Cloud KMS CryptoKey Encrypter/Decrypter]] | ||
| + | |||
| + | Failed to get the [[data key]] required to decrypt the SOPS file. | ||
| + | Group 0: FAILED | ||
| + | projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key: FAILED | ||
| + | - | Error decrypting key: Post | ||
| + | | https://cloudkms.googleapis.com/v1/projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key:decrypt?alt=json&prettyPrint=false: | ||
| + | | [[oauth2: cannot fetch token: Post]] | ||
| + | | https://oauth2.googleapis.com/token: [[net/http: TLS handshake]] | ||
| + | | timeout | ||
| + | Recovery failed because [[no master key was able to decrypt the file]]. In | ||
| + | order for SOPS to recover the file, at least one key has to be successful, | ||
| + | but none were. | ||
| + | |||
| + | Solution: review your [[SOPS_GCP_KMS_IDS]] environment variable or [[--gcp-kms]] value | ||
| + | |||
| + | |||
| + | |||
| + | [[MAC mismatch]]. File has <signature>, computed <different signature> | ||
== Related == | == Related == | ||
| Line 39: | Line 59: | ||
* [[GCP KMS]] | * [[GCP KMS]] | ||
* [[Decrypt]] | * [[Decrypt]] | ||
| + | * <code>[[SOPS_GCP_KMS_IDS]]</code> [[environment variable]] | ||
== See also == | == See also == | ||
| + | * {{sops --decrypt}} | ||
* {{sops}} | * {{sops}} | ||
* {{SOPS}} | * {{SOPS}} | ||
[[Category:Secrets]] | [[Category:Secrets]] | ||
Latest revision as of 09:10, 24 November 2022
--decrypt, -d
sops --decrypt /path/to/your/file/to/decrypt.yaml sops --decrypt --in-place /path/to/your/file/to/decrypt.yaml sops --encrypt --gcp-kms --in-place
sops --decrypt contrib/helm/your-projects/secrets_prod.yaml (no output) File will be unencrypted and replated.
To edit file directly in your text editor:
sops contrib/helm/your-projects/secrets_prod.yaml --ignore-mac
Errors[edit]
sops -d contrib/helm/your-aplication/secrets_prod.yaml > /tmp/decrypted_secrets_prod.yaml Failed to get the data key required to decrypt the SOPS file. Group 0: FAILED projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key: FAILED - | Error decrypting key: googleapi: Error 403: Permission | 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource | 'projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key' | (or it may not exist)., forbidden Recovery failed because no master key was able to decrypt the file. In order for SOPS to recover the file, at least one key has to be successful, but none were. Solution: Cloud KMS CryptoKey Encrypter/Decrypter
Failed to get the data key required to decrypt the SOPS file. Group 0: FAILED projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key: FAILED - | Error decrypting key: Post | https://cloudkms.googleapis.com/v1/projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key:decrypt?alt=json&prettyPrint=false: | oauth2: cannot fetch token: Post | https://oauth2.googleapis.com/token: net/http: TLS handshake | timeout Recovery failed because no master key was able to decrypt the file. In order for SOPS to recover the file, at least one key has to be successful, but none were. Solution: review your SOPS_GCP_KMS_IDS environment variable or --gcp-kms value
MAC mismatch. File has <signature>, computed <different signature>
Related[edit]
See also[edit]
sops --decrypt- SOPS,
sops | sops -d | sops -e | sops exec-env | sops exec-file | sops publish | sops keyservice | sops groups | sops updatekeys | sops --help - SOPS: Secrets OPerationS,
sops, GCP,ENC[AES256_GCM, sops-secrets-operator
Advertising:
