Difference between revisions of "Sops --decrypt"

From wikieduonline
 
(9 intermediate revisions by the same user not shown)
Line 5: Line 5:
 
  [[sops]] --decrypt /path/to/your/file/to/decrypt.yaml
 
  [[sops]] --decrypt /path/to/your/file/to/decrypt.yaml
 
  [[sops --decrypt --in-place]] /path/to/your/file/to/decrypt.yaml
 
  [[sops --decrypt --in-place]] /path/to/your/file/to/decrypt.yaml
 
+
[[sops --encrypt --gcp-kms]] --in-place
  
 
  sops --decrypt  contrib/helm/your-projects/secrets_prod.yaml  
 
  sops --decrypt  contrib/helm/your-projects/secrets_prod.yaml  
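Review bot: the added "sops --encrypt --gcp-kms --in-place" line gives --gcp-kms no key resource ID and names no file, unlike the decrypt lines around it, so it cannot be run as written. Add placeholders for both, and say why an encrypt command belongs on the --decrypt page.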
Line 26: Line 26:
 
  Group 0: FAILED
 
  Group 0: FAILED
 
   projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key: FAILED
 
   projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key: FAILED
     - | Error decrypting key: googleapi: Error 403: Permission
+
     - | Error decrypting key: [[googleapi: Error 403: Permission]]
 
       | 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource
 
       | 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource
 
       | 'projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key'
 
       | 'projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key'
Line 36: Line 36:
  
  
  MAC mismatch. File has <signature>, computed <different signature>
+
  Failed to get the [[data key]] required to decrypt the SOPS file.
 +
Group 0: FAILED
 +
  projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key: FAILED
 +
    - | Error decrypting key: Post
 +
      | https://cloudkms.googleapis.com/v1/projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key:decrypt?alt=json&prettyPrint=false:
 +
      | [[oauth2: cannot fetch token: Post]]
 +
      | https://oauth2.googleapis.com/token: [[net/http: TLS handshake]]
 +
      | timeout
 +
Recovery failed because [[no master key was able to decrypt the file]]. In
 +
order for SOPS to recover the file, at least one key has to be successful,
 +
but none were.
 +
 +
Solution: review your [[SOPS_GCP_KMS_IDS]] environment variable or [[--gcp-kms]] value
 +
 
  
  
 +
[[MAC mismatch]]. File has <signature>, computed <different signature>
  
 
== Related ==
 
== Related ==
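Review bot: the "Solution" line that closes the added error block points at SOPS_GCP_KMS_IDS and --gcp-kms, but the quoted failure is "oauth2: cannot fetch token" ending in "TLS handshake timeout" against https://oauth2.googleapis.com/token, which is a timeout while fetching the token rather than a rejected key ID. Say how the key setting relates to this error, or add a connectivity check as the first step.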
Line 45: Line 59:
 
* [[GCP KMS]]
 
* [[GCP KMS]]
 
* [[Decrypt]]
 
* [[Decrypt]]
 +
* <code>[[SOPS_GCP_KMS_IDS]]</code> [[environment variable]]
  
 
== See also ==
 
== See also ==
 +
* {{sops --decrypt}}
 
* {{sops}}
 
* {{sops}}
 
* {{SOPS}}
 
* {{SOPS}}
  
 
[[Category:Secrets]]
 
[[Category:Secrets]]

Latest revision as of 09:10, 24 November 2022

--decrypt, -d 
sops --decrypt /path/to/your/file/to/decrypt.yaml
sops --decrypt --in-place /path/to/your/file/to/decrypt.yaml
sops --encrypt --gcp-kms --in-place
sops --decrypt  contrib/helm/your-projects/secrets_prod.yaml 
(no output)
The file will be decrypted and replaced.


To edit the file directly in your text editor:

sops contrib/helm/your-projects/secrets_prod.yaml 
--ignore-mac



Errors

sops -d contrib/helm/your-aplication/secrets_prod.yaml > /tmp/decrypted_secrets_prod.yaml
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key: FAILED
    - | Error decrypting key: googleapi: Error 403: Permission
      | 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource
      | 'projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key'
      | (or it may not exist)., forbidden

Recovery failed because no master key was able to decrypt the file. In order for SOPS to recover the file, at least one key has to be successful, but none were.

Solution: grant the identity running sops the Cloud KMS CryptoKey Encrypter/Decrypter role on the key.


Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
  projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key: FAILED
    - | Error decrypting key: Post
      | https://cloudkms.googleapis.com/v1/projects/your-project/locations/global/keyRings/sops/cryptoKeys/sops-encryption-key:decrypt?alt=json&prettyPrint=false:
      | oauth2: cannot fetch token: Post
      | https://oauth2.googleapis.com/token: net/http: TLS handshake
      | timeout
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

Solution: review your SOPS_GCP_KMS_IDS environment variable or --gcp-kms value


MAC mismatch. File has <signature>, computed <different signature>
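
The failures listed above can be told apart from the text sops writes to stderr. The following is an added example, not part of the original page or of SOPS: the function names and class labels are hypothetical, and it writes the plaintext to a private mktemp file instead of a fixed path under /tmp.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# Map sops stderr text to one of the failure classes shown under Errors.
# Specific patterns come first: every KMS failure also contains the generic
# "Failed to get the data key" line.
classify_sops_error() {
    case $1 in
        *"Error 403"*"cloudkms.cryptoKeyVersions.useToDecrypt"*)
            echo "kms-permission-denied" ;;
        *"oauth2: cannot fetch token"*|*"TLS handshake"*"timeout"*)
            echo "kms-unreachable" ;;
        *"MAC mismatch"*)
            echo "mac-mismatch" ;;
        *"Failed to get the data key"*)
            echo "no-master-key" ;;
        *)
            echo "unknown" ;;
    esac
}

# Decrypt into a file created by mktemp (owner-only, unpredictable name).
# Prints the path on success; on failure deletes the partial output and
# reports the failure class on stderr.
decrypt_to_private_file() {
    src=$1
    out=$(mktemp) || return 2
    errlog=$(mktemp) || { rm -f "$out"; return 2; }
    if sops --decrypt "$src" >"$out" 2>"$errlog"; then
        rm -f "$errlog"
        printf '%s\n' "$out"
        return 0
    fi
    class=$(classify_sops_error "$(cat "$errlog")")
    rm -f "$out" "$errlog"
    printf 'sops decrypt failed: %s\n' "$class" >&2
    return 1
}
```

Delete the returned file as soon as its consumer has read it.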
