Bug: upgrade to v3.10.* causes "could not create encrypted SSH identity: RSA key size is too small" error

[Ranger-X]

I've upgraded sops binary from v3.8.1 to v3.10.2. Without changing any encrypted file, my decrypt attempts started failing due to this one error:

$ SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/my-prod-keys.txt" sops -d my-prod-shared-secrets.yaml

Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  age1gzjg67ckfw0gqa8y60dq9uxcmr2hgjwlzpu55wyu9qjuq4h54yyqw3jf7t: FAILED
    - | failed to load age identities: failed to get SSH identity:
      | could not create encrypted SSH identity: RSA key size is too
      | small

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

After some investigating, I realized that the error was due to my very old SSH-RSA key. But files encrypted using age-keys, not SSH.

It seems that this behavior is caused by this PR, which try to parse SSH key even it is NOT NEEDED for encryption/decryption.

As a workaround I suggest something like:

SOPS_AGE_SSH_PRIVATE_KEY_FILE="$HOME/.ssh/my_ed25519" SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/my-prod-keys.txt" sops -d my-prod-shared-secrets.yaml

Or just create new ~/.ssh/id_ed25519 SSH key (ssh-keygen -t ed25519 -C "your_email@example.com") and you can omit SOPS_AGE_SSH_PRIVATE_KEY_FILE in command above.

[felixfontein]

SSH keys can be used for AGE (which is what 3.10 now supports).

[Ranger-X]

Yes, I know it and it's a great feature! 😃 But in my opinion SSH key should NOT try to be parsed each time when AGE encryption/decryption event occurs, because the file may be encrypted with a non-SSH AGE key (as in my case).

And that's why I didn't expect that in addition to SOPS_AGE_KEY_FILE now I also need to provide SOPS_AGE_SSH_PRIVATE_KEY_FILE (with valid key: non-RSA or RSA with keysize 4096+) even if SSH key is not used for my encrypted file 😇

[felixfontein]

It loads (and has to load) all keys that can be used for age, which includes the SSH key. If there isn't an SSH key it should ignore it.

Whether it should fail completely if it cannot parse all potential keys, that's a different question...

[provos]

This is a very odd user experience though:

$ age-keygen -o ~/.config/sops/age/keys.txt
Public key: age12ky56grvnjx4teeud7jnt6h5ehsa4xcav43hd8exuyks9zveuaksfkj9wp
$ sops --encrypt --in-place secrets/development.container.env
$ sops secrets/development.container.env
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
age12ky56grvnjx4teeud7jnt6h5ehsa4xcav43hd8exuyks9zveuaksfkj9wp: FAILED
- | failed to load age identities: failed to get SSH identity:
| could not create encrypted SSH identity: RSA key size is too
| small

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

[provos]

To make sops work, I have to move the .ssh directory

$ mv ~/.ssh ~/.ssh.bak

After that, it's happy again.

PS: There is a 20 year old SSH key in there - that's causing the issue

[hahatulk]

this also happens if you name your key wrong, etc naming ECDSA key id_rsa instead of id_ecdsa. It tries to parse ecdsa as rsa and crashes

[strauss115]

To make sops work, I have to move the .ssh directory

$ mv ~/.ssh ~/.ssh.bak

After that, it's happy again.

PS: There is a 20 year old SSH key in there - that's causing the issue

Thanks for the hint. That resolved my issue as well. sops failed to load a not needed encrypted key in the .ssh folder and did not try to load the key which I provided via environment variable afterwards. I.e. decryption always failed.

[felixfontein]

I created a PR to fix this: #1898.