Bug: upgrade to v3.10.* causes "could not create encrypted SSH identity: RSA key size is too small" error #1843

Ranger-X opened this issue Apr 16, 2025 · 3 comments

Comments

@Ranger-X

I've upgraded the sops binary from v3.8.1 to v3.10.2. Without changing any encrypted file, my decrypt attempts started failing with this one error:

$ SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/my-prod-keys.txt" sops -d my-prod-shared-secrets.yaml

Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  age1gzjg67ckfw0gqa8y60dq9uxcmr2hgjwlzpu55wyu9qjuq4h54yyqw3jf7t: FAILED
    - | failed to load age identities: failed to get SSH identity:
      | could not create encrypted SSH identity: RSA key size is too
      | small

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

After some investigating, I realized that the error was due to my very old SSH RSA key. But my files are encrypted using age keys, not SSH.

It seems that this behavior is caused by this PR, which tries to parse the SSH key even when it is NOT NEEDED for encryption/decryption.

As a workaround I suggest something like:

SOPS_AGE_SSH_PRIVATE_KEY_FILE="$HOME/.ssh/my_ed25519" SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/my-prod-keys.txt" sops -d my-prod-shared-secrets.yaml

Or just create a new ~/.ssh/id_ed25519 SSH key (ssh-keygen -t ed25519 -C "[email protected]"), and then you can omit SOPS_AGE_SSH_PRIVATE_KEY_FILE from the command above.
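The error in this report comes from the size of the RSA modulus in the default SSH key that sops 3.10 picks up as an age identity. The following preflight check is an added example, not code from the issue or from the sops project: it parses an OpenSSH public-key line (the `id_*.pub` format, which carries the same modulus as the private key) with the standard library only and reports whether an RSA key would be flagged as too small before sops is run. The 4096-bit default threshold is an assumption taken from the key size reported as working in this thread, not a value read from sops or age source code; the path `~/.ssh/id_rsa.pub` and the sample keys are constructed for the example (the samples are structurally valid but are not real keys).

```python
"""Preflight check for the default SSH key that sops 3.10 loads as an age identity.

Added example, not code from the sops project or from the issue. It parses the
OpenSSH public-key line format (base64 of the RFC 4253 wire encoding) with the
standard library only and reports the RSA modulus size, so an undersized RSA key
can be spotted before it triggers "RSA key size is too small". The sample keys
below are constructed synthetically (not real keys) so the script runs offline.
"""
import base64
import os
import struct

# Assumption: the issue thread reports RSA keys of 4096+ bits as working; this
# default is taken from that remark, not from sops or age source code.
DEFAULT_MIN_RSA_BITS = 4096


def _ssh_string(data: bytes) -> bytes:
    """Encode a length-prefixed SSH string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading zero byte if high bit set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Decode one SSH string at offset; return (bytes, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_public_key_line(line: str) -> dict:
    """Parse an authorized_keys / id_*.pub line into {"type": str, "bits": int | None}.

    "bits" is the RSA modulus bit length for ssh-rsa keys and None for other types.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    alg, offset = _read_string(blob, 0)
    if alg.decode() != key_type:
        raise ValueError(f"type prefix {key_type!r} does not match blob {alg!r}")
    if alg == b"ssh-rsa":
        _e, offset = _read_string(blob, offset)   # public exponent (not needed here)
        n_bytes, _ = _read_string(blob, offset)   # modulus
        modulus = int.from_bytes(n_bytes, "big")
        return {"type": "ssh-rsa", "bits": modulus.bit_length()}
    return {"type": alg.decode(), "bits": None}


def check_age_ssh_identity(line: str, min_rsa_bits: int = DEFAULT_MIN_RSA_BITS):
    """Return (ok, reason). Non-RSA keys pass; RSA keys must meet min_rsa_bits."""
    info = parse_public_key_line(line)
    if info["type"] != "ssh-rsa":
        return True, f'{info["type"]} key is not subject to the RSA size check'
    if info["bits"] < min_rsa_bits:
        return False, f'RSA modulus is {info["bits"]} bits, below {min_rsa_bits}'
    return True, f'RSA modulus is {info["bits"]} bits'


def synthetic_rsa_key_line(bits: int) -> str:
    """Build a structurally valid ssh-rsa line whose modulus has the given bit length.

    Constructed for testing only: the modulus is not a real RSA key.
    """
    modulus = (1 << (bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"


def synthetic_ed25519_key_line() -> str:
    """Build a structurally valid ssh-ed25519 line (32 placeholder key bytes)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    # Check the constructed samples first, then ~/.ssh/id_rsa.pub if it exists
    # (assumed default location; adjust for your setup).
    samples = {"rsa-2048": synthetic_rsa_key_line(2048),
               "rsa-4096": synthetic_rsa_key_line(4096),
               "ed25519": synthetic_ed25519_key_line()}
    pub_path = os.path.expanduser("~/.ssh/id_rsa.pub")
    if os.path.exists(pub_path):
        with open(pub_path) as fh:
            samples[pub_path] = fh.readline()
    for name, line in samples.items():
        ok, reason = check_age_ssh_identity(line)
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

A FAIL result for the key at the default path is the signal that sops 3.10 will refuse to load it as an age identity even when the file was encrypted to a plain age recipient; pointing SOPS_AGE_SSH_PRIVATE_KEY_FILE at an ed25519 key, as in the workaround above, sidesteps the size check entirely because only ssh-rsa keys are subject to it.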

@felixfontein
Contributor

SSH keys can be used for AGE (which is what 3.10 now supports).

@Ranger-X
Author

Ranger-X commented Apr 17, 2025

Yes, I know, and it's a great feature! 😃 But in my opinion the SSH key should NOT be parsed every time an AGE encryption/decryption event occurs, because the file may be encrypted with a non-SSH AGE key (as in my case).

And that's why I didn't expect that, in addition to SOPS_AGE_KEY_FILE, I now also need to provide SOPS_AGE_SSH_PRIVATE_KEY_FILE (with a valid key: non-RSA, or RSA with a key size of 4096+) even if an SSH key is not used for my encrypted file 😇

@felixfontein
Contributor

It loads (and has to load) all keys that can be used for age, which includes the SSH key. If there isn't an SSH key, it should ignore it.

Whether it should fail completely if it cannot parse all potential keys, that's a different question...
