Sops-nix - "failed to decrypt" system secrets

Hi all,

I’m trying to set up sops-nix on my Raspberry Pi running NixOS. I’m very much new to both NixOS and sops, so it’s probably/hopefully a small beginner’s mistake.

What I’m trying to do: encrypt both my system and home secrets using Sops. I’m working on the Raspberry Pi itself, so I’m not deploying anything or whatever - I think some of my confusion is due to not being able to distil down from the more advanced use cases that sops-nix supports.

To do so, I’ve created a personal key using

age-keygen -o ~/.config/sops/age/keys.txt

On the Pi, I’ve got openssh enabled, so I got the public key of the machine using

nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'

I then added both public keys to my /etc/nixos/sops.yaml as such:

keys:
  - &admin_vincent age19mgxvfy3shd8ez7rxfd3ah5r04y5ytkcmz7u73gl5cf3e49mvs4qfrn2ye
  - &host_pi age1yyld38lsy9hj6z98r92w5gaph57f8ky2uc0m979tvk4u87hvlgkqsehlfy
creation_rules:
  - path_regex: secrets/machine/[^/]+\.(yaml|json|env|ini|sops)$
    key_groups:
      - age:
        - *admin_vincent
        - *host_pi
  - path_regex: secrets/vincent/[^/]+\.(yaml|json|env|ini|sops)$
    key_groups:
      - age:
        - *admin_vincent

In other words, I have a file secrets/vincent/default.yaml that contains secrets for my home directory (e.g. my Git email address), and secrets/machine/default.yaml that contains machine-wide secrets (e.g. my WiFi code).

The former seems to work, but for the latter, I’m getting the following error when I run nixos-rebuild switch:

sops-install-secrets: Imported /etc/ssh/ssh_host_rsa_key as GPG key with fingerprint fec363215a46379e55a347206f86e5d49834a5b7
sops-install-secrets: Imported /etc/ssh/ssh_host_ed25519_key as age key with fingerprint age1yyld38lsy9hj6z98r92w5gaph57f8ky2uc0m979tvk4u87hvlgkqsehlfy
/nix/store/yh54f73i8g6f9ybijgas2c0h37621xam-sops-install-secrets-0.0.1/bin/sops-install-secrets: failed to decrypt '/nix/store/0azjb46j5zjj1zrvcajmbysfwvmw7m5w-default.yaml': Error getting data key: 0 successful groups required, got 0
Activation script snippet 'setupSecrets' failed (1)
Failed to run activate script

The sops config looks like this:

  sops = {
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    defaultSopsFile = ../secrets/machine/default.yaml;

    secrets."wifi_password" = { };
  };

What did I forget? Does what I’m doing even make sense?

This is because the system key is used for both the decryption of the system secrets as well as the hm secrets.

Hmm OK, thanks. So how do I fix that? Should I add *host_pi to the second key_group as well?

Either that, or you change the regex so that it fits both files. Or you use just one secrets file for both cases (that’s how I do it).

2 Likes

Hmm, I tried both options now, but unfortunately, they still result in the same error message :cry:

sops-install-secrets: Imported /etc/ssh/ssh_host_rsa_key as GPG key with fingerprint fec363215a46379e55a347206f86e5d49834a5b7
sops-install-secrets: Imported /etc/ssh/ssh_host_ed25519_key as age key with fingerprint age1yyld38lsy9hj6z98r92w5gaph57f8ky2uc0m979tvk4u87hvlgkqsehlfy
/nix/store/yh54f73i8g6f9ybijgas2c0h37621xam-sops-install-secrets-0.0.1/bin/sops-install-secrets: failed to decrypt '/nix/store/46nqs02gf45xlg9k6v76q20hrdbz6ypv-default.yaml': Error getting data key: 0 successful groups required, got 0
Activation script snippet 'setupSecrets' failed (1)
Failed to run activate script

After changing the rules, did you reencrypt your secrets to get the new recipients added? IIRC you use sops updatekeys for this.

If after that it still doesn’t work, do you mind sharing the current .sops.yaml again?

1 Like

I think that was it! After looking directly into my secrets/default.yaml, I saw that under sops.age indeed only one recipient was listed. So I removed the previous secrets file and just created it again (sops updatekeys would probably have been easier, but I did that before I read your post), this time with a correct .sops.yaml, and now it finishes without errors! Thanks for your help, you both :slight_smile:

1 Like
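The root cause in this thread is a mismatch between the recipients a .sops.yaml rule names and the recipients actually recorded in the encrypted file's `sops.age` metadata: editing the rules does not re-encrypt existing files, so the host key sops-nix uses on activation was never a recipient. The script below is an added example (not part of sops or sops-nix) that makes that check explicit without decrypting anything. It transcribes the thread's two creation rules into Python so no YAML library is needed, assumes a single key group per rule (no shamir_threshold, so sops writes the flat `sops.age` list), and uses a constructed JSON secrets file whose ENC[...] and age `enc` blobs are placeholders rather than real ciphertext. The recipient strings are the two public keys from the thread.

```python
"""Compare the recipients a .sops.yaml rule expects with the recipients a
sops-encrypted file actually carries, and report whether the host's age key
can decrypt it. Added example for this thread; not sops or sops-nix code."""
import json
import re

# Public age recipients from the thread's .sops.yaml.
ADMIN_VINCENT = "age19mgxvfy3shd8ez7rxfd3ah5r04y5ytkcmz7u73gl5cf3e49mvs4qfrn2ye"
HOST_PI = "age1yyld38lsy9hj6z98r92w5gaph57f8ky2uc0m979tvk4u87hvlgkqsehlfy"

# The thread's creation_rules, transcribed to Python. Assumption: each rule has
# exactly one key group and no shamir_threshold, so any listed key may decrypt.
CREATION_RULES = [
    {"path_regex": r"secrets/machine/[^/]+\.(yaml|json|env|ini|sops)$",
     "age": [ADMIN_VINCENT, HOST_PI]},
    {"path_regex": r"secrets/vincent/[^/]+\.(yaml|json|env|ini|sops)$",
     "age": [ADMIN_VINCENT]},
]


def expected_recipients(path, rules=CREATION_RULES):
    """Recipients the first matching rule would encrypt to. sops applies the
    first creation rule whose path_regex matches (unanchored search), with the
    path taken relative to the .sops.yaml location. None if nothing matches."""
    for rule in rules:
        if re.search(rule["path_regex"], path):
            return set(rule["age"])
    return None


def actual_recipients(doc):
    """Recipients recorded in the encrypted file's sops.age metadata block."""
    return {entry["recipient"] for entry in doc.get("sops", {}).get("age", [])}


def diagnose(path, doc, host_key, rules=CREATION_RULES):
    """Report drift between rule and file, and whether host_key can decrypt.
    A non-empty 'missing' list is the signal that `sops updatekeys` (or a
    fresh encryption) is needed; 'host_can_decrypt' is what sops-nix's
    activation step actually depends on, since it only holds the host key."""
    expected = expected_recipients(path, rules)
    actual = actual_recipients(doc)
    return {
        "rule_found": expected is not None,
        "missing": sorted((expected or set()) - actual),   # in rule, not in file
        "stale": expected is not None and expected != actual,
        "host_can_decrypt": host_key in actual,
    }


# Constructed sample: secrets/machine/default.json as it would look if it had
# been encrypted while the rule listed only the admin key. Values are placeholders.
MACHINE_SECRETS_STALE = json.loads("""
{
  "wifi_password": "ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]",
  "sops": {
    "age": [
      {"recipient": "%s",
       "enc": "-----BEGIN AGE ENCRYPTED FILE-----\\nPLACEHOLDER\\n-----END AGE ENCRYPTED FILE-----\\n"}
    ],
    "mac": "ENC[AES256_GCM,data:PLACEHOLDER,type:str]"
  }
}
""" % ADMIN_VINCENT)

# Constructed sample: the same file after the data key was re-encrypted to both
# recipients, which is the metadata shape `sops updatekeys` produces.
MACHINE_SECRETS_UPDATED = json.loads(json.dumps(MACHINE_SECRETS_STALE))
MACHINE_SECRETS_UPDATED["sops"]["age"].append(
    {"recipient": HOST_PI,
     "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nPLACEHOLDER\n-----END AGE ENCRYPTED FILE-----\n"})


if __name__ == "__main__":
    path = "secrets/machine/default.json"
    for label, doc in (("before updatekeys", MACHINE_SECRETS_STALE),
                       ("after updatekeys", MACHINE_SECRETS_UPDATED)):
        print(label, diagnose(path, doc, HOST_PI))
```

On a real checkout the `doc` would come from `json.load()` on the encrypted file (or a YAML loader for `.yaml` secrets), and `host_key` from `ssh-to-age` on the host's public key as shown earlier in the thread. If `missing` is non-empty the fix is `sops updatekeys <file>` from a machine that holds one of the current recipients' private keys; nothing in the NixOS config can make the host decrypt a file it was never a recipient of.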