I was able to edit the file the first time when it didn't need to be decrypted before, but now I can't because sops doesn't look for the ssh host key.
The one secret I've set is rolled out fine at startup or rebuild, but I get this error when trying to edit my secrets.
- | failed to load age identities. Did not find keys in
| locations 'SOPS_AGE_SSH_PRIVATE_KEY_FILE',
| 'SOPS_AGE_SSH_PRIVATE_KEY_CMD', '/root/.ssh/id_ed25519',
| '/root/.ssh/id_rsa', 'SOPS_AGE_KEY', 'SOPS_AGE_KEY_FILE',
| 'SOPS_AGE_KEY_CMD', and '/root/.config/sops/age/keys.txt'.
It should also look at /etc/ssh/ssh_host_ed25519_key .
I could set "SOPS_AGE_SSH_PRIVATE_KEY_FILE" but I'd like to avoid that.
Add the pubkey of a user SSH key to the yaml so it can be keyed against multiple keys. You can do your user if you don't want to have to use sudo to modify secrets.
You fundamentally need a key intended for editing the sops secrets. Your client’s ssh key can be used with key forwarding, I believe.
That said, the intent is to develop your server’s configuration on another host, where you have access to a key with permissions to encrypt/decrypt those secrets, and to push the resulting sops file to the server, which can decrypt it later.
You can use the --target-host flag, or a tool like deploy-rs, to push your configuration to a remote server.
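An added example (not code from this thread or from sops-nix) of what the two replies above describe: a `.sops.yaml` that encrypts `secrets.yaml` to two age recipients, one converted from the server's SSH host key and one from an admin user's SSH key, so the server can decrypt at activation and the user can edit without `sudo`. The recipient strings shown in the demo are constructed placeholders; real ones come out of `ssh-to-age`, and the `rekey_secrets` helper name is mine.

```shell
#!/bin/sh
# Added example: build a .sops.yaml with two age recipients and re-key an
# existing secrets file so both can open it.
set -e

# Convert an SSH ed25519 public key to an age recipient using ssh-to-age
# (the converter sops-nix uses). $1 is the path to the .pub file.
age_recipient_from_ssh_pubkey() {
  ssh-to-age < "$1"
}

# Emit the .sops.yaml text. $1 = server recipient, $2 = user recipient.
# Both keys are in one key_group, so either identity alone can decrypt.
make_sops_yaml() {
  cat <<EOF
keys:
  - &server_host $1
  - &admin_user $2
creation_rules:
  - path_regex: secrets\.yaml\$
    key_groups:
      - age:
          - *server_host
          - *admin_user
EOF
}

# After a recipient is added to .sops.yaml, re-wrap the data key of an
# already-encrypted file for the new recipient set; the secret values are
# not re-entered. $1 = path to the sops file.
rekey_secrets() {
  sops updatekeys --yes "$1"
}

# Demo with constructed placeholder recipients. On a real host the two
# arguments would be:
#   age_recipient_from_ssh_pubkey /etc/ssh/ssh_host_ed25519_key.pub
#   age_recipient_from_ssh_pubkey "$HOME/.ssh/id_ed25519.pub"
if [ "${1:-}" = "demo" ]; then
  make_sops_yaml age1SERVERPLACEHOLDER age1USERPLACEHOLDER
fi
```

With the user's own key listed as a recipient, `sops secrets.yaml` run as that user finds `~/.ssh/id_ed25519` through the default search path shown in the error above, so neither `sudo -E` nor `SOPS_AGE_SSH_PRIVATE_KEY_FILE` is needed for editing; the host key only ever has to be readable by the activation step on the server.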
Well, I went with the approach to set SOPS_AGE_KEY_FILE in my HM config and edit with "sudo -E sops secrets.yaml".
My current workflow works around local rebuilds on the servers.