How to fix Failed to get the data key required to decrypt the SOPS file?



Here in this article, I have documented the steps which are needed for fixing the issue Failed to get the data key required to decrypt the SOPS file. Group 0 FAILED

Here are the instances where I faced this issue -

  1. How to fix when you are working with Helm Chart Secretes
  2. How to fix when you are working on Google cloud

1. How to fix when you are working with Helm Chart Secretes?

I had this issue when I was trying to view the secrets.yaml while I was working with the helm chart.

So here is the helm secrets command which I was trying to use -

1helm secrets view secrets.yaml

As soon as I executed the above command I got the following issue -

1Failed to get the data key required to decrypt the SOPS file. Group 0: FAILED 3BD000C742FD2AAA8A01F5396499CA072F1FF390: FAILED - | could not decrypt data key with PGP key: | golang.org/x/crypto/openpgp error: Could not load securing: | open /home/vagrant/.gnupg/secring.gpg: no such file or | directory; GPG binary error: exit status 2 Recovery failed because no master key was able to decrypt the file. In order for SOPS to recover the file, at least one key has to be successful, but none were. Error: plugin "secrets" exited with error

There are a couple of ways to fix this issue -

1.1 Export the GPG_TTY variable

To fix this issue you need to add the following environment variables.

Run the following command -

1GPG_TTY=$(tty)

Export the GPG_TTY variable -

1export GPG_TTY

1.2 Add GPG_TTY variable to your .bashrc

Adding to .bashrc seems to be a permanent solution to this problem because environment variables are a little fragile and you might mess up the GPG_TTY with other environment variables and which will be very difficult for you to debug and fix.

To make a permanent fix for this problem simply add or append the following lines to .bashrc

1GPG_TTY=$(tty)
2export GPG_TTY

Why we need to export GPG_TTY=$(tty)?

The reason is gpg-agent is a daemon process that is used for managing the secret keys.

gpg-agent works as the backend for gpg and gpgsm. So suppose you have generated a key using gpg --gen-key and you are going to use those keys in your application(Kubernetes, helm chart, Linux bash script …etc), so eventually you will be needing gpg-agent for handling the keys and that is the reason why you need to tell gpg about the name of the terminal connected to standard input


2. How to fix it when you are working on Google cloud?

I had a Helm chart installed on one of my Virtual Machine running on Google Cloud. For handling the secrets I was using the helm chart secret plugin along with gpg.

But when tried running helm secrets enc secrets.yml I was thrown with the following exception -

1Could not generate data key: [failed to encrypt new data key with master key "projects/myproject-223421/locations/global/keyRings/myKeyRing/cryptoKeys/myKey": Failed to call GCP KMS encryption service: googleapi: Error 403: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/myproject-223421/locations/global/keyRings/myKeyRing/cryptoKeys/myKey' (or it may not exist)., forbidden

Here is my sops.yaml configuration file

1creation_rules:
2- gcp_kms: projects/rwagh-223421/locations/global/keyRings/lotr/cryptoKeys/cdlkey

How i fixed it?

For fixing the issue I have to use the service account instead of application-default

1gcloud auth login  

Before this, I was using the following for authentication -

1gcloud auth application-default login

Read More -

  1. Helm chart - How to Add/Install plugins
  2. Getting started with Helm Chart
  3. Helm chart - WordPress Installation with MariaDB on Kubernetes
  4. Helm chart - Build you first helm chart with Spring Boot
  5. Helm Chart - Convert Kubernetes YAML into Helm Chart YAML
  6. Helm Chart - Pass environment variables
  7. Helm Chart - Plugin
  8. Helm Chart - Dry Run Install
  9. Helm Chart - How to create multiple values files inside helm chart?