can't use mac_only_encrypted in .sops.yaml

[Simbud-7]

Hi,

a nice feature has been added : --mac-only-encrypted with cli, and it's working nice. Thanks for this !

But I can't make it work with my .sops.yaml. Here it is :

creation_rules:
  - mac_only_encrypted: true
  - path_regex: environments\/staging.*\/.*\.yaml$
    age: >-
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    encrypted_regex: "(?i)password|(?i)passwd|(?i)pwd|(?i)\\b\\w*secret\\b|(?i)\\.key$|(?i)\\.pem$|(?i)\\.cert$|(?i)\\.crt$|(?i).*token.*"

Encryption is ok, but I have no mac_only_encrypted in sops metadata section, hence changing an unencrypted value then decrypting it fails.
I've checked the structure in config/config.go and don't see what I'm doing wrong :

type creationRule struct {
	PathRegex               string `yaml:"path_regex"`
	KMS                     string
	AwsProfile              string `yaml:"aws_profile"`
	Age                     string `yaml:"age"`
	PGP                     string
	GCPKMS                  string     `yaml:"gcp_kms"`
	AzureKeyVault           string     `yaml:"azure_keyvault"`
	VaultURI                string     `yaml:"hc_vault_transit_uri"`
	KeyGroups               []keyGroup `yaml:"key_groups"`
	ShamirThreshold         int        `yaml:"shamir_threshold"`
	UnencryptedSuffix       string     `yaml:"unencrypted_suffix"`
	EncryptedSuffix         string     `yaml:"encrypted_suffix"`
	UnencryptedRegex        string     `yaml:"unencrypted_regex"`
	EncryptedRegex          string     `yaml:"encrypted_regex"`
	UnencryptedCommentRegex string     `yaml:"unencrypted_comment_regex"`
	EncryptedCommentRegex   string     `yaml:"encrypted_comment_regex"`
	MACOnlyEncrypted        bool       `yaml:"mac_only_encrypted"`
}

Thanks for any help

[felixfontein]

Are you sure that you intentionally have two creation rules, one with mac_only_encrypted: true but nothing else in it (not even keys!), and another one that contains a path regex, an age key, and encrypted_regex?

creation_rules:
  - mac_only_encrypted: true
  - path_regex: environments\/staging.*\/.*\.yaml$
    age: >-
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    encrypted_regex: "(?i)password|(?i)passwd|(?i)pwd|(?i)\\b\\w*secret\\b|(?i)\\.key$|(?i)\\.pem$|(?i)\\.cert$|(?i)\\.crt$|(?i).*token.*"

[felixfontein]

Which version of sops are you using? I tried this with 3.9.0, and it worked as expected for me.

[Simbud-7]

sops --version
sops 3.9.0 (latest)

It's working as expected using sops --mac-only-encrypted, but not with .sops.yaml
I've checked many times and can't see why it's not used with .sops.yaml

Here's what I have/do :

.sops.yaml =>

creation_rules:
  # STAGING environments
  - path_regex: environments\/staging.*\/.*\.yaml$
    mac_only_encrypted: true
    age: >-
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
    encrypted_regex: "(?i)password|(?i)passwd|(?i)pwd|(?i)\\b\\w*secret\\b|(?i)\\.key$|(?i)\\.pem$|(?i)\\.cert$|(?i)\\.crt$|(?i).*token.*"

then : sops -e -i <my_file.yaml> (whithout --mac-only-encrypted as it's set in .sops.yaml)

And here are the medata I get :

sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
XXX
XXX
XXX
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-07-01T09:40:40Z"
  mac: ENC[AES256_GCM,data:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx,type:str]
  pgp: []
  encrypted_regex: (?i)password|(?i)passwd|(?i)pwd|(?i)secret|(?i)\.key$|(?i)\.pem$|(?i)\.cert$|(?i)\.crt$|(?i).*token.*
  version: 3.9.0

I get no mac_only_ecrypted field, and changing an unencrypted value gives me a MAC error when decoding.

[Simbud-7]

The same (truncated) medata with sops -e -i --mac-only-encrypted:

  pgp: []
  encrypted_regex: (?i)password|(?i)passwd|(?i)pwd|(?i)secret|(?i)\.key$|(?i)\.pem$|(?i)\.cert$|(?i)\.crt$|(?i).*token.*
  mac_only_encrypted: true
  version: 3.9.0

[felixfontein]

I did try it with

creation_rules:
  # Everything else
  - pgp: xxx
    mac_only_encrypted: true
    encrypted_regex: "(?i)password|(?i)passwd|(?i)pwd|(?i)\\b\\w*secret\\b|(?i)\\.key$|(?i)\\.pem$|(?i)\\.cert$|(?i)\\.crt$|(?i).*token.*"

and got

hello: Welcome to SOPS! Edit this file as you please!
password: ENC[AES256_GCM,data:+4re,iv:45h2ZbBTJ2v5EnMymScJ9wTsrIg7AM3wDv6kSSEAWEQ=,tag:jbNQw3xWhZGjbNsR8HK4oQ==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2024-07-01T09:50:25Z"
    mac: ENC[AES256_GCM,data:TH+iRR3+D1wxO9bj3oK8uGZQCa7A0gIbxL4TBDbOgs2B+YXt6hyX1C4ruxSFb+ylH5wxBBm7qS6xWbaYjKJh8KFmgPoD8Nov9PRmxE75uQp6KxVd8rC4rb8vFws98oxrdWNafUs9wvEINd6Iyr1Y/8s5slokhNhXcv4kFwAF9ik=,iv:/nL5MbT2WTSoQRKViogkuHDYxFiwGa7pqgouLY538Lk=,tag:m608FiQ2o61FNaGjkG3GfQ==,type:str]
    pgp: ...
    encrypted_regex: (?i)password|(?i)passwd|(?i)pwd|(?i)\b\w*secret\b|(?i)\.key$|(?i)\.pem$|(?i)\.cert$|(?i)\.crt$|(?i).*token.*
    mac_only_encrypted: true
    version: 3.9.0

Maybe you have another creation rule in your .sops.yaml that gets chosen before the one you are showing? Or some other .sops.yaml taking precedence over the one you are showing?

[Simbud-7]

I had indeed another "section" that took the precedence before the wanted one :

creation_rules:
  - path_regex: environments\/.*\/*\.yaml$
    age: >- 

It's working now. Sorry for the noise, that was indeed a PEBKAC (I should have checked the AGE public key).

Thanks for your help and tests. Have a good day :)