getsops/sops

Get the version of the GCP KMS key required to decrypt secret file

Tiduster opened this issue · 4 comments

Hi !
We are using sops to encrypt the secrets of our GCP platform.

Recently we fixed an issue in our terraform code that was renewing the KMS key in GCP every day... (thanks GCP official module).
We found we had 350 versions of the key, and no idea which one was used to encrypt our secrets.

If we look in the file, we have the name of the key: resource_id: projects/PROJECT_NAME/locations/europe-west1/keyRings/sops/cryptoKeys/KEY_NAME but no information about the version.

If I disable all the old key versions, sops gives me the following error message:

Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
  projects/PROJECT_NAME/locations/europe-west1/keyRings/sops/cryptoKeys/KEY_NAME: FAILED
    - | Error decrypting key: googleapi: Error 400:
      | projects/PROJECT_NAME/locations/europe-west1/keyRings/sops/cryptoKeys/KEY_NAME/cryptoKeyVersions/156
      | is not enabled, current state is: DISABLED.,
      | failedPrecondition
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

We force the use of the latest key version everywhere, so we can now delete all the old ones.
But I was wondering if it's possible to easily find the "cryptoKeyVersions" that was used for a specific file?

Am I missing something?

Best regards,

Looking at the code, I'm not sure we are able to do this, since it's basically the package cloud.google.com/go/kms/apiv1 that handles all this (and potentially just hands it over to some API endpoint which takes care of it).

The error message you are quoting mentions .../cryptoKeyVersions/156, so maybe the version of the key you need is 156? I have no idea how GCP KMS identifies versions (I've never used it before), but maybe this helps :)

Hi @felixfontein, thanks a lot for answering and for looking at the code.

Yeah the error message was just there to illustrate my question. The "156" was indeed the version used to encrypt the data, and we forced a re-encryption on the latest version.

So, it's a magic Google library, duly noted.

Best regards.
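The thread settles on the only signal available: the sops file records the GCP KMS CryptoKey (the resource_id) but never the CryptoKeyVersion, and the version only surfaces in the googleapi error text once that version has been disabled. The following is an added example, not code from the sops project or from anyone in this thread. It assumes a sops-encrypted file in JSON format (so only the standard library is needed) and a constructed error string whose wording is copied from the message quoted above; it pairs each gcp_kms master key listed in the file with the version and state the error reports, so the version that actually protects the file can be re-enabled or kept before the rest are cleaned up.

```python
"""Added example: map the gcp_kms master keys recorded in a sops file to the
CryptoKeyVersion that a failed decrypt names.  Not part of sops itself."""
import json
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of a sops-encrypted JSON document.  The ENC[...] value and
# the "enc" blob are placeholders, not real ciphertext; the resource_id follows
# the shape quoted in the issue.
SAMPLE_SOPS_JSON = json.dumps({
    "db_password": "ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]",
    "sops": {
        "kms": [],
        "gcp_kms": [{
            "resource_id": "projects/PROJECT_NAME/locations/europe-west1"
                           "/keyRings/sops/cryptoKeys/KEY_NAME",
            "created_at": "2021-03-01T10:00:00Z",
            "enc": "CiQAplaceholder=",
        }],
        "age": [],
        "pgp": [],
        "version": "3.7.1",
    },
})

# Constructed: the error sops prints when the version that produced the
# ciphertext is disabled (wording taken from the message quoted in the issue).
SAMPLE_ERROR = """Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
  projects/PROJECT_NAME/locations/europe-west1/keyRings/sops/cryptoKeys/KEY_NAME: FAILED
    - | Error decrypting key: googleapi: Error 400:
      | projects/PROJECT_NAME/locations/europe-west1/keyRings/sops/cryptoKeys/KEY_NAME/cryptoKeyVersions/156
      | is not enabled, current state is: DISABLED.,
      | failedPrecondition
"""

# GCP resource-name segments are [A-Za-z0-9_-]; this also stops the key name
# from swallowing the trailing ": FAILED" on the per-key status line.
KEY_RE = re.compile(
    r"projects/(?P<project>[A-Za-z0-9_-]+)/locations/(?P<location>[A-Za-z0-9_-]+)"
    r"/keyRings/(?P<keyring>[A-Za-z0-9_-]+)/cryptoKeys/(?P<key>[A-Za-z0-9_-]+)"
)
# A key path followed by a version, optionally followed by the state phrase
# (the "| " line prefix sops adds is tolerated).
VERSION_RE = re.compile(
    KEY_RE.pattern
    + r"/cryptoKeyVersions/(?P<version>\d+)"
    + r"(?:\s*\|?\s*is not enabled, current state is: (?P<state>[A-Z_]+))?"
)


class VersionReport(NamedTuple):
    resource_id: str          # CryptoKey exactly as sops stores it (no version)
    version: Optional[int]    # CryptoKeyVersion named by the error, if any
    state: Optional[str]      # version state the error reported, if any


def gcp_kms_keys(sops_document: str) -> List[str]:
    """CryptoKeys listed under sops.gcp_kms.  sops records no version here."""
    doc = json.loads(sops_document)
    return [e["resource_id"] for e in doc.get("sops", {}).get("gcp_kms", [])]


def versions_from_error(error_text: str) -> Dict[str, VersionReport]:
    """CryptoKey -> (version, state) for every versioned path in the error."""
    reports: Dict[str, VersionReport] = {}
    for m in VERSION_RE.finditer(error_text):
        resource_id = ("projects/{project}/locations/{location}"
                       "/keyRings/{keyring}/cryptoKeys/{key}").format(**m.groupdict())
        reports[resource_id] = VersionReport(resource_id, int(m.group("version")),
                                             m.group("state"))
    return reports


def report_for_file(sops_document: str, error_text: str) -> List[VersionReport]:
    """One entry per gcp_kms master key in the file.  version/state stay None
    for keys the error did not name, e.g. because their version is still
    enabled and the decrypt simply succeeded for that key."""
    from_error = versions_from_error(error_text)
    return [from_error.get(rid, VersionReport(rid, None, None))
            for rid in gcp_kms_keys(sops_document)]


if __name__ == "__main__":
    for r in report_for_file(SAMPLE_SOPS_JSON, SAMPLE_ERROR):
        print(f"{r.resource_id}\n  version={r.version} state={r.state}")
```

In practice the error text comes from running `sops -d` against the file after disabling the suspect versions, and the report tells you which version to re-enable (or which one must stay enabled until the file is re-encrypted with the primary). A successful decrypt gives no such output, which is why the thread had to provoke the failure to learn the version.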

> /europe-west1/keyRings/sops/cryptoKeys/KEY_NAME but no information about the version.
>
> If I disable all the old keys, sops gives me the following error message:

How did you do this?
Thank you

@pierinho13 : sorry, how did I do what?
Disable all the old keys?

By hand, in the console, unfortunately.