bootstrap new device with encryption, diff/dry-run fails. #4155
Comments
As you identify, if you do not install your private key then chezmoi cannot decrypt encrypted files and you get the above error. You could use a |
But I guess the problem is that when you are initializing a new node, it doesn't have any configuration for chezmoi until its first successful apply, no? So I assume that even if you have this hook added in your dotfiles repo, it won't exist locally until you have a successful apply. |
I can try this type of hook and report back later |
Not really. If you want to keep the secrets in your dotfiles repo safe, then there has to be something else (some kind of private key or password manager config) that you install separately from your dotfiles repo. If you didn't do this, then whoever has access to your dotfiles repo would also have access to all your secrets. |
There is a very long passphrase to decrypt the age secret file, as per the guide I linked above. But in my current setup chezmoi only puts the config file on how to decrypt in place when I run My will with this ticket was mostly to not have chezmoi hard fail when it can't decrypt a file, just print a warning and continue diffing the rest of the files. |
For this you can use the |
After reading the error message above I see that chezmoi+age tries to access |
Describe the bug
When initializing a new device with encryption/age enabled and automatic decryption, you can't run
chezmoi apply --dry-run --verbose
or
chezmoi diff
It will fail at the first encrypted file.
It will try to diff a file that is encrypted, but first it needs the age key file, which is not created until you hit apply.
So if you want to see the changed files on your system before you hit apply, it's impossible.
To reproduce
Follow the guide https://www.chezmoi.io/user-guide/frequently-asked-questions/encryption/#how-do-i-configure-chezmoi-to-encrypt-files-but-only-request-a-passphrase-the-first-time-chezmoi-init-is-run.
Add an encrypted file, push to your git.
Bootstrap a new device.
chezmoi init myusername
chezmoi diff # <- fails here
Expected behavior
If it can't decrypt the files for the initial diff, it should just say something like "known after apply", not hard fail. Because now I can't see the rest of the files that are being diffed.
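One way to get the behaviour the report asks for today, as an added example (not code from the issue or from the chezmoi project): a small wrapper that checks whether the age identity file exists before diffing and, if it does not, warns and diffs everything except encrypted entries. It assumes the identity path used in the linked FAQ (`~/.config/chezmoi/key.txt`) and chezmoi's `--exclude` entry-type filter with the `encrypted` type.

```shell
#!/bin/sh
# Added example, not part of the issue or of chezmoi itself.
# Assumed identity location (as in the linked FAQ): ~/.config/chezmoi/key.txt

# Print the extra argument for `chezmoi diff`:
#   identity readable -> empty string, encrypted files are diffed normally
#   identity missing  -> "--exclude=encrypted", so the rest of the diff still shows
chezmoi_diff_args() {
    identity="${1:-$HOME/.config/chezmoi/key.txt}"
    if [ -r "$identity" ]; then
        printf '%s' ''
    else
        printf '%s' '--exclude=encrypted'
    fi
}

# Run the diff, warning about skipped encrypted files instead of hard failing.
safe_chezmoi_diff() {
    identity="${1:-$HOME/.config/chezmoi/key.txt}"
    extra=$(chezmoi_diff_args "$identity")
    if [ -n "$extra" ]; then
        echo "warning: $identity not found; encrypted files are only known after apply" >&2
    fi
    # $extra is intentionally unquoted: it is either empty or a single flag.
    # shellcheck disable=SC2086
    chezmoi diff $extra "$@"
}
```

Call `safe_chezmoi_diff` in place of `chezmoi diff` on a freshly bootstrapped machine; once the key file has been put in place by the first apply, it behaves exactly like a plain `chezmoi diff`.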
Output of command with the --verbose flag
Output of chezmoi doctor