cryptography.exceptions.InvalidTag #36

Open
jsyrjala opened this issue Sep 18, 2019 · 1 comment

@jsyrjala
Member

It is possible that key lookup fails with this kind of error.

Maybe related to overwriting an existing key with a very old vault version.

vault -l keyname
Traceback (most recent call last):
  File "/usr/local/bin/vault", line 10, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/n_vault/cli.py", line 148, in main
    data = vlt.lookup(args.lookup)
  File "/usr/local/lib/python3.7/site-packages/n_vault/vault.py", line 590, in lookup
    return AESGCM(self.direct_decrypt(datakey)).decrypt(b64decode(meta['nonce']), ciphertext, meta_add)
  File "/usr/local/lib/python3.7/site-packages/cryptography/hazmat/primitives/ciphers/aead.py", line 180, in decrypt
    backend, self, nonce, data, associated_data, 16
  File "/usr/local/lib/python3.7/site-packages/cryptography/hazmat/backends/openssl/aead.py", line 157, in _decrypt
    raise InvalidTag
cryptography.exceptions.InvalidTag
@jsyrjala
Member Author

If you are sure there is no funky business going on, you can recrypt the payload like this:

aws s3 rm s3://vault-bucket/key-name.aesgcm.encrypted
vault -c key-name
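
Added example, not part of the thread or of the vault project's code: AES-GCM decryption raises `InvalidTag` whenever the data key, nonce, ciphertext or associated data differ from what was used at encryption, so the sketch below mixes the parts of two constructed entries to show each mismatch failing the same way. The entry layout and the helper names (`write_entry`, `try_decrypt`, `mismatch_report`) are assumptions modelled on the `decrypt` call in the traceback; the thread does not establish which input was stale.

```python
import os
from base64 import b64decode, b64encode

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def write_entry(plaintext, aad):
    """Constructed stand-in for one stored entry (layout is an assumption)."""
    key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    return {
        "datakey": key,
        "meta": {"nonce": b64encode(nonce).decode()},
        "ciphertext": AESGCM(key).encrypt(nonce, plaintext, aad),
        "aad": aad,
    }


def try_decrypt(datakey, meta, ciphertext, aad):
    """Same call shape as the traceback; returns None instead of raising InvalidTag."""
    try:
        return AESGCM(datakey).decrypt(b64decode(meta["nonce"]), ciphertext, aad)
    except InvalidTag:
        return None


def mismatch_report():
    """Decrypt a consistent entry, then swap in one stale or damaged part at a time."""
    old = write_entry(b"old secret", b'{"alg": "AESGCM", "v": 1}')  # constructed
    new = write_entry(b"new secret", b'{"alg": "AESGCM", "v": 2}')  # constructed
    flipped = bytes([new["ciphertext"][0] ^ 1]) + new["ciphertext"][1:]
    k, m, c, a = (new[f] for f in ("datakey", "meta", "ciphertext", "aad"))
    cases = {
        "consistent": (k, m, c, a),
        "stale_datakey": (old["datakey"], m, c, a),
        "stale_nonce": (k, old["meta"], c, a),
        "stale_ciphertext": (k, m, old["ciphertext"], a),
        "stale_aad": (k, m, c, old["aad"]),
        "bit_flipped": (k, m, flipped, a),
    }
    return {name: try_decrypt(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, result in mismatch_report().items():
        print(f"{name:18} {'ok' if result is not None else 'InvalidTag'}")
```

Because every mismatch surfaces as the same exception, the error alone cannot tell a version mix-up from tampering, which is why the stored pieces have to be compared against each other before anything is deleted and rewritten.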
