How does SealedSecret know which encryption cert to use for unsealing a secret?

[chinmaya-n]

How does it know? Or does it just brute force and cycle through all the encryption certs until one successfully unseals it?

[tewfik-ghariani]

At the moment, all possible private keys are being tried and there is a ToDo item to change that

// TODO(mkm): use the key fingerprint encoded in ciphertext (if present) instead of trying all the possible keys

sealed-secrets/pkg/crypto/crypto.go

Line 76 in bb942f1

func HybridDecrypt(rnd io.Reader, privKeys map[string]*rsa.PrivateKey, ciphertext, label []byte) ([]byte, error) {

That HybridDecrypt function is called by the Unseal fct:

sealed-secrets/pkg/apis/sealedsecrets/v1alpha1/sealedsecret_expansion.go

Line 278 in bb942f1

plaintext, err := crypto.HybridDecrypt(rand.Reader, privKeys, valueBytes, label)

And the Unseal function is called after looping through all private keys in the key registry:

sealed-secrets/pkg/controller/controller.go

Line 499 in bb942f1

func attemptUnseal(ss *ssv1alpha1.SealedSecret, keyRegistry *KeyRegistry) (*corev1.Secret, error) {

[mkmik]

yeah ideally the encyrpted data should contain the id of the keypair used to encrypt so that it can be used to quickly find the right one to decrypt (and also to provide useful troubleshooting answers in case the key is not found!).

There should be an open task to do it. All we need is somebody with some time to implement it. Feel free to tag me for a review