bootstrap new device with encryption, diff/dry-run fails. #4155

Open
Raboo opened this issue Dec 23, 2024 · 7 comments
Labels
support Support request

Comments

Raboo commented Dec 23, 2024

Describe the bug

When initializing a new device with encryption/age enabled and automatic decryption, you can't run chezmoi apply --dry-run --verbose or chezmoi diff.
It will fail at the first encrypted file.

It will try to diff a file that is encrypted, but first it needs the age key file, which is not created until you hit apply.

age: error: reading "/Users/raboo/.config/chezmoi/key.txt": failed to open file: open /Users/raboo/.config/chezmoi/key.txt: no such file or directory
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chezmoi: .config/tokens.profile: exit status 1

But if you want to see the changed files on your system before you hit apply, it's impossible.

To reproduce

Follow guide https://www.chezmoi.io/user-guide/frequently-asked-questions/encryption/#how-do-i-configure-chezmoi-to-encrypt-files-but-only-request-a-passphrase-the-first-time-chezmoi-init-is-run.

Add an encrypted file, push to your git.
Bootstrap a new device.

chezmoi init myusername
chezmoi diff # <- fails here

Expected behavior

If it can't decrypt the files for the initial diff, it should just say something like "know after apply", not hard fail. Because now I can't see the rest of the files that are being diffed.

Output of command with the --verbose flag

$ chezmoi --verbose diff
--- bunch of diff data ---

age: error: reading "/Users/raboo/.config/chezmoi/key.txt": failed to open file: open /Users/raboo/.config/chezmoi/key.txt: no such file or directory
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chezmoi: .config/tokens.profile: exit status 1

Output of chezmoi doctor

$ chezmoi doctor
RESULT   CHECK                       MESSAGE
ok       version                     v2.56.0, commit Homebrew, built at 2024-12-14T06:39:35Z, built by Homebrew
ok       latest-version              v2.56.0
ok       os-arch                     darwin/arm64
ok       uname                       Darwin PSE-MBP-D6CRFVNF4Y 24.1.0 Darwin Kernel Version 24.1.0: Thu Oct 10 21:00:32 PDT 2024; root:xnu-11215.41.3~2/RELEASE_ARM64_T6030 arm64 arm Darwin
ok       go-version                  go1.23.4 (gc)
ok       executable                  /opt/homebrew/bin/chezmoi
ok       upgrade-method              brew-upgrade
ok       config-file                 ~/.config/chezmoi/chezmoi.toml, last modified 2024-12-23T13:18:03+01:00
ok       source-dir                  ~/.local/share/chezmoi is a git working tree (clean)
ok       suspicious-entries          no suspicious entries
ok       working-tree                ~/.local/share/chezmoi is a git working tree (clean)
ok       dest-dir                    ~ is a directory
ok       umask                       022
ok       cd-command                  found /bin/bash
ok       cd-args                     /bin/bash
info     diff-command                not set
ok       edit-command                found /usr/bin/vim
ok       edit-args                   /usr/bin/vim
ok       git-command                 found /opt/homebrew/bin/git, version 2.46.2
ok       merge-command               found /usr/bin/vimdiff
ok       shell-command               found /bin/bash
ok       shell-args                  /bin/bash
ok       age-command                 found /opt/homebrew/bin/age, version 1.2.1
ok       gpg-command                 found /opt/homebrew/bin/gpg, version 2.4.5
info     pinentry-command            not set
info     1password-command           op not found in $PATH
info     bitwarden-command           bw not found in $PATH
info     bitwarden-secrets-command   bws not found in $PATH
info     dashlane-command            dcli not found in $PATH
info     doppler-command             doppler not found in $PATH
info     gopass-command              gopass not found in $PATH
info     keepassxc-command           keepassxc-cli not found in $PATH
info     keepassxc-db                not set
info     keeper-command              keeper not found in $PATH
info     lastpass-command            lpass not found in $PATH
info     pass-command                pass not found in $PATH
info     passhole-command            ph not found in $PATH
info     rbw-command                 rbw not found in $PATH
info     vault-command               vault not found in $PATH
info     vlt-command                 vlt not found in $PATH
info     secret-command              not set
twpayne added the support label Dec 23, 2024

twpayne (Owner) commented Dec 23, 2024

As you identify, if you do not install your private key then chezmoi cannot decrypt encrypted files and you get the above error.

You could use a read-source-state.pre hook to install your private key instead of whatever mechanism you're currently using. chezmoi runs hooks even in --dry-run mode.
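
One way to wire up the read-source-state.pre hook twpayne describes, as an added example that is not part of this thread or of chezmoi itself: a small POSIX shell script that installs the age identity (decrypting key.txt.age from the source directory, as in the linked FAQ) before chezmoi reads the source state, so a fresh machine can run chezmoi diff. The script path, the "install" argument and the use of sh as the hook command are assumptions.

```shell
#!/bin/sh
# Added example, not chezmoi's or the reporter's code.
# Assumed wiring in ~/.config/chezmoi/chezmoi.toml (hook section as documented by chezmoi;
# the script path is a placeholder):
#   [hooks.read-source-state.pre]
#       command = "sh"
#       args = ["/path/to/ensure-age-identity.sh", "install"]
# Assumed layout (from the linked FAQ): the passphrase-protected identity is stored in the
# source dir as key.txt.age and the decrypted identity belongs at ~/.config/chezmoi/key.txt.
set -eu

# ensure_age_identity IDENTITY ENCRYPTED_IDENTITY
# Returns 0 when a usable identity exists afterwards, 1 otherwise. An existing identity is
# never overwritten, so the hook is idempotent and cheap to run before every chezmoi command.
ensure_age_identity() {
    identity="$1"
    encrypted="$2"
    if [ -s "$identity" ]; then
        return 0                                  # already installed, nothing to do
    fi
    if [ ! -f "$encrypted" ]; then
        echo "ensure_age_identity: $encrypted not found" >&2
        return 1
    fi
    if ! command -v age >/dev/null 2>&1; then
        echo "ensure_age_identity: age is not installed" >&2
        return 1
    fi
    mkdir -p "$(dirname "$identity")"
    # Decrypt into a 0600 temp file and rename, so an interrupted or failed decrypt never
    # leaves a half-written or world-readable identity behind. age prompts for the passphrase.
    tmp="$(mktemp "$identity.XXXXXX")"
    chmod 600 "$tmp"
    if age --decrypt --output "$tmp" "$encrypted"; then
        mv "$tmp" "$identity"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Only act when invoked as the hook ("install"); sourcing the file just defines the function.
case "${1:-}" in
    install) ensure_age_identity "$HOME/.config/chezmoi/key.txt" \
                                 "$HOME/.local/share/chezmoi/key.txt.age" ;;
esac
```

Because chezmoi runs hooks before reading the source state even in --dry-run mode, the first chezmoi diff on a fresh machine prompts for the passphrase once and then diffs the encrypted files as well.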

Raboo (Author) commented Dec 23, 2024

But I guess the problem is that when you are initializing a new node, it doesn't have any configuration for chezmoi until its first successful apply, no? So I assume even if you have this hook added in your dotfiles repo, it won't exist locally until you have a successful apply.
A real Schrödinger problem.

Raboo (Author) commented Dec 23, 2024

I can try this type of hook and report back later.

twpayne (Owner) commented Dec 24, 2024

But I guess the problem is that when you are initializing a new node, it doesn't have any configuration for chezmoi until its first successful apply, no? So I assume even if you have this hook added in your dotfiles repo, it won't exist locally until you have a successful apply.
A real Schrödinger problem.

Not really. If you want to keep the secrets in your dotfiles repo safe, then there has to be something else (some kind of private key or password manager config) that you install separately from your dotfiles repo. If you didn't do this, then whoever has access to your dotfiles repo would also have access to all your secrets.

Raboo (Author) commented Dec 24, 2024

There is a very long passphrase to decrypt the age secret file, as per the guide I linked above. But in my current setup chezmoi only puts the config file on how to decrypt in place when I run apply, not when I run diff. I will try the read-source-state.pre hook, but as I said, I assume it will suffer from the same problem, i.e. the configuration on how to decrypt the secret file won't exist until apply.

My will with this ticket was mostly to not have chezmoi hard fail when it can't decrypt a file. Just print a warning and continue diffing the rest of the files.

twpayne (Owner) commented Dec 24, 2024

My will with this ticket was mostly to not have chezmoi hard fail when it can't decrypt a file. Just print a warning and continue diffing the rest of the files.

For this you can use the -k / --keep-going flag.

Raboo (Author) commented Dec 24, 2024

After reading the error message above I see that chezmoi+age tries to access /Users/raboo/.config/chezmoi/key.txt. That means the config is applied already. So the pre hook might actually solve the problem. But I don't have the time to test it right now.
