Roots Discourse

Lost .vault_pass — best way to proceed?

trellis
#1

Made a huge mistake wiping out a project folder via a shell command before realizing I didn’t store the .vault_pass backup in my Dropbox. I did save the entry it in 1Password, but that doesn’t seem to be working as I am getting the following:

ERROR! Decryption failed (no vault secrets were found that could decrypt) for /Users/art/Sites/oddfellows.tv/trellis/group_vars/all/vault.yml

I’ve been trying to wrap my head around the best way to proceed here, there are three paths I’ve tried and considering:

(1) Try to recover the .vault_pass file with a data recovery method like Disk Drill (but unfortunately after a full scan I couldn’t find the missing file). Is there another utility that could be used? Keep in mind I deleted the folder using the shell command rm -rf project_folder and I’m on a mac. I know I must have a partial match in the .vault_pass but I must have an extra/missing character.

(2) I have full access to everything, so is there a way I could use it to piece together the missing pieces that were encrypted and recreate the vault.yml files?

(3) What are my other options? Can I brute force? Do I have to start a new droplet?

Any help at all would be great, I am completely lost here and not sure how to approach this.

Thank you in advance!

#2

Do you mean that you have all the passwords and secrets other than the ones for the Droplet? I believe that Digital Ocean does let you reset the root password for your Droplet. If you did that and then allowed root access via SSH, you could re-provision the server with new passwords in your vault. I’m sure that there would be more to it than that, but that should give you enough direction? Before you try this make sure you have everything backed up if you can (i.e. database, uploads). You should have sufficient privileges via SSH to rsync the uploads or do a database export via wp-cli or something. Also, maybe see what you can do with that SSH access first (i.e. try re-provisioning with new passwords, idk if this would work, but if it did that would be more ideal that resetting your Droplet password).

I would hope that this wouldn’t work (or be that easy).

This is a longshot, but try adding a space at the end. That’s happened to me before.

For the future, you might want to try a common filesystem path for your vault pass like described in this guide (as a cross-system solution between macOS and Linux this guide is outdated now since Keybase needs to store its filesystem at a different path. Also, Zoom bought Keybase so it’s kinda sketchy now).