#!/bin/sh
#
# Utility to manage encrypted files using OpenSSL's pbkdf2.
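# Abort on any failed command or unset variable: a silently ignored failure
# here could leave a half-written vault file or plaintext behind.
set -eu
PROGNAME=vault
# Usage line; the action list had a stray trailing '|' (".../reencrypt|>").
USAGE="${PROGNAME} <check|create|decrypt|edit|encrypt|reencrypt> FILE..."
# Directory containing this script with symlinks resolved; lib/ is sourced
# relative to it. NOTE: readlink -f is not POSIX (GNU/BSD extension), so
# this is the one non-portable line in an otherwise /bin/sh script.
BOXCONF_ROOT=$(dirname "$(readlink -f "$0")")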
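# Print the usage line to stderr and exit with status 2 (usage error).
# Bug fix: the original used '2>&1', which redirects stderr to stdout and so
# sent the usage text to stdout, where a caller's "$(vault ...)" would
# capture it as output; '>&2' is what was intended.
usage(){
  printf 'usage: %s\n' "$USAGE" >&2
  exit 2
}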
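# vault check FILE... — report for each FILE whether it is encrypted.
# Results go to stdout; a missing FILE is reported through warn (from lib/)
# and does not stop the remaining files from being checked.
# Uses printf instead of echo so a filename containing backslashes is
# printed verbatim: under /bin/sh (e.g. dash) echo expands escape sequences.
vault_check(){
  for _f in "$@"; do
    if [ ! -f "$_f" ]; then
      warn "file does not exist: ${_f}"
    elif _boxconf_is_encrypted "$_f"; then
      printf '%s is encrypted\n' "$_f"
    else
      printf '%s is not encrypted\n' "$_f"
    fi
  done
}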
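# vault create FILE — open $EDITOR on an empty scratch file and encrypt the
# result into FILE. Refuses to overwrite an existing FILE. Any arguments
# after FILE are ignored.
vault_create(){
  # Check the destination before prompting so a bad path does not cost the
  # user a password entry (die comes from lib/ and exits).
  if [ -e "$1" ]; then
    die "file already exists: ${1}"
  fi
  _boxconf_get_vault_password
  # $TMPFILE is the mktemp (0600) scratch file; it holds plaintext from the
  # editor until it is truncated below. EDITOR is invoked as a single word.
  # Depending on the editor, swap/backup copies may also be written next to
  # it under $TMPDIR — that is outside this script's control.
  "$EDITOR" "$TMPFILE"
  # The password reaches openssl through the environment (env:PASS), not
  # argv, so it is not visible in the process list; -pbkdf2 selects the key
  # derivation at openssl's default iteration count.
  PASS=$BOXCONF_VAULT_PASSWORD openssl enc -in "$TMPFILE" -out "$1" -e "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
  # Drop the plaintext as soon as the ciphertext has been written.
  : > "$TMPFILE"
}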
# vault decrypt FILE... — write the plaintext of each encrypted FILE to
# stdout. Files that are missing or not encrypted are skipped with a warning
# on stderr. A wrong password makes openssl fail, which aborts the whole run
# under set -e.
vault_decrypt(){
  _boxconf_get_vault_password
  for _f in "$@"; do
    if [ ! -f "$_f" ]; then
      warn "file does not exist: ${_f}"
      continue
    fi
    if ! _boxconf_is_encrypted "$_f"; then
      warn "file is not encrypted: ${_f}"
      continue
    fi
    # Password is handed to openssl via the environment (env:PASS), not argv.
    PASS=$BOXCONF_VAULT_PASSWORD openssl enc -in "$_f" -d "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
  done
}
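# vault edit FILE... — decrypt each encrypted FILE into the scratch file,
# open $EDITOR on it, and encrypt the result back over FILE.
# Missing or unencrypted files are skipped with a warning.
vault_edit(){
  _boxconf_get_vault_password
  while [ $# -gt 0 ]; do
    if [ ! -f "$1" ]; then
      warn "file does not exist: ${1}"
    elif ! _boxconf_is_encrypted "$1"; then
      warn "file is not encrypted: ${1}"
    else
      # A wrong password fails here and aborts under set -e before the
      # vault file itself is touched. $TMPFILE (mktemp, 0600) holds the
      # plaintext from now until it is truncated below.
      PASS=$BOXCONF_VAULT_PASSWORD openssl enc -in "$1" -out "$TMPFILE" -d "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
      # EDITOR is invoked as a single word (no argument splitting).
      "$EDITOR" "$TMPFILE"
      # Re-encrypt straight over FILE. This is not an atomic replace: if
      # openssl fails part-way, FILE is left incomplete and the plaintext
      # is only in $TMPFILE until the exit trap removes it.
      PASS=$BOXCONF_VAULT_PASSWORD openssl enc -in "$TMPFILE" -out "$1" -e "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
      # Do not leave this file's plaintext lying in the scratch file while
      # the remaining files are processed.
      : > "$TMPFILE"
    fi
    shift
  done
}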
# vault encrypt FILE... — encrypt each plaintext FILE in place.
# Missing or already-encrypted files are skipped with a warning.
# The ciphertext is produced in $TMPFILE first (presumably because giving
# openssl the same path for -in and -out would truncate its input) and then
# copied back over FILE; cp onto an existing file keeps that file's mode.
# No secure wipe of the previous plaintext is attempted.
vault_encrypt(){
  _boxconf_get_vault_password
  for _f in "$@"; do
    if [ ! -f "$_f" ]; then
      warn "file does not exist: ${_f}"
    elif _boxconf_is_encrypted "$_f"; then
      warn "file is already encrypted, refusing: ${_f}"
    else
      # Password goes to openssl through the environment (env:PASS).
      PASS=$BOXCONF_VAULT_PASSWORD openssl enc -in "$_f" -out "$TMPFILE" -e "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
      cp "$TMPFILE" "$_f"
    fi
  done
}
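# vault reencrypt FILE... — decrypt each encrypted FILE with the current
# vault password and encrypt it again with a new one. The new password is
# taken from $VAULT_NEW_PASSWORD when set and non-empty, otherwise prompted.
# Missing or unencrypted files are skipped with a warning.
vault_reencrypt(){
  _boxconf_get_vault_password
  if [ -z "${VAULT_NEW_PASSWORD:-}" ]; then
    _boxconf_read_password 'Enter new vault password: ' VAULT_NEW_PASSWORD
    # A mistyped new password would lock the user out of every file
    # re-encrypted below, so ask for it twice and compare.
    _boxconf_read_password 'Confirm new vault password: ' _vault_confirm
    [ "$VAULT_NEW_PASSWORD" = "$_vault_confirm" ] || die 'new vault passwords do not match'
    unset _vault_confirm
  fi
  while [ $# -gt 0 ]; do
    if [ ! -f "$1" ]; then
      warn "file does not exist: ${1}"
    elif ! _boxconf_is_encrypted "$1"; then
      warn "file is not encrypted: ${1}"
    else
      # Decrypt with the old password into the 0600 scratch file; a wrong
      # password fails here, before FILE is modified.
      PASS=$BOXCONF_VAULT_PASSWORD openssl enc -in "$1" -out "$TMPFILE" -d "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
      # Overwrite FILE in place with the new password. If this fails the run
      # aborts (set -e) and files handled earlier already use the new
      # password while the rest still use the old one.
      PASS=$VAULT_NEW_PASSWORD openssl enc -in "$TMPFILE" -out "$1" -e "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
      # Drop this file's plaintext before moving to the next one.
      : > "$TMPFILE"
    fi
    shift
  done
}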
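# Entry point: vault <action> FILE... (at least one FILE is required).
[ $# -gt 1 ] || usage
action=$1; shift
# Helper functions (warn, die, _boxconf_*) come from lib/ next to this
# script; usage above must not depend on them since it can run first.
for _bc_lib in "${BOXCONF_ROOT}/lib"/*; do
  . "$_bc_lib"
done
# Scratch file created 0600 by mktemp under $TMPDIR. It carries plaintext
# during create/edit/reencrypt, so it has to go on every exit path. Under
# set -e a failing mktemp aborts here rather than leaving TMPFILE empty.
TMPFILE=$(mktemp)
trap 'rm -f "$TMPFILE"' EXIT
# On a signal, clean up and exit. The original handler only removed the
# file and returned, which let the script resume with the next FILE after
# e.g. Ctrl-C and recreate the plaintext it had just deleted.
trap 'rm -f "$TMPFILE"; exit 1' HUP INT QUIT TERM
case $action in
  check) vault_check "$@" ;;
  create) vault_create "$@" ;;
  decrypt) vault_decrypt "$@" ;;
  edit) vault_edit "$@" ;;
  encrypt) vault_encrypt "$@" ;;
  reencrypt) vault_reencrypt "$@" ;;
  *) usage ;;
esac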