From 85007db580ccf662a45cf2aaeb83518ad2ddb85a Mon Sep 17 00:00:00 2001 From: Cullum Smith Date: Thu, 11 Jul 2024 10:55:45 -0400 Subject: initial boxconf scaffolding --- vault | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100755 vault (limited to 'vault') diff --git a/vault b/vault new file mode 100755 index 0000000..5f0094f --- /dev/null +++ b/vault 
@@ -0,0 +1,121 @@
+#!/bin/sh
+#
+# Utility to manage encrypted files using OpenSSL's pbkdf2.
+
+set -eu
+
+PROGNAME=vault
+USAGE="${PROGNAME} FILE..."
+BOXCONF_ROOT=$(dirname "$(readlink -f "$0")")
+
+usage(){
+ printf 'usage: %s\n' "$USAGE" 2>&1
+ exit 2
+}
+
+vault_check(){
+ while [ $# -gt 0 ]; do
+ if [ ! -f "$1" ]; then
+ warn "file does not exist: ${1}"
+ elif _boxconf_is_encrypted "$1"; then
+ echo "${1} is encrypted"
+ else
+ echo "${1} is not encrypted"
+ fi
+ shift
+ done
+}
+
+vault_create(){
+ _boxconf_get_vault_password
+ if [ -e "$1" ]; then
+ die "file already exists: ${1}"
+ else
+ "$EDITOR" "$TMPFILE"
+ PASS=$BOXCONF_VAULT_PASSWORD openssl enc -in "$TMPFILE" -out "$1" -e "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
+ fi
+}
+
+vault_decrypt(){
+ _boxconf_get_vault_password
+ while [ $# -gt 0 ]; do
+ if [ ! -f "$1" ]; then
+ warn "file does not exist: ${1}"
+ elif ! _boxconf_is_encrypted "$1"; then
+ warn "file is not encrypted: ${1}"
+ else
+ PASS=$BOXCONF_VAULT_PASSWORD openssl enc -in "$1" -d "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
+ fi
+ shift
+ done
+}
+
+vault_edit(){
+ _boxconf_get_vault_password
+ while [ $# -gt 0 ]; do
+ if [ ! -f "$1" ]; then
+ warn "file does not exist: ${1}"
+ elif ! _boxconf_is_encrypted "$1"; then
+ warn "file is not encrypted: ${1}"
+ else
+ PASS=$BOXCONF_VAULT_PASSWORD openssl enc -in "$1" -out "$TMPFILE" -d "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
+ "$EDITOR" "$TMPFILE"
+ PASS=$BOXCONF_VAULT_PASSWORD openssl enc -in "$TMPFILE" -out "$1" -e "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
+ fi
+ shift
+ done
+}
+
+vault_encrypt(){
+ _boxconf_get_vault_password
+ while [ $# -gt 0 ]; do
+ if [ ! -f "$1" ]; then
+ warn "file does not exist: ${1}"
+ elif _boxconf_is_encrypted "$1"; then
+ warn "file is already encrypted, refusing: ${1}"
+ else
+ PASS=$BOXCONF_VAULT_PASSWORD openssl enc -in "$1" -out "$TMPFILE" -e "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
+ cp "$TMPFILE" "$1"
+ fi
+ shift
+ done
+}
+
+vault_reencrypt(){
+ _boxconf_get_vault_password
+
+ [ -n "${VAULT_NEW_PASSWORD:-}" ] \
+ || _boxconf_read_password 'Enter new vault password: ' VAULT_NEW_PASSWORD
+
+ while [ $# -gt 0 ]; do
+ if [ ! -f "$1" ]; then
+ warn "file does not exist: ${1}"
+ elif ! _boxconf_is_encrypted "$1"; then
+ warn "file is not encrypted: ${1}"
+ else
+ PASS=$BOXCONF_VAULT_PASSWORD openssl enc -in "$1" -out "$TMPFILE" -d "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
+ PASS=$VAULT_NEW_PASSWORD openssl enc -in "$TMPFILE" -out "$1" -e "-${BOXCONF_VAULT_CIPHER}" -pass env:PASS -pbkdf2
+ fi
+ shift
+ done
+}
+
+[ $# -gt 1 ] || usage
+action=$1; shift
+
+for _bc_lib in "${BOXCONF_ROOT}/lib"/*; do
+ . "$_bc_lib"
+done
+
+TMPFILE=$(mktemp)
+trap 'rm -f "$TMPFILE"' HUP INT QUIT TERM EXIT
+
+case $action in
+ check) vault_check "$@" ;;
+ create) vault_create "$@" ;;
+ decrypt) vault_decrypt "$@" ;;
+ edit) vault_edit "$@" ;;
+ encrypt) vault_encrypt "$@" ;;
+ reencrypt) vault_reencrypt "$@" ;;
+ *) usage ;;
+esac
-- cgit v1.2.3
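Review bot: Every `openssl enc` call in this hunk passes `-pbkdf2` without `-iter`, so key derivation runs at OpenSSL's documented default of 10000 iterations, which is low for a password guarding a whole vault; pin an explicit count on both the encrypt and decrypt invocations, e.g. `-pbkdf2 -iter 600000`, held in one variable next to `BOXCONF_VAULT_CIPHER` so the two sides can never disagree (files already written with the default would need a `reencrypt` pass first). `openssl enc` also provides no integrity check — with a CBC cipher the only thing that catches a wrong password or a modified ciphertext is block padding, so a tampered or mis-decrypted vault can come back as garbage that `vault_edit` and `vault_reencrypt` then encrypt straight over the original; that is worth a comment near the `vault_edit` encrypt step, and longer term an authenticated format, since `openssl enc` does not support AEAD modes. Those two functions also write `-out "$1"` directly, unlike `vault_encrypt` which goes through `$TMPFILE` and `cp`, so a failed encrypt leaves `$1` truncated. Finally, `usage()` uses `2>&1`, which sends the usage text to stdout rather than stderr; it should read `printf 'usage: %s\n' "$USAGE" >&2`.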