mirror of
https://github.com/ryantm/agenix.git
synced 2024-12-22 23:58:29 +03:00
added ability to directly encrypt a specified file
This commit is contained in:
parent
f6291c5935
commit
cfb1ead5b0
1 changed files with 52 additions and 0 deletions
|
@ -13,6 +13,7 @@ function show_help () {
|
||||||
echo '-h, --help show help'
|
echo '-h, --help show help'
|
||||||
# shellcheck disable=SC2016
|
# shellcheck disable=SC2016
|
||||||
echo '-e, --edit FILE edits FILE using $EDITOR'
|
echo '-e, --edit FILE edits FILE using $EDITOR'
|
||||||
|
echo '-f, --encrypt FILE OUTPUT encrypts a given FILE to OUTPUT'
|
||||||
echo '-r, --rekey re-encrypts all secrets with specified recipients'
|
echo '-r, --rekey re-encrypts all secrets with specified recipients'
|
||||||
echo '-d, --decrypt FILE decrypts FILE to STDOUT'
|
echo '-d, --decrypt FILE decrypts FILE to STDOUT'
|
||||||
echo '-i, --identity identity to use when decrypting'
|
echo '-i, --identity identity to use when decrypting'
|
||||||
|
@ -47,6 +48,7 @@ test $# -eq 0 && (show_help && exit 1)
|
||||||
|
|
||||||
REKEY=0
|
REKEY=0
|
||||||
DECRYPT_ONLY=0
|
DECRYPT_ONLY=0
|
||||||
|
ENCRYPT_FILE=0
|
||||||
DEFAULT_DECRYPT=(--decrypt)
|
DEFAULT_DECRYPT=(--decrypt)
|
||||||
|
|
||||||
while test $# -gt 0; do
|
while test $# -gt 0; do
|
||||||
|
@ -65,6 +67,24 @@ while test $# -gt 0; do
|
||||||
fi
|
fi
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
|
-f|--encrypt)
|
||||||
|
shift
|
||||||
|
ENCRYPT_FILE=1
|
||||||
|
if test $# -gt 0; then
|
||||||
|
export FILE=$1
|
||||||
|
else
|
||||||
|
echo "no FILE specified"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
shift
|
||||||
|
if test $# -gt 0; then
|
||||||
|
export OUTPUT=$1
|
||||||
|
else
|
||||||
|
echo "no OUTPUT specified"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
shift
|
||||||
|
;;
|
||||||
-i|--identity)
|
-i|--identity)
|
||||||
shift
|
shift
|
||||||
if test $# -gt 0; then
|
if test $# -gt 0; then
|
||||||
|
@ -188,6 +208,37 @@ function edit {
|
||||||
mv -f "$REENCRYPTED_FILE" "$FILE"
|
mv -f "$REENCRYPTED_FILE" "$FILE"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function encrypt {
|
||||||
|
FILE=$1
|
||||||
|
OUTPUT=$2
|
||||||
|
KEYS=$(keys "$OUTPUT") || exit 1
|
||||||
|
|
||||||
|
if [ ! -f "$FILE" ]
|
||||||
|
then
|
||||||
|
warn "$FILE does not exist."
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
ENCRYPT=()
|
||||||
|
while IFS= read -r key
|
||||||
|
do
|
||||||
|
if [ -n "$key" ]; then
|
||||||
|
ENCRYPT+=(--recipient "$key")
|
||||||
|
fi
|
||||||
|
done <<< "$KEYS"
|
||||||
|
|
||||||
|
ENCRYPTED_DIR=$(@mktempBin@ -d)
|
||||||
|
ENCRYPTED_FILE="$ENCRYPTED_DIR/$(basename "$OUTPUT")"
|
||||||
|
|
||||||
|
ENCRYPT+=(-o "$ENCRYPTED_FILE")
|
||||||
|
|
||||||
|
@ageBin@ "${ENCRYPT[@]}" <"$FILE" || exit 1
|
||||||
|
|
||||||
|
mkdir -p "$(dirname "$FILE")"
|
||||||
|
|
||||||
|
mv -f "$ENCRYPTED_FILE" "$OUTPUT"
|
||||||
|
}
|
||||||
|
|
||||||
function rekey {
|
function rekey {
|
||||||
FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)" | @jqBin@ -r .[]) || exit 1)
|
FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)" | @jqBin@ -r .[]) || exit 1)
|
||||||
|
|
||||||
|
@ -201,4 +252,5 @@ function rekey {
|
||||||
|
|
||||||
[ $REKEY -eq 1 ] && rekey && exit 0
|
[ $REKEY -eq 1 ] && rekey && exit 0
|
||||||
[ $DECRYPT_ONLY -eq 1 ] && DEFAULT_DECRYPT+=("-o" "-") && decrypt "${FILE}" "$(keys "$FILE")" && exit 0
|
[ $DECRYPT_ONLY -eq 1 ] && DEFAULT_DECRYPT+=("-o" "-") && decrypt "${FILE}" "$(keys "$FILE")" && exit 0
|
||||||
|
[ $ENCRYPT_FILE -eq 1 ] && encrypt "$FILE" "$OUTPUT" && exit 0
|
||||||
edit "$FILE" && cleanup && exit 0
|
edit "$FILE" && cleanup && exit 0
|
||||||
|
|
Loading…
Reference in a new issue