finallycoffee/ansible-gpg-vault
finallycoffee/ansible-gpg-vault
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

ansible-gpg-vault: add init script, enable adding users and reencrypting

Browse Source
This commit is contained in:
Johanna Dorothea Reichmann 2020-06-07 16:38:50 +02:00
parent 50350b4bed
commit ebd2c819ec
Signed by: transcaffeine
GPG Key ID: 03624C433676E465
1 changed files with 73 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
vault.sh
View File

@ -4,38 +4,92 @@ set -e -u
# Keyserver to use. You need to trust this keyserver that the uid is not spoofed when receiving keys # Keyserver to use. You need to trust this keyserver that the uid is not spoofed when receiving keys
KEYSERVER="" KEYSERVER=""
# File which contains a list of fingerprints to receive and encrypt the vault for
KEY_FILE="" REPO_BASE_PATH="`pwd`/../ansible-gpg-vault-store"
REPO_BASE_PATH="$(dirname $0)/.."
# File in which the passphrase for the gpg vault is encrypted # File in which the passphrase for the gpg vault is encrypted
VAULT_PASS_FILE="$REPO_BASE_PATH/gpg/vault_passphrase.gpg" VAULT_PASS_FILE="$REPO_BASE_PATH/vault_passphrase.gpg"
# File which contains a list of fingerprints to receive and encrypt the vault for
KEY_FILE="$REPO_BASE_PATH/gpg_ids.list"
VAULT_PASS_RAW_FILE="$REPO_BASE_PATH/vault_passphrase"
# Length of the generated passphrase
VAULT_PASS_LENGTH="128"
ACTION="$1" # Default action is vault decrypt
# default action is vault decrypt if [ $# -eq 0 ]; then
if [[ -z "$ACTION" ]]; then
ACTION="decrypt" ACTION="decrypt"
fi else
ACTION="$1"
fi;
addUser() {
USER="$1"
echo "grep for user $USER"
grep "$USER" $KEY_FILE
echo "rc=$?"
if ! grep -q "$USER" $KEY_FILE; then
echo "$USER" >> $KEY_FILE
else
echo "WARNING: user '$USER' already in key file"
fi;
reencrypt
}
reencrypt() {
gpg2 --batch --use-agent --output "$VAULT_PASS_RAW_FILE" --decrypt "$VAULT_PASS_FILE"
rm -v $VAULT_PASS_FILE
CMD="gpg2 --batch --use-agent --armor --output $VAULT_PASS_FILE"
for ID in $(cat $KEY_FILE); do
CMD="$CMD --recipient $ID";
done
CMD="$CMD --encrypt $VAULT_PASS_RAW_FILE"
$($CMD)
RC=$?
rm -v $VAULT_PASS_RAW_FILE
return "$RC"
}
decrypt() {
if [[ ! -f "$VAULT_PASS_FILE" ]]; then
echo "ERROR: vault script not initialised"
exit -1;
fi;
gpg2 --batch --use-agent --decrypt $VAULT_PASS_FILE 2>/dev/null
}
case "$ACTION" in case "$ACTION" in
"decrypt") "decrypt")
gpg2 --batch --use-agent --decrypt $VAULT_PASS_FILE 2>/dev/null decrypt
;; ;;
"reencrypt") "reencrypt")
gpg2 --batch --use-agent --output $REPO_BASE_PATH/gpg/vault_passphrase --decrypt $VAULT_PASS_FILE reencrypt
CMD="gpg2 --batch --use-agent --armor --output $VAULT_PASS_FILE"
for FINGERPRINT in $(cat KEY_FILE) do
CMD="$CMD --recipient $FINGERPRINT"
done
CMD="$CMD --encrypt $REPO_BASE_PATH/gpg/vault_passhphrase"
$($CMD)
;; ;;
"init") "init")
mkdir -p $REPO_BASE_PATH/gpg mkdir $REPO_BASE_PATH
touch $REPO_BASE_PATH/gpg/vault_passphrase if [[ ! -e "$VAULT_PASS_RAW_FILE" ]] && [[ ! -s "$VAULT_PASS_FILE" ]]; then
touch $REPO_BASE_PATH/gpg/$KEY_FILE dd if=/dev/random bs=1 count=$VAULT_PASS_LENGTH 2>/dev/null \
| base64 -w 0 | rev | cut -b 2- | rev \
> $VAULT_PASS_RAW_FILE
else
echo "WARNING: File not empty, not overwriting potential existing keyphrase"
exit -1;
fi;
touch $KEY_FILE
echo "Specify the inital user who may access the vault"
read -p "GPG user id: " GPG_USER
echo "$GPG_USER" >> $KEY_FILE
CMD="gpg2 --batch --use-agent --armor --output $VAULT_PASS_FILE --recipient $GPG_USER --encrypt $VAULT_PASS_RAW_FILE"
$($CMD)
rm -v $VAULT_PASS_RAW_FILE
;; ;;
"add")
if [ $# -eq 2 ]; then
USER="$2"
else
read -p "GPG user id to add: " GPG_USER
fi;
addUser $USER
esac esac