ansible-gpg-vault/vault.sh


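#!/bin/bash
#
# vault.sh - manage the GPG-encrypted passphrase of the Ansible vault.
#
# Usage: vault.sh [decrypt|reencrypt|init]      (default: decrypt)
#   decrypt    print the vault passphrase to stdout (usable as an Ansible
#              vault password script)
#   reencrypt  decrypt the passphrase and encrypt it again for every
#              fingerprint listed in KEY_FILE
#   init       create the gpg/ directory, an empty plaintext passphrase file
#              and an empty key list
#
# KEYSERVER and KEY_FILE below must be filled in before use.
set -euo pipefail
# Every file this script creates (plaintext passphrase, key list, temporary
# ciphertext) is readable by the current user only.
umask 077

# Keyserver to use. You need to trust this keyserver that the uid is not spoofed when receiving keys
# (not referenced by the actions in this script; key retrieval happens outside it).
KEYSERVER=""
# File (inside gpg/) which contains a list of fingerprints to receive and encrypt the vault for,
# one full fingerprint per line
KEY_FILE=""
REPO_BASE_PATH="$(dirname "$0")/.."
GPG_DIR="$REPO_BASE_PATH/gpg"
# File in which the passphrase for the gpg vault is encrypted
VAULT_PASS_FILE="$GPG_DIR/vault_passphrase.gpg"
# Plaintext passphrase: created by init, consumed (and then removed) by reencrypt
VAULT_PLAIN_FILE="$GPG_DIR/vault_passphrase"
# Default action is vault decrypt. "${1:-...}" instead of "$1": under set -u a
# bare "$1" aborts the script when no argument is given, so the default never applied.
ACTION="${1:-decrypt}"

# Recipient fingerprints collected by read_recipients.
RECIPIENTS=()
# State shared with cleanup_reencrypt (set by do_reencrypt).
TMP_OUT=""
REMOVE_PLAIN=0

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

usage() {
  printf 'Usage: %s [decrypt|reencrypt|init]\n' "${0##*/}" >&2
  exit 2
}

require_gpg() {
  command -v gpg2 >/dev/null 2>&1 || die "gpg2 not found in PATH"
}

#######################################
# Print the decrypted vault passphrase to stdout.
# gpg's stderr is silenced so that only the passphrase reaches the caller;
# a failed decryption still aborts the script through set -e.
#######################################
do_decrypt() {
  require_gpg
  gpg2 --batch --use-agent --decrypt "$VAULT_PASS_FILE" 2>/dev/null
}

#######################################
# Fill RECIPIENTS from "$GPG_DIR/$KEY_FILE", one fingerprint per line.
# Only full fingerprints (40 or 64 hex digits) are accepted: short key ids and
# user ids are ambiguous and could select a key other than the intended one,
# which would give that key's owner the vault passphrase.
# Dies on a missing file, a malformed entry or an empty list.
#######################################
read_recipients() {
  local key_path="$GPG_DIR/$KEY_FILE"
  local fp rest
  [[ -f "$key_path" ]] || die "key file not found: $key_path"
  RECIPIENTS=()
  # \r in IFS tolerates CRLF files; the || clause keeps a last line without newline.
  while IFS=$' \t\r' read -r fp rest || [[ -n "$fp" ]]; do
    [[ -z "$fp" ]] && continue
    [[ -z "$rest" ]] || die "expected one fingerprint per line in $key_path, got: $fp $rest"
    [[ "$fp" =~ ^([0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})$ ]] \
      || die "not a full fingerprint in $key_path: $fp"
    RECIPIENTS+=("$fp")
  done < "$key_path"
  (( ${#RECIPIENTS[@]} > 0 )) || die "no fingerprints listed in $key_path"
}

#######################################
# Remove the temporary ciphertext and, once it is safe, the plaintext
# passphrase. Installed as EXIT trap by do_reencrypt, so it runs on every
# exit path. rm unlinks the file but does not scrub its blocks.
#######################################
cleanup_reencrypt() {
  [[ -n "$TMP_OUT" ]] && rm -f -- "$TMP_OUT"
  (( REMOVE_PLAIN )) && rm -f -- "$VAULT_PLAIN_FILE"
  return 0
}

#######################################
# Re-encrypt the vault passphrase for every fingerprint in KEY_FILE.
# If an encrypted vault exists it is the source of the passphrase; otherwise
# the plaintext file left by init is used. The new ciphertext goes to a
# temporary file and is moved over VAULT_PASS_FILE only after gpg succeeded,
# so a failed run never destroys the previous ciphertext. The plaintext is
# removed as soon as it is no longer the only copy of the passphrase.
#######################################
do_reencrypt() {
  : "${KEY_FILE:?KEY_FILE must name the fingerprint list inside $GPG_DIR}"
  local fp
  local -a args
  require_gpg
  read_recipients
  trap cleanup_reencrypt EXIT
  if [[ -f "$VAULT_PASS_FILE" ]]; then
    # --yes: in --batch mode gpg refuses to overwrite an existing --output file.
    gpg2 --batch --use-agent --yes --output "$VAULT_PLAIN_FILE" --decrypt "$VAULT_PASS_FILE"
    # This plaintext can be regenerated from the ciphertext, so drop it even on failure.
    REMOVE_PLAIN=1
  elif [[ ! -s "$VAULT_PLAIN_FILE" ]]; then
    die "neither $VAULT_PASS_FILE nor a non-empty $VAULT_PLAIN_FILE exists; run 'init' and fill in the passphrase"
  fi
  TMP_OUT="$(mktemp "$VAULT_PASS_FILE.XXXXXX")" || die "mktemp failed"
  # Arguments are kept in an array so fingerprints and paths are never
  # word-split, globbed or re-parsed as a command.
  args=(--batch --use-agent --yes --armor --output "$TMP_OUT")
  for fp in "${RECIPIENTS[@]}"; do
    args+=(--recipient "$fp")
  done
  # In --batch mode gpg fails (rather than prompting) for recipient keys that
  # are not valid in the local keyring; that is intended, do not work around
  # it with a relaxed trust model.
  gpg2 "${args[@]}" --encrypt "$VAULT_PLAIN_FILE"
  mv -f -- "$TMP_OUT" "$VAULT_PASS_FILE"
  TMP_OUT=""
  # Encryption succeeded: the plaintext is no longer the only copy.
  REMOVE_PLAIN=1
}

#######################################
# Create the gpg/ directory, an empty plaintext passphrase file and an
# empty key list. Fill in both, then run 'reencrypt'.
#######################################
do_init() {
  : "${KEY_FILE:?KEY_FILE must name the fingerprint list inside $GPG_DIR}"
  mkdir -p -- "$GPG_DIR"
  touch -- "$VAULT_PLAIN_FILE" "$GPG_DIR/$KEY_FILE"
}

main() {
  case "$ACTION" in
    decrypt)   do_decrypt ;;
    reencrypt) do_reencrypt ;;
    init)      do_init ;;
    *)         usage ;;
  esac
}

main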