M bin/pa → bin/pa

@@ -43,13 +43,36 @@ #
     # Heredocs are sometimes implemented via temporary files,
     # however this is typically done using 'mkstemp()' which
     # is more secure than a leak in '/proc'.
-    pubkey=$(sed -n 's/.*\(age\)/\1/p' ~/.age/key.txt)
     age -r "$pubkey" -o "$name.age" <<-EOF &&
-		$pass
+        $pass
 	EOF
     printf '%s\n' "Saved '$name' to the store."
 }
 
+pw_edit() {
+    name=$1
+
+    # we use /dev/shm because it's an in-memory
+    # space that we can use to store private data,
+    # and securely wipe it without worrying about
+    # residual badness
+    if [ ! -d /dev/shm ]; then
+        die "Failed to access /dev/shm"
+    fi
+
+    mkdir -p /dev/shm/pa
+    trap 'rm -rf /dev/shm/pa' EXIT
+    tmpfile="/dev/shm/pa/$name.txt"
+
+    "${EDITOR:-vi}" "$tmpfile"
+
+    if [ ! -f $tmpfile ]; then
+        die "New password not saved"
+    fi
+
+    age -r "$pubkey" -o "$name.age" "$tmpfile"
+}
+
 pw_del() {
     yn "Delete pass file '$1'?" && {
         rm -f "$1.age"
@@ -132,6 +155,7 @@ usage() { printf %s "\
 pa 0.1.0 - age-based password manager
 => [a]dd  [name] - Create a new password, randomly generated
 => [d]el  [name] - Delete a password entry.
+=> [e]dit [name] - Edit a password entry with $EDITOR.
 => [l]ist        - List all entries.
 => [s]how [name] - Show password for an entry.
 Password length:   export PA_LENGTH=50
@@ -176,6 +200,8 @@ 
     glob "$2" '*/*' && { mkdir -p "${2%/*}" ||
         die "Couldn't create category '${2%/*}'"; }
 
+    pubkey=$(sed -n 's/.*\(age\)/\1/p' ~/.age/key.txt)
+
     # Restrict permissions of any new files to
     # only the current user.
     umask 077
@@ -187,6 +213,7 @@ 
     case $1 in
         a*) pw_add  "$2" ;;
         d*) pw_del  "$2" ;;
+        e*) pw_edit "$2" ;;
         s*) pw_show "$2" ;;
         l*) pw_list ;;
         *)  usage