small pixel drawing of a pufferfish dotfiles 

make show/edit more resilient, commit 1st rotation draft
j3s j3s@c3f.net
Thu, 28 Jan 2021 15:36:41 -0600
commit

dd924016c237ed1200c9869af85819c83a8ba751

parent

705565a04c4ab818dfe693ab4439c2e5b20fb383

1 files changed, 32 insertions(+), 13 deletions(-)

jump to
M bin/pabin/pa 
@@ -49,26 +49,42 @@ EOF
     printf '%s\n' "Saved '$name' to the store."
 }
 
+pw_rotate() {
+    if yn "Generate a new key and re-encrypt all of your passwords?"; then
+        mkdir -p ~/.age
+        printf "Old key saved at ~/.age/key.txt.bak"
+        mv ~/.age/key.txt ~/.age/key.txt.bak
+        age-keygen -o ~/.age/key.txt
+
+        cd "$PA_DIR"
+        for pass in *; do
+            printf "$pass\n"
+            ls -l "$pass"
+            cat "$pass"
+        done
+
+        printf "Completed rotation\n"
+    fi
+}
+
 pw_edit() {
     name=$1
 
-    if [ ! -f "$name.age" ]; then
-        die "Failed to access $name"
-    fi
+    [ -f "$name.age" ] || die "Failed to access $name"
 
     # we use /dev/shm because it's an in-memory
     # space that we can use to store private data,
     # and securely wipe it without worrying about
     # residual badness
-    if [ ! -d /dev/shm ]; then
-        die "Failed to access /dev/shm"
-    fi
+    [ -d /dev/shm ] || die "Failed to access /dev/shm"
 
     mkdir -p /dev/shm/pa
     trap 'rm -rf /dev/shm/pa' EXIT
     tmpfile="/dev/shm/pa/$name.txt"
 
-    age -i ~/.age/key.txt --decrypt "$1.age" > "$tmpfile"
+    age -i ~/.age/key.txt --decrypt "$1.age" 2>/dev/null > "$tmpfile" ||
+        die "Could not decrypt $1.age"
+
     "${EDITOR:-vi}" "$tmpfile"
 
     if [ ! -f "$tmpfile" ]; then

@@ -91,7 +107,8 @@ }
 }
 
 pw_show() {
-    age -i ~/.age/key.txt --decrypt "$1.age"
+    age -i ~/.age/key.txt --decrypt "$1.age" 2>/dev/null ||
+        die "Could not decrypt $1.age"
 }
 
 pw_list() {

@@ -163,6 +180,7 @@ => [a]dd  [name] - Create a new password, randomly generated
 => [d]el  [name] - Delete a password entry.
 => [e]dit [name] - Edit a password entry with $EDITOR.
 => [l]ist        - List all entries.
+=> [r]otate      - Generate a new age key, re-encrypt all passwords.
 => [s]how [name] - Show password for an entry.
 Password length:   export PA_LENGTH=50
 Password pattern:  export PA_PATTERN=_A-Z-a-z-0-9

@@ -216,11 +234,12 @@ # state on exit or Ctrl+C.
     [ -t 1 ] && trap 'stty echo icanon' INT EXIT
 
     case $1 in
-        a*) pw_add    "$2" ;;
-        d*) pw_del    "$2" ;;
-        e*) pw_edit   "$2" ;;
-        s*) pw_show   "$2" ;;
-        l*) pw_list        ;;
+        a*) pw_add  "$2" ;;
+        d*) pw_del  "$2" ;;
+        e*) pw_edit "$2" ;;
+        s*) pw_show "$2" ;;
+        l*) pw_list      ;;
+        r*) pw_rotate    ;;
         *)  usage
     esac
 }