contrib/pa-rekey
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#!/bin/sh
#
# rotate keys and reencrypt passwords
#
# Reuse identities file: export PA_IDENTITIES=~/.local/share/pa/identities
# Reuse recipients file: export PA_RECIPIENTS=~/.local/share/pa/recipients
die() {
printf 'error: %s.\n' "$1" >&2
exit 1
}
age=$(command -v age || command -v rage) ||
die "age not found, install per https://age-encryption.org"
age_keygen=$(command -v age-keygen || command -v rage-keygen) ||
die "age-keygen not found, install per https://age-encryption.org"
# Restrict permissions of any new files to only the current user.
umask 077
basedir="${XDG_DATA_HOME:=$HOME/.local/share}/pa"
: "${PA_DIR:=$basedir/passwords}"
[ "$PA_IDENTITIES" ] && cp "$PA_IDENTITIES" "$basedir/identities.tmp"
[ "$PA_RECIPIENTS" ] && cp "$PA_RECIPIENTS" "$basedir/recipients.tmp"
$age_keygen >>"$basedir/identities.tmp" 2>/dev/null
$age_keygen -y "$basedir/identities.tmp" >>"$basedir/recipients.tmp" 2>/dev/null
pa list | while read -r name; do
pa show "$name" | $age -R "$basedir/recipients.tmp" -o "$PA_DIR/$name.tmp.age"
mv "$PA_DIR/$name.tmp.age" "$PA_DIR/$name.age"
done
mv "$basedir/identities.tmp" "$basedir/identities"
mv "$basedir/recipients.tmp" "$basedir/recipients"
# Recreate git repository for forward secrecy.
[ -d "$PA_DIR/.git" ] && rm -rf "$PA_DIR/.git" && pa list >/dev/null