small pixel drawing of a pufferfish pa

contrib/pa-rekey

#!/bin/sh
#
# rotate keys and reencrypt passwords
#
# Reuse identities file: export PA_IDENTITIES=~/.local/share/pa/identities
# Reuse recipients file: export PA_RECIPIENTS=~/.local/share/pa/recipients

die() {
    printf '%s: %s.\n' "$(basename "$0")" "$1" >&2
    exit 1
}

age=$(command -v age || command -v rage) ||
    die "age not found, install per https://age-encryption.org"

age_keygen=$(command -v age-keygen || command -v rage-keygen) ||
    die "age-keygen not found, install per https://age-encryption.org"

# Restrict permissions of any new files to only the current user.
umask 077

basedir=${XDG_DATA_HOME:=$HOME/.local/share}/pa
: "${PA_DIR:=$basedir/passwords}"

realstore=$(realpath "$PA_DIR") ||
    die "Couldn't get path to password directory"

tmpdir=$basedir/tmp

mkdir "$tmpdir" ||
    die "Couldn't create temporary directory"

trap 'rm -rf "$tmpdir"; exit' EXIT
trap 'rm -rf "$tmpdir"; trap - INT; kill -s INT 0' INT

cp -Rp "$realstore" "$tmpdir/passwords" ||
    die "Couldn't copy password directory"

# Remove git repository for forward secrecy.
rm -rf "$tmpdir/passwords/.git"

[ "$PA_IDENTITIES" ] && cp "$PA_IDENTITIES" "$tmpdir/identities"
[ "$PA_RECIPIENTS" ] && cp "$PA_RECIPIENTS" "$tmpdir/recipients"

$age_keygen >>"$tmpdir/identities" 2>/dev/null
$age_keygen -y "$tmpdir/identities" >>"$tmpdir/recipients" 2>/dev/null

pa l | while read -r name; do
    pa s "$name" |
        $age -R "$tmpdir/recipients" -o "$tmpdir/passwords/$name.age" ||
        die "Couldn't encrypt $name.age"
done

trap - INT EXIT

rm -rf "$realstore" ||
    die "Couldn't remove password directory"

mv "$tmpdir/passwords" "$realstore"
mv "$tmpdir/identities" "$(realpath "$basedir/identities")"
mv "$tmpdir/recipients" "$(realpath "$basedir/recipients")"
rmdir "$tmpdir"

# Recreate git repository if needed.
pa l >/dev/null