contrib/pa-rekey
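#!/bin/sh
#
# rotate keys and reencrypt passwords
#
# Reuse identities file: export PA_IDENTITIES=~/.local/share/pa/identities
# Reuse recipients file: export PA_RECIPIENTS=~/.local/share/pa/recipients
#
# The rekey runs in two phases: everything is rebuilt under a temporary
# directory first, and the live store is replaced only after every entry
# has been re-encrypted. Any failure before that point leaves the live
# store untouched (the EXIT trap removes the temporary directory).

# Print an error to stderr and exit with status 1.
# Arguments: $1 - message (a trailing period is appended)
die() {
    printf 'error: %s.\n' "$1" >&2
    exit 1
}

age=$(command -v age || command -v rage) ||
    die "age not found, install per https://age-encryption.org"

age_keygen=$(command -v age-keygen || command -v rage-keygen) ||
    die "age-keygen not found, install per https://age-encryption.org"

# Restrict permissions of any new files to only the current user.
umask 077

basedir=${XDG_DATA_HOME:=$HOME/.local/share}/pa
: "${PA_DIR:=$basedir/passwords}"

realstore=$(realpath "$PA_DIR") ||
    die "Couldn't get path to password directory"

# mkdir without -p fails if the directory already exists, so a concurrent
# or previously interrupted rekey cannot share this working directory.
tmpdir=$basedir/tmp
mkdir "$tmpdir" || die "Couldn't create temporary directory"
trap 'rm -rf "$tmpdir"; exit' EXIT
trap 'rm -rf "$tmpdir"; trap - INT; kill -s INT 0' INT

cp -Rp "$realstore" "$tmpdir/passwords" || die "Couldn't copy password directory"

# Remove git repository for forward secrecy.
rm -rf "$tmpdir/passwords/.git"

# A failed copy must abort here: continuing would rekey with a fresh
# identity only and then overwrite the user's identities/recipients files.
if [ "$PA_IDENTITIES" ]; then
    cp "$PA_IDENTITIES" "$tmpdir/identities" || die "Couldn't copy $PA_IDENTITIES"
fi
if [ "$PA_RECIPIENTS" ]; then
    cp "$PA_RECIPIENTS" "$tmpdir/recipients" || die "Couldn't copy $PA_RECIPIENTS"
fi

# Generate the new identity and append its recipient. age-keygen's
# informational output on stderr is dropped; its exit status is not.
$age_keygen >>"$tmpdir/identities" 2>/dev/null ||
    die "Couldn't generate new identity"
$age_keygen -y "$tmpdir/identities" >>"$tmpdir/recipients" 2>/dev/null ||
    die "Couldn't derive recipients from identities"

# Read the entry list from a file rather than piping it into the loop: a
# loop fed by a pipe runs in a subshell, where die would end only that
# subshell and the script would go on to replace the live store.
pa l >"$tmpdir/list" || die "Couldn't list passwords"

while read -r name; do
    # sh has no pipefail, so a failing 'pa s' is recorded through a marker
    # file; without it age would encrypt whatever (possibly nothing)
    # reached the pipe and the entry's old contents would be lost.
    { pa s "$name" || : >"$tmpdir/failed"; } |
        $age -R "$tmpdir/recipients" -o "$tmpdir/passwords/$name.age" ||
        die "Couldn't encrypt $name.age"
    if [ -e "$tmpdir/failed" ]; then
        die "Couldn't read entry $name"
    fi
done <"$tmpdir/list"

rm -f "$tmpdir/list"

# Point of no return: the traps are cleared so that an interruption from
# here on leaves the re-encrypted copy in $tmpdir instead of deleting it.
trap - INT EXIT
rm -rf "${realstore:?}" || die "Couldn't remove password directory"
mv "$tmpdir/passwords" "$realstore"
mv "$tmpdir/identities" "$(realpath "$basedir/identities")"
mv "$tmpdir/recipients" "$(realpath "$basedir/recipients")"
rmdir "$tmpdir"

# Recreate git repository if needed.
pa l >/dev/null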