contrib/pa-rekey
#!/bin/sh # # rotate keys and reencrypt passwords # # Reuse identities file: export PA_IDENTITIES=~/.local/share/pa/identities # Reuse recipients file: export PA_RECIPIENTS=~/.local/share/pa/recipients basedir="${XDG_DATA_HOME:=$HOME/.local/share}/pa" : "${PA_DIR:=$basedir/passwords}" # Restrict permissions of any new files to only the current user. umask 077 [ "$PA_IDENTITIES" ] && cp "$PA_IDENTITIES" "$basedir/identities.tmp" [ "$PA_RECIPIENTS" ] && cp "$PA_RECIPIENTS" "$basedir/recipients.tmp" if age_keygen=$(command -v age-keygen || command -v rage-keygen); then $age_keygen >>"$basedir/identities.tmp" 2>/dev/null $age_keygen -y "$basedir/identities.tmp" >>"$basedir/recipients.tmp" 2>/dev/null fi age=$(command -v age || command -v rage) pa list | while read -r name; do pa show "$name" | $age -R "$basedir/recipients.tmp" -o "$PA_DIR/$name.tmp.age" mv "$PA_DIR/$name.tmp.age" "$PA_DIR/$name.age" done if [ "$age_keygen" ]; then mv "$basedir/identities.tmp" "$basedir/identities" mv "$basedir/recipients.tmp" "$basedir/recipients" fi if [ -z "${PA_NOGIT+x}" ] && [ -d "$PA_DIR/.git" ] && command -v git >/dev/null 2>&1; then git -C "$PA_DIR" add . && git -C "$PA_DIR" commit -m "rekey" fi