Diffstat (limited to 'share')
-rwxr-xr-x | share/keyringer/append | 6 | ||||
-rwxr-xr-x | share/keyringer/commands | 10 | ||||
-rwxr-xr-x | share/keyringer/decrypt | 3 | ||||
-rwxr-xr-x | share/keyringer/edit | 15 | ||||
-rwxr-xr-x | share/keyringer/encrypt | 31 | ||||
-rwxr-xr-x | share/keyringer/genpair | 16 | ||||
l--------- | share/keyringer/open | 1 | ||||
-rwxr-xr-x | share/keyringer/preferences | 37 | ||||
-rwxr-xr-x | share/keyringer/recrypt | 14 | ||||
-rwxr-xr-x | share/keyringer/usage | 10 | ||||
-rw-r--r-- | share/man/keyringer.1 | 94 | ||||
-rw-r--r-- | share/man/keyringer.1.mdwn | 99 |
12 files changed, 322 insertions, 14 deletions
diff --git a/share/keyringer/append b/share/keyringer/append index 045ba86..bcc9e5e 100755 --- a/share/keyringer/append +++ b/share/keyringer/append @@ -32,4 +32,10 @@ for element in $(seq 0 $((${#NEW[@]} - 1))); do echo ${NEW[$element]} done | keyringer_exec encrypt-batch $BASEDIR $FILE +err="$?" + +if [ "$err" != "0" ]; then + exit "$err" +fi + IFS="$OLDIFS" diff --git a/share/keyringer/commands b/share/keyringer/commands new file mode 100755 index 0000000..139725a --- /dev/null +++ b/share/keyringer/commands @@ -0,0 +1,10 @@ +#!/bin/bash +# +# Show available commands +# + +# Load functions +LIB="`dirname $0`/../../lib/keyringer/functions" +source "$LIB" || exit 1 + +keyringer_show_actions diff --git a/share/keyringer/decrypt b/share/keyringer/decrypt index adc1134..bab9b34 100755 --- a/share/keyringer/decrypt +++ b/share/keyringer/decrypt @@ -12,3 +12,6 @@ keyringer_get_file "$2" # Decrypt $GPG --quiet --use-agent -d "$KEYDIR/$FILE" + +# Exit +exit "$?" diff --git a/share/keyringer/edit b/share/keyringer/edit index 10798e2..fe05ecc 100755 --- a/share/keyringer/edit +++ b/share/keyringer/edit @@ -22,10 +22,21 @@ keyringer_set_tmpfile edit # Decrypt the information to the file $GPG --yes -o "$TMPWORK" --use-agent -d "$KEYDIR/$FILE" +if [ "$BASENAME" == "edit" ]; then + APP="$EDITOR" +elif [ "$BASENAME" == "open" ]; then + if which xdg-open &> /dev/null; then + APP="xdg-open" + else + echo "You should have xdg-open application to perform this action, aborting." + exit 1 + fi +fi + # Prompt -echo "Press any key to open the decrypted data in $EDITOR, Ctrl-C to abort" +echo "Press any key to open the decrypted data with $APP, Ctrl-C to abort" read key -"$EDITOR" "$TMPWORK" +$APP "$TMPWORK" # Encrypt again $GPG --yes -o "$KEYDIR/$FILE" --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") "$TMPWORK" diff --git a/share/keyringer/encrypt b/share/keyringer/encrypt index da0941f..c0b7874 100755 --- a/share/keyringer/encrypt +++ b/share/keyringer/encrypt 
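Review bot: The `dirname $0` command substitution that builds `LIB` in the new commands script leaves `$0` unquoted inside backticks, so an install path containing whitespace or glob characters splits and the following `source "$LIB"` fails; the same line is introduced in the new preferences and usage scripts on this page. `LIB="$(dirname "$0")/../../lib/keyringer/functions"` keeps the path intact and nests cleanly. The encrypt hunk's context shows the older scripts carry the same pattern, so this is consistent with the tree, but the newly added files are the cheapest place to start fixing it.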
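Review bot: The new if/elif chain in edit assigns `APP` only for the `edit` and `open` basenames, so under any other name `$APP "$TMPWORK"` expands to the temp file path alone and bash tries to execute the decrypted secret as a command before carrying on to re-encrypt it. Close the chain with `else`, `echo "$BASENAME: unknown action" >&2; exit 1`, `fi` so a stray invocation aborts first. `which xdg-open &> /dev/null` is better written `command -v xdg-open >/dev/null 2>&1`, the portable builtin check. Note also that xdg-open normally returns as soon as the handler has been started, so the re-encryption on the last context line and any temp-file cleanup can run while the viewer still holds the plaintext; the `read key` prompt does not cover that window. The script's tail is outside the hunk.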
@@ -8,7 +8,18 @@ LIB="`dirname $0`/../../lib/keyringer/functions" source "$LIB" || exit 1 # Aditional parameters -keyringer_get_new_file "$2" +if [ ! -z "$3" ]; then + UNENCRYPTED_FILE="$2" + keyringer_get_new_file "$3" + + if [ ! -f "$UNENCRYPTED_FILE" ]; then + echo "Error: cannot encrypted $UNENCRYPTED_FILE: file not found." + exit 1 + fi +else + UNENCRYPTED_FILE="-" + keyringer_get_new_file "$2" +fi # Set recipients file keyringer_set_recipients "$FILE" @@ -18,12 +29,26 @@ mkdir -p "$KEYDIR/`dirname $FILE`" if [ "$BASENAME" == "encrypt" ]; then # Only display directions if we're running encrypt, not encrypt-batch - echo "Type your message and finish your input with EOF (Ctrl-D)." + if [ "$UNENCRYPTED_FILE" == "-" ]; then + echo "Type your message and finish your input with EOF (Ctrl-D)." + fi +fi + +$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$FILE" $UNENCRYPTED_FILE + +err="$?" + +if [ "$err" != "0" ]; then + exit "$err" fi -$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") - > "$KEYDIR/$FILE" +if [ "$UNENCRYPTED_FILE" != "-" ]; then + echo "Now make to wipe the non-encrypted $UNENCRYPTED_FILE." +fi # Stage if [ -d "$BASEDIR/.git" ]; then keyringer_exec git "$BASEDIR" add "keys/$FILE" fi + +exit "$?" diff --git a/share/keyringer/genpair b/share/keyringer/genpair index 85ec1ac..71ae86d 100755 --- a/share/keyringer/genpair +++ b/share/keyringer/genpair @@ -11,8 +11,8 @@ function genpair_ssh { echo "Make sure that $KEYDIR is atop of an encrypted volume." read -p "Hit ENTER to continue." prompt - # TODO: programatically enter blank passphrase twice - ssh-keygen -t rsa -f "$TMPWORK/id_rsa" -C "root@$NODE" + # We're using empty passphrases + ssh-keygen -t rsa -P '' -f "$TMPWORK/id_rsa" -C "root@$NODE" # Encrypt the result echo "Encrypting secret key into keyringer..." 
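Review bot: The not-found message in the new `$3` branch of encrypt reads `cannot encrypted` and is printed to stdout; `echo "Error: cannot encrypt $UNENCRYPTED_FILE: file not found." >&2` fixes the wording and keeps the diagnostic off the data stream. The `-f` test runs only after `keyringer_get_new_file "$3"`; if that helper touches keyring state, moving the test above it would fail fast on a bad path (cannot be confirmed from this hunk).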
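Review bot: `$UNENCRYPTED_FILE` is unquoted at the end of the new `$GPG` invocation in encrypt, so a plaintext path containing whitespace splits into several arguments and gpg is handed the wrong file names; write it `"$UNENCRYPTED_FILE"` (gpg still reads stdin when the value is `-`). The hint after the error check reads `Now make to wipe`; `echo "Now make sure to wipe the non-encrypted $UNENCRYPTED_FILE."` is what was meant, and since the plaintext stays on disk until the user acts, that message is the only cue they get.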
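Review bot: The new `-P ''` in genpair_ssh writes an unprotected private key to `$TMPWORK/id_rsa`, and the replaced comment only says `We're using empty passphrases` without the reason; expand it to `# Empty passphrase: the private key is encrypted into the keyring right below, so a passphrase would only duplicate that protection` (the "Encrypting secret key into keyringer..." echo in the context confirms that step). The call also leaves the key size to ssh-keygen's default, which has changed across OpenSSH releases; pass `-b` explicitly if the deployment expects a particular minimum. The function continues outside the hunk.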
@@ -70,7 +70,7 @@ EOF echo "Encrypting public key into keyringer..." $GPG --armor --homedir "$TMPWORK" --export | keyringer_exec encrypt "$BASEDIR" "$FILE.pub" echo "Encrypting passphrase into keyringer..." - echo "Passphrase for $FILE: $passphrase" | keyringer_exec encrypt "$BASEDIR" "$FILE.passwd" + echo "Passphrase for $FILE: $passphrase" | keyringer_exec encrypt "$BASEDIR" "$FILE.passwd" # TODO: add outfiles into version control if [ ! -z "$OUTFILE" ]; then @@ -153,7 +153,7 @@ EOF if [ "$KEYTYPE" == "ssl-self" ]; then echo "Encrypting certificate into keyringer..." - cat "$NODE.crt" | keyringer_exec encrypt "$BASEDIR" "$FILE.crt" + cat "${NODE}.crt" | keyringer_exec encrypt "$BASEDIR" "$FILE.crt" elif [ -f "$BASEDIR/keys/$FILE.crt.asc" ]; then # Remove any existing crt keyringer_exec del "$BASEDIR" "$FILE.crt" @@ -164,18 +164,18 @@ EOF if [ ! -z "$OUTFILE" ]; then # TODO: add outfiles into version control mkdir -p `dirname $OUTFILE` - printf "Saving copies at %s.pem, %s.csr and %s.crt\n" "$OUTFILE" "$OUTFILE" "$OUTFILE" + printf "Saving copies at %s\n" "`dirname $OUTFILE`" cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem" cat "$TMPWORK/${NODE}_csr.pem" > "$OUTFILE.csr" - if [ -f "$TMPWORK/$NODE.crt" ]; then - cat "$TMPWORK/$NODE.crt" > "$OUTFILE.crt" + if [ -f "$TMPWORK/${NODE}.crt" ]; then + cat "$TMPWORK/${NODE}.crt" > "$OUTFILE.crt" fi fi # Show cert fingerprint if [ "$KEYTYPE" == "ssl-self" ]; then - openssl x509 -noout -in "$TMPWORK/$NODE.crt" -fingerprint + openssl x509 -noout -in "$TMPWORK/${NODE}.crt" -fingerprint fi echo "Done" diff --git a/share/keyringer/open b/share/keyringer/open new file mode 120000 index 0000000..8491ab9 --- /dev/null +++ b/share/keyringer/open @@ -0,0 +1 @@ +edit
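Review bot: The new printf line in the ssl branch passes `dirname $OUTFILE` with `$OUTFILE` unquoted inside the command substitution, so a path with spaces is reported wrongly; `"$(dirname "$OUTFILE")"` fixes it and would match the `mkdir -p` line above, which has the same problem but is outside the change. The `.pem` copy written on the next context line is the private key and is created with the caller's umask, so a `umask 077` ahead of these writes would keep the saved copies owner-readable only; that line is not part of this commit. The other genpair hunks on this line only add braces and trim whitespace.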
\ No newline at end of file diff --git a/share/keyringer/preferences b/share/keyringer/preferences new file mode 100755 index 0000000..2819b50 --- /dev/null +++ b/share/keyringer/preferences @@ -0,0 +1,37 @@ +#!/bin/bash +# +# Manipulate preferences. +# + +# Load functions +LIB="`dirname $0`/../../lib/keyringer/functions" +source "$LIB" || exit 1 + +COMMAND="$2" + +if [ -z "$COMMAND" ]; then + echo "Usage: keyringer <keyring> preferences <command> [arguments]" + echo "Available commands:" + echo " ls" + echo " edit" + echo " add" + exit 1 +fi + +# Create options file if old repository +if [ ! -e "$PREFERENCES" ]; then + echo "Creating preferences file..." + touch "$PREFERENCES" +fi + +if [ "$COMMAND" == "ls" ]; then + cat "$PREFERENCES" +elif [ "$COMMAND" == "edit" ]; then + "$EDITOR" "$PREFERENCES" +elif [ "$COMMAND" == "add" ]; then + shift 2 + [[ -n $* ]] && echo $* >> "$PREFERENCES" +else + printf "%s: No such command %s\n" "$BASENAME" "$COMMAND" + exit 1 +fi diff --git a/share/keyringer/recrypt b/share/keyringer/recrypt index cbf1af9..63f7bc6 100755 --- a/share/keyringer/recrypt +++ b/share/keyringer/recrypt @@ -14,12 +14,24 @@ function keyringer_recrypt { # Set recipients file keyringer_set_recipients "$FILE" + # Decrypt + decrypted="$($GPG --use-agent -d "$KEYDIR/$FILE" 2> /dev/null)" + + if [ "$?" != "0" ]; then + echo "Decryption error." + exit 1 + fi + # Recrypt - $GPG --use-agent -d "$KEYDIR/$FILE" | $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") > "$KEYDIR/$FILE" + recrypted="`echo "$decrypted" | $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE")`" if [ "$?" != "0" ]; then + echo "Recryption error." exit 1 fi + + unset decrypted + echo "$recrypted" > "$KEYDIR/$FILE" } if [ ! -z "$2" ]; then diff --git a/share/keyringer/usage b/share/keyringer/usage new file mode 100755 index 0000000..a4602ac --- /dev/null +++ b/share/keyringer/usage 
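Review bot: In the new preferences script, `add` stores its arguments with `echo $*`, which word-splits and glob-expands the value and lets a leading `-n` or `-e` be consumed as an echo option; `[[ -n "$*" ]] && printf '%s\n' "$*" >> "$PREFERENCES"` writes exactly what was given. `"$EDITOR" "$PREFERENCES"` in the `edit` branch quotes the editor as a single word, so an `EDITOR` value carrying arguments fails here while the edit script on this page invokes `$APP` unquoted; the two should follow one convention. The usage text is printed to stdout before `exit 1`; sending it to stderr with `>&2` keeps it out of pipelines.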
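Review bot: Holding the plaintext in `decrypted` and feeding it back with `echo "$decrypted"` makes the recrypt round trip lossy: command substitution strips trailing newlines and cannot carry NUL bytes, and `echo` reinterprets content that starts with `-n` or `-e`, so a binary or newline-sensitive secret is silently altered on re-encryption. The old pipeline presumably had to go because the `>` redirect truncated `$KEYDIR/$FILE` before gpg had finished reading it; decrypting to a temp file and encrypting from it keeps that fix without the variable round trip, as sketched below (it assumes `keyringer_set_tmpfile` provides `$TMPWORK` the way the edit script on this page uses it). `2> /dev/null` on the decrypt call also hides gpg's own diagnostic, which is usually the only clue to a missing key. `unset decrypted` does not scrub the value from process memory, so it buys less than it suggests. keyringer_recrypt's closing brace is in the hunk but its header is not.
```shell
  # Decrypt into a private temp file rather than a shell variable: command
  # substitution drops NUL bytes and trailing newlines, and echo would
  # reinterpret content starting with -n/-e, so the round trip could alter
  # the secret. Assumes keyringer_set_tmpfile sets TMPWORK as in edit.
  keyringer_set_tmpfile recrypt
  $GPG --use-agent --yes -o "$TMPWORK" -d "$KEYDIR/$FILE"

  if [ "$?" != "0" ]; then
    echo "Decryption error."
    exit 1
  fi

  # Recrypt into a second file and replace the original only on success,
  # so a failed encryption never leaves a truncated secret behind
  $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes -o "$TMPWORK.asc" "$TMPWORK"

  if [ "$?" != "0" ]; then
    echo "Recryption error."
    exit 1
  fi

  mv "$TMPWORK.asc" "$KEYDIR/$FILE"
  # … unchanged: closing brace of keyringer_recrypt and the "$2" dispatch …
```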
@@ -0,0 +1,10 @@
+#!/bin/bash
+#
+# Show available commands
+#
+
+# Load functions
+LIB="`dirname $0`/../../lib/keyringer/functions"
+source "$LIB" || exit 1
+
+keyringer_usage
diff --git a/share/man/keyringer.1 b/share/man/keyringer.1
new file mode 100644
index 0000000..2eaa30d
--- /dev/null
+++ b/share/man/keyringer.1
@@ -0,0 +1,94 @@
+.TH KEYRINGER 1 "August 17, 2013" "Keyringer User Manual"
+.SH NAME
+.PP
+keyringer - encrypted and distributed secret sharing software
+.SH SYNOPSIS
+.PP
+keyringer <\f[I]keyring\f[]> <\f[I]action\f[]> [\f[I]options\f[]]...
+.SH DESCRIPTION
+.PP
+Keyringer lets you manage and share secrets using GPG and git with
+custom commands to encrypt, decrypt, recrypt, create key pairs, etc.
+.SH ACTIONS
+.PP
+Keyringer has three types of actions:
+.IP "1." 3
+Configuration actions.
+.IP "2." 3
+Secret manipulation actions.
+.IP "3." 3
+Repository lookup and manipulation actions.
+.SS CONFIGURATION ACTIONS
+.PP
+commands : List available actions, useful for shell completion and
+syntax check.
+.PP
+options <\f[I]ls\f[]|\f[I]edit\f[]|\f[I]add\f[]> : List, edit or add
+miscelaneous \f[I]repository options\f[].
+.PP
+preferences <\f[I]ls\f[]|\f[I]edit\f[]|\f[I]add\f[]> : List, edit or add
+\f[I]user options\f[] for a given repository.
+.PP
+recipients <\f[I]ls\f[]|\f[I]edit\f[]> <\f[I]recipient-file\f[]> : List
+or edit recipient configuration.
+.PP
+usage : Show usage information.
+.SS SECRET MANIPULATION ACTIONS
+.PP
+All secret manipulation actions operates upon a \f[I]SECRET\f[], which
+is the pathname of an encrypted file relative to keyring with optional
+\f[C]\&.asc\f[] extension.
+.PP
+Secret manipulation actions do not commit changes into the secret
+repository.
+After any manipulation, the user has to manually commit the changes.
+.PP
+append <\f[I]SECRET\f[]> : Append contents into a secret.
+.PP
+append-batch <\f[I]SECRET\f[]> : Append contents into a secret, batch
+mode.
+.PP
+decrypt <\f[I]SECRET\f[]> : Decrypts a secret into standard output.
+.PP
+del <\f[I]SECRET\f[]> : Removes a secret using git.
+After deleting a secret a git commit and push is still needed to update
+remote repositories.
+To completely remove a file from a keyring, you should also rewrite the
+git history by yourself.
+.PP
+edit <\f[I]SECRET\f[]> : Edits a secret by temporarily decrypting it,
+opening the decrypted copy into \f[I]$EDITOR\f[] and then recrypting it
+again.
+.PP
+encrypt [\f[I]file\f[]] <\f[I]SECRET\f[]> : Encrypts content from
+standard input or \f[I]file\f[] into \f[I]SECRET\f[].
+.PP
+encrypt-batch <\f[I]SECRET\f[]> : Encrypt content, batch mode.
+.PP
+genpair <\f[I]ssh\f[]|\f[I]gpg\f[]|\f[I]ssl\f[]|\f[I]ssl-self\f[]>
+[\f[I]options\f[]] : Wrapper to generete encryption keypairs, useful for
+automated key deployment.
+.PP
+open <\f[I]SECRET\f[]> : Open a secret using xdg-open.
+.PP
+recrypt <\f[I]SECRET\f[]> : Recrypts a secret by decrypting it and
+recrypting again.
+Useful when users are added into recipient configuration.
+If no \f[I]SECRET\f[] is given, all secrets in the repository are
+re-encrypted.
+.SH REPOSITORY LOOKUP AND MANIPULATION ACTIONS
+.PP
+git <\f[I]action\f[]> <\f[I]options\f[]> : Git wrapper that operates
+from the toplevel keyring repository.
+.PP
+ls <\f[I]PATH\f[]> : List contents from the toplevel repository
+\f[I]keys\f[] folder or from relative \f[I]PATH\f[].
+.SH SEE ALSO
+.PP
+The \f[I]README\f[] file distributed with Keyringer contains full
+documentation.
+.PP
+The Keyringer source code and all documentation may be downloaded from
+<https://keyringer.pw>.
+.SH AUTHORS
+Silvio Rhatto.
diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn
new file mode 100644
index 0000000..14ae687
--- /dev/null
+++ b/share/man/keyringer.1.mdwn
@@ -0,0 +1,99 @@
+% KEYRINGER(1) Keyringer User Manual
+% Silvio Rhatto
+% August 17, 2013
+
+# NAME
+
+keyringer - encrypted and distributed secret sharing software
+
+# SYNOPSIS
+
+keyringer <*keyring*> <*action*> [*options*]...
+
+# DESCRIPTION
+
+Keyringer lets you manage and share secrets using GPG and git with custom
+commands to encrypt, decrypt, recrypt, create key pairs, etc.
+
+# ACTIONS
+
+Keyringer has three types of actions:
+
+1. Configuration actions.
+2. Secret manipulation actions.
+3. Repository lookup and manipulation actions.
+
+## CONFIGURATION ACTIONS
+
+commands
+: List available actions, useful for shell completion and syntax check.
+
+options <*ls*|*edit*|*add*>
+: List, edit or add miscelaneous *repository options*.
+
+preferences <*ls*|*edit*|*add*>
+: List, edit or add *user options* for a given repository.
+
+recipients <*ls*|*edit*> <*recipient-file*>
+: List or edit recipient configuration.
+
+usage
+: Show usage information.
+
+## SECRET MANIPULATION ACTIONS
+
+All secret manipulation actions operates upon a *SECRET*, which is the pathname
+of an encrypted file relative to keyring with optional `.asc` extension.
+
+Secret manipulation actions do not commit changes into the secret repository.
+After any manipulation, the user has to manually commit the changes.
+
+append <*SECRET*>
+: Append contents into a secret.
+
+append-batch <*SECRET*>
+: Append contents into a secret, batch mode.
+
+decrypt <*SECRET*>
+: Decrypts a secret into standard output.
+
+del <*SECRET*>
+: Removes a secret using git. After deleting a secret a git commit and push is still
+ needed to update remote repositories. To completely remove a file from a keyring,
+ you should also rewrite the git history by yourself.
+
+edit <*SECRET*>
+: Edits a secret by temporarily decrypting it, opening the decrypted copy into *$EDITOR*
+ and then recrypting it again.
+
+encrypt [*file*] <*SECRET*>
+: Encrypts content from standard input or *file* into *SECRET*.
+
+encrypt-batch <*SECRET*>
+: Encrypt content, batch mode.
+
+genpair <*ssh*|*gpg*|*ssl*|*ssl-self*> [*options*]
+: Wrapper to generete encryption keypairs, useful for automated key deployment.
+
+open <*SECRET*>
+: Open a secret using xdg-open.
+
+recrypt <*SECRET*>
+: Recrypts a secret by decrypting it and recrypting again. Useful when users are added
+ into recipient configuration. If no *SECRET* is given, all secrets in the repository
+ are re-encrypted.
+
+# REPOSITORY LOOKUP AND MANIPULATION ACTIONS
+
+git <*action*> <*options*>
+: Git wrapper that operates from the toplevel keyring repository.
+
+ls <*PATH*>
+: List contents from the toplevel repository *keys* folder or from relative *PATH*.
+
+# SEE ALSO
+
+The *README* file distributed with Keyringer contains full documentation.
+
+The Keyringer source code and all documentation may be downloaded from
+<https://keyringer.pw>. |